IDS mailing list archives

RE: IDS vs. IPS deployment feedback


From: "Andrew Plato" <andrew.plato () anitian com>
Date: Wed, 5 Apr 2006 12:19:40 -0700


> In comparison to IDS, IPS is an immature technology!
> Not only that but you have to deal with many things
> on an IPS that you do not have to worry about on an IDS.
> For heaven's sake there are still commercial IPS vendors
> out there (one of your business partners in fact) that
> drop all out of sequence packets... Are you kidding me?!?
> Don't these people understand how the Internet works?
> What ends up happening is that marketing folks for
> companies pitch IPS as a silver bullet, an end all be
> all security solution which is far from the truth.
> Please stop!  In the end you are only going to hurt
> the reputation of your company and the reputation of
> what could be a great complementary security technology
> in an overall security strategy.  All of this because
> the industry will have lost faith in the technology
> due to your empty promises and marketing BS.

I have a serious question for you - have you ever been responsible for
an enterprise network and its security? I ask that because the threats
of dropped packets and the "nic that goes bad" all sound like FUD, not
experience. Dropped packets happen when people try to ram 1000 Mbps
through an IPS rated at 200 Mbps. You have to size your IPS accordingly.
And the bad NIC is easily solved with bypass units. Again - all this FUD
has many simple answers.  

Furthermore where is all this analytical power coming from? Most
enterprise networks are complex and have limited resources to handle
ANYTHING, let alone security. Most network admins and IT people spend
the majority of their time just keeping their organizations running.
They simply do not have the time or resources to baby an IDS and perform
intricate security analysis. 

Now, you could complain that this is because companies underfund IT.
That's a whole different issue, however. 

The reality is - IT departments need tools that can extend the expertise
of small staff. The more content that can be blocked and kept out of a
network, the less there is to deal with. 

It's easy to sit in the TOWER OF ULTIMATE SECURITY PERFECTION where Proxy
Firewalls are ABSOLUTELY PERFECT and IDSs are manned by eternally
vigilant experts. Of the hundreds of companies I have seen (from small
to gigantic) none of them have the IT resources to analyze IDS logs all
day and none of them implement proxy firewalls correctly. 

Now, maybe I am just seeing a totally skewed view of it all. I will
accept that. But I don't think so. I think security needs to be
transparent and as easy as possible. And complex IDSs that generate 10000s
of alerts and stop nothing are quickly ignored when the staff gets busy.
And proxy firewalls are a small fraction of the market. 

> Yeah Ummm an IPS is nothing more than a layer7 "application layer"
> firewall.

This is just false. Firewalls and IPS assume much different things. A
firewall is a static set of rules that say what is allowed and what is
not allowed. That's it. 

An IPS, on the other hand, lets everything through unless it does
something that it knows is bad. 

Now, before you have a triple-heart attack and say "what about stuff it
doesn't know about." Well, that's the eternal squeal of the paranoid,
isn't it? How do you defend against the unknown? 

The reality to that is - you can't.  It's impossible to defend 100%
against the unknown. You HAVE to make some type of educated guesses as
what is PROBABLE and defend against that which is MOST PROBABLE. And
that is exactly what an IPS does. It can look at a stream and say: "it's
HIGHLY unlikely that this gargantuan binary package in the middle of an
ISAPI call is normal, so I am going to block it."

I realize a lot of people fly off into a rage when you mention IPS to
them. And yes, a lot of the vendors are pretty bad when they sell IPS as
a silver bullet that will solve everything. But, by the same token
spreading inaccurate FUD about IPS isn't any better than some commission
hungry sales person telling customers that IPSs will solve everything.
Both responses have hidden agendas. 

When you clear away the hype and FUD, the value of an IPS is obvious. You
can lower risk by knowing that a set number of vulnerabilities are
blocked, thus reducing the number of incidents that need to be
investigated. 

_____________________________________
Andrew Plato, CISSP
President / Principal Consultant
ANITIAN ENTERPRISE SECURITY

Your Expert Partner for Security & Networking

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

PGP/GPG public key available at: http://www.anitian.com/corp/keys.htm 




_________________________________________________
NOTICE:
This email may contain confidential information, 
and is for the sole use of the intended recipient.  
If you are not the intended recipient, please reply 
to the message and inform the sender of the error 
and delete the email and any attachments from 
your computer. 
_________________________________________________
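The firewall-versus-IPS distinction the message draws (a firewall as a static allow/deny rule set with a default deny, an IPS as default-allow that blocks only what a signature recognises as bad, e.g. a large binary body in an ISAPI call) can be made concrete with a small model. The following is an added illustration, not code from the original message or from Anitian; the hosts, ports, rule table, signatures, the 4096-byte threshold and the sample requests are all constructed.

```python
"""Toy model of the two enforcement models contrasted in the thread:
a firewall as a static allow/deny rule set (default deny, content-blind),
and an inline IPS that passes everything unless a signature says the
traffic is known-bad. Added example; all addresses, ports, rules and
thresholds are made up."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Packet:
    """Minimal packet abstraction: a 4-tuple plus the TCP payload."""
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


# --- Firewall: static rules, default deny. Never looks at content. ---
FIREWALL_RULES = [  # constructed: web to 10.0.0.5, SMTP to 10.0.0.9
    {"dst": "10.0.0.5", "dport": 80, "proto": "tcp"},
    {"dst": "10.0.0.5", "dport": 443, "proto": "tcp"},
    {"dst": "10.0.0.9", "dport": 25, "proto": "tcp"},
]


def firewall_decision(pkt: Packet) -> str:
    """'allow' if some rule matches the tuple, otherwise 'deny'."""
    for rule in FIREWALL_RULES:
        if (pkt.dst, pkt.dport, pkt.proto) == (rule["dst"], rule["dport"], rule["proto"]):
            return "allow"
    return "deny"


# --- IPS: default allow, block on signature match. Looks at content. ---
MAX_ISAPI_BODY = 4096  # constructed threshold for a "gargantuan" body


def parse_http_request(payload: bytes):
    """Split a raw HTTP request into (method, target, body); None if not HTTP."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    method = request_line[0].decode("ascii", "replace")
    target = request_line[1].decode("ascii", "replace")
    return method, target, body


def sig_oversized_isapi_body(pkt: Packet) -> Optional[str]:
    """Large, mostly non-printable body posted to an ISAPI extension (.dll)."""
    req = parse_http_request(pkt.payload)
    if req is None:
        return None
    _, target, body = req
    path = target.split("?", 1)[0].lower()
    if path.endswith(".dll") and len(body) > MAX_ISAPI_BODY:
        nonprintable = sum(1 for b in body if b < 0x20 or b > 0x7E)
        if nonprintable / len(body) > 0.3:
            return "oversized binary body to ISAPI extension"
    return None


def sig_directory_traversal(pkt: Packet) -> Optional[str]:
    """'../' sequences in the request target."""
    req = parse_http_request(pkt.payload)
    if req and "../" in req[1]:
        return "directory traversal in request target"
    return None


IPS_SIGNATURES: list[Callable[[Packet], Optional[str]]] = [
    sig_oversized_isapi_body,
    sig_directory_traversal,
]


def ips_decision(pkt: Packet) -> tuple:
    """Default allow; the first matching signature blocks."""
    for sig in IPS_SIGNATURES:
        reason = sig(pkt)
        if reason:
            return "block", reason
    return "allow", None


def inline_decision(pkt: Packet) -> tuple:
    """Firewall in front of the IPS: the IPS only sees what the firewall admits."""
    if firewall_decision(pkt) == "deny":
        return "deny", "firewall: no matching allow rule"
    return ips_decision(pkt)


def http(method: str, target: str, body: bytes = b"") -> bytes:
    """Build a constructed HTTP/1.1 request payload."""
    head = f"{method} {target} HTTP/1.1\r\nHost: www.example\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body


SAMPLE_TRAFFIC = {  # constructed sample packets
    "normal_get": Packet("198.51.100.7", "10.0.0.5", 80, "tcp", http("GET", "/index.html")),
    "small_isapi_post": Packet("198.51.100.7", "10.0.0.5", 80, "tcp",
                               http("POST", "/scripts/search.dll", b"q=printer")),
    "huge_binary_isapi_post": Packet("198.51.100.7", "10.0.0.5", 80, "tcp",
                                     http("POST", "/scripts/search.dll", bytes(range(256)) * 40)),
    "traversal": Packet("198.51.100.7", "10.0.0.5", 80, "tcp", http("GET", "/../../secret.txt")),
    "ssh_to_webserver": Packet("198.51.100.7", "10.0.0.5", 22, "tcp", b"SSH-2.0-x\r\n"),
}


def evaluate_all() -> dict:
    """Run every sample packet through firewall-then-IPS; name -> (verdict, reason)."""
    return {name: inline_decision(pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in evaluate_all().items():
        print(f"{name:24s} {verdict:6s} {reason or ''}")
```

The two POSTs to the same ISAPI extension show the point: the firewall admits both, since port 80 to that host is allowed and it has no notion of content, while the IPS blocks only the one whose body is large and binary and lets the short, ordinary one through. The SSH packet never reaches the IPS at all because the static rule table has no entry for it.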

