IDS mailing list archives
RE: IDS vs. IPS deployment feedback
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Wed, 5 Apr 2006 12:19:40 -0700
> In comparison to IDS, IPS is an immature technology! Not only that, but you have to deal with many things on an IPS that you do not have to worry about on an IDS. For heaven's sake, there are still commercial IPS vendors out there (one of your business partners in fact) that drop all out-of-sequence packets... Are you kidding me?!? Don't these people understand how the Internet works? What ends up happening is that marketing folks for companies pitch IPS as a silver bullet, an end-all be-all security solution, which is far from the truth. Please stop! In the end you are only going to hurt the reputation of your company and the reputation of what could be a great complementary security technology in an overall security strategy. All of this because the industry will have lost faith in the technology due to your empty promises and marketing BS.
I have a serious question for you - have you ever been responsible for an enterprise network and its security? I ask that because the threats of dropped packets and the "NIC that goes bad" all sound like FUD, not experience. Dropped packets happen when people try to ram 1000 Mbps through an IPS rated at 200 Mbps. You have to size your IPS accordingly. And the bad NIC is easily solved with bypass units. Again - all this FUD has many simple answers.

Furthermore, where is all this analytical power coming from? Most enterprise networks are complex and have limited resources to handle ANYTHING, let alone security. Most network admins and IT people spend the majority of their time just keeping their organizations running. They simply do not have the time or resources to baby an IDS and perform intricate security analysis. Now, you could complain that this is because companies underfund IT. That's a whole different issue, however. The reality is - IT departments need tools that can extend the expertise of a small staff. The more content that can be blocked and kept out of a network, the less there is to deal with.

It's easy to sit in the TOWER OF ULTIMATE SECURITY PERFECTION where Proxy Firewalls are ABSOLUTELY PERFECT and IDSs are manned by eternally vigilant experts. Of the hundreds of companies I have seen (from small to gigantic), none of them have the IT resources to analyze IDS logs all day and none of them implement proxy firewalls correctly. Now, maybe I am just seeing a totally skewed view of it all. I will accept that. But I don't think so. I think security needs to be transparent and as easy as possible. And complex IDSs that generate 10000s of alerts and stop nothing are quickly ignored when the staff gets busy. And proxy firewalls are a small fraction of the market.
> Yeah, ummm, an IPS is nothing more than a layer 7 "application layer" firewall.

This is just false. Firewalls and IPS assume much different things. A firewall is a static set of rules that say what is allowed and what is not allowed. That's it. An IPS, on the other hand, lets everything through unless it does something that it knows is bad. Now, before you have a triple heart attack and say, "what about stuff it doesn't know about?" Well, that's the eternal squeal of the paranoid, isn't it? How do you defend against the unknown? The reality to that is - you can't. It's impossible to defend 100% against the unknown. You HAVE to make some type of educated guesses as to what is PROBABLE and defend against that which is MOST PROBABLE. And that is exactly what an IPS does. It can look at a stream and say: "it's HIGHLY unlikely that this gargantuan binary package in the middle of an ISAPI call is normal, so I am going to block it."

I realize a lot of people fly off into a rage when you mention IPS to them. And yes, a lot of the vendors are pretty bad when they sell IPS as a silver bullet that will solve everything. But, by the same token, spreading inaccurate FUD about IPS isn't any better than some commission-hungry sales person telling customers that IPSs will solve everything. Both responses have hidden agendas. When you clear away the hype and FUD, the value of an IPS is obvious. You can lower risk by knowing that a set number of vulnerabilities are blocked, thus reducing the number of incidents that need to be investigated.
_____________________________________
Andrew Plato, CISSP
President / Principal Consultant
ANITIAN ENTERPRISE SECURITY
Your Expert Partner for Security & Networking
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
PGP/GPG public key available at: http://www.anitian.com/corp/keys.htm
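To make the firewall-versus-IPS distinction in the reply above concrete, here is an added Python sketch (not code from the thread or from any vendor): a static default-deny allow list beside a default-pass inspection step that blocks only on one known-bad signature or on the "gargantuan binary blob in the middle of an ISAPI call" heuristic the post describes. The policy, the `MAX_ISAPI_BODY` threshold and the sample traffic are all constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    """Constructed, simplified view of one inbound request: addresses, port, payload."""
    src: str
    dst: str
    dport: int
    payload: bytes

# Firewall model: a static allow list; anything not explicitly permitted is dropped.
# Hypothetical policy: only web traffic to one server is allowed.
FW_ALLOW = [("any", "10.0.0.5", 80)]

def firewall_allows(p: Packet) -> bool:
    return any((s == "any" or s == p.src) and d == p.dst and port == p.dport
               for s, d, port in FW_ALLOW)

# IPS model: default pass; block only on a known-bad pattern (signature) or on
# something the engine judges highly improbable (heuristic).
SIGNATURES = [("uri path traversal", re.compile(rb"^(?:GET|POST) \S*\.\./"))]
MAX_ISAPI_BODY = 8192  # assumed threshold for this example, not a vendor value

def _mostly_binary(data: bytes) -> bool:
    nonprint = sum(1 for b in data if b < 9 or 13 < b < 32 or b > 126)
    return bool(data) and nonprint / len(data) > 0.3

def ips_verdict(p: Packet):
    head, _, body = p.payload.partition(b"\r\n\r\n")
    for name, rx in SIGNATURES:
        if rx.search(head):
            return ("block", name)
    # The heuristic from the post: a gargantuan binary blob in the middle of an ISAPI call.
    if (re.match(rb"(?:GET|POST) \S+\.dll", head)
            and len(body) > MAX_ISAPI_BODY and _mostly_binary(body)):
        return ("block", "oversized binary body in ISAPI request")
    return ("pass", None)

def pipeline(p: Packet):
    # Static policy first (firewall), then content inspection (IPS).
    if not firewall_allows(p):
        return ("drop", "no firewall rule allows it")
    return ips_verdict(p)

# Constructed sample traffic, all from the same client to the web server.
CLIENT, SERVER = "198.51.100.7", "10.0.0.5"
NORMAL = Packet(CLIENT, SERVER, 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n")
TELNET = Packet(CLIENT, SERVER, 23, b"\xff\xfd\x18")
BIG_ISAPI = Packet(CLIENT, SERVER, 80, b"POST /scripts/upload.dll HTTP/1.1\r\nHost: www\r\n\r\n" + bytes(range(256)) * 40)
```

Note that the firewall never looks inside the web request, while the IPS never rejects a request it has no rule or heuristic for; that asymmetry is the whole point of the reply.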