Re: IDS vs. IPS deployment feedback

["Will Metcalf" <william.metcalf () gmail com>]

First let me preface my in line responses by saying that I develop an
open source IPS.

Regards,

Will

> 1. Immature Technology
>
> IPS is far from immature. The first in-line IPS was BlackICE Guard. I
> installed one of the first in late 1999. And all of the decent IPSs on
> the market have roots in IDS, which is many years older. IPS is at least
> 7 years old and at best 10 or more. In technology terms, that's mature.
>
> Consider anti-spam technologies. They basically did not exist in 1999.
> Now, everybody has some kind of spam control. Is anti-spam a mature
> technology?

In comparison to IDS, IPS is a immature technology!  Not only that but
you have to deal with many things on a IPS that you do not have to
worry about on an IDS.  For heavens sake there are still commercial
IPS vendors out there (one of your business partners in fact) that
drop all out of sequence packets... Are you kidding me?!? Don't these
people understand the how the Internet works?  What end's up happening
is that marketing folks for companies pitch IPS as a silver bullet, an
end all be all security solution which is far from the truth.  Please
stop!  In the end you are only going to hurt the reputation of your
company and the reputation of what could be a great complimentary
security technology in an overall security strategy.  All of this
because the industry will have lost faith in the technology due to
your empty promises and marketing BS.

> 2. False Positives
>
> This is ultimately an issue of tuning. If you think you're going to drop
> an IPS inline, slap some rules on it, and never touch it again - you
> shouldn't be getting an IPS. A well tuned IPS can be pretty lean on
> false positives. And frankly, what is worse - a few POSSIBLE disruptions
> due to false positives, or getting hacked and 0wn3d and losing your
> business.
>
> Moreover, IPS can dramatically reduce the number of events that require
> incident response. With an IPS, when you see a really nasty alert, you
> can take note and move along, because you know the IPS blocked it. This
> allows you the freedom to analyze more subtle attacks or problems.

That is the completely wrong approach to take regarding a security
incident. What is your IPS  not seeing? What happened before the
event?  What happened afterwards? I agree with Richard Bejtlich on the
idea that prevention will eventually fail.  This is why you must
always analyze IDS/IPS alert data along side host logs, session, and
full content data.

> Also, I think the DOS angle is WAY overhyped. Its frankly a weak excuse.
> If you consider that almost every switch and router on the market has
> plenty of DOS weaknesses, then an IPS really isn't much different. The
> DOS fears also stem from the idea that somebody could feed your IPS
> internal addresses and hence block normal traffic. Even with the most
> rudimentary router ACLs you can ensure this never happens.

  Yeah but your network isn't going to stop working if a nic goes bad
in your IDS sensor.  Yeah, Yeah bypass switches, nics.. But what is
worse?  The fact that your CEO can't send e-mail, or the fact that
your web server just got owned due to an IIS exploit that your IPS was
protecting against.

> 3. Firewalls
>
> Firewalls are not IPSs. All the firewall vendors, especially the big
> ones, are clamoring all over themselves to repaint themselves as
> "security appliances." Even application firewalls, of which there are
> few, rarely are good at true IPS functions.
>
> The fact is, firewalls are good at one thing - access control. Detailed
> protocol analysis and filtering is not what most firewalls were built to
> do. And any firewall that has added this feature, has done so merely to
> be competitive in the market. I cannot think of any firewalls that were
> built from the ground up to be both a good firewall and a good IPS.
>
> Firewalls, should be left to do what firewalls do best - access control.
> Leave the packet inspection to a dedicated system.

Yeah Ummm an IPS is nothing more than a layer7 "application layer" firewall.

> IDS Dead?
>
> IDS may not be dead, but its value is diminishing. While there is a
> place for IDS in some environments, I fail to see why anybody would get
> a passive defense when active defenses can be deployed to function in a
> passive manner. An active system that is deployed passively at least
> gives you the option to switch to active mode later.

Really, what kind of visibility do you have on your IPS device located
at key choke points throughout your network?  And how much visibility
do you have on your IDS device?  IDS and IPS systems are complementary
security technologies, in my opinion you should never replace one for
another.

> Moreover, the value of an IDS diminishes even more if you lack in-house
> analytical capabilities. The unexamined IDS is not worth having, to
> paraphrase good old Socrates.

If you don't have the in-house analytical capabilities you shouldn't
have an IPS either. The unexamined IPS is a far worse scenario, 
because the industry is selling people a false sense of security.  "I
drank what" to paraphrase good old Socrates.....

> These are, of course, my opinions. And naturally, I have a vested
> interest in people buying more IPSs - because I sell them.
>
> _____________________________________
> Andrew Plato, CISSP, CISM
> President/Principal Consultant
> ANITIAN ENTERPRISE SECURITY
>
> Your Expert Partner for Security & Networking
>
> 3800 SW Cedar Hills Blvd, Suite 280
> Beaverton, OR 97005
> 503-644-5656 Office
> 503-214-8069 Fax
> 503-201-0821 Mobile
> www.anitian.com
> _____________________________________
>
> GPG public key available at: http://www.anitian.com/corp/keys.htm
>
>
>
>
> -----Original Message-----
> From: watsont [mailto:thomas.watson.b () bayer com]
> Sent: Thursday, March 16, 2006 11:56 AM
> To: focus-ids () securityfocus com
> Subject: IDS vs. IPS deployment feedback
>
> _________________________________________________
> NOTICE:
> This email may contain confidential information,
> and is for the sole use of the intended recipient.
> If you are not the intended recipient, please reply
> to the message and inform the sender of the error
> and delete the email and any attachments from
> your computer.
> _________________________________________________
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------