Penetration Testing mailing list archives
Re: IPS Comparison
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Thu, 22 Dec 2005 08:51:26 -0500
On Wed, 2005-12-21 at 08:24 -0500, Dave Bush wrote:
I'm going with "Well I read..." for my info on this, but the article by Ed Skoudis and Mike Poor
I'm certainly not Mike or Ed, but I do sometimes pay them on TV. ;-)
From their reviews I'd be probably most interested in either the Top Laywer box or the ISS box. Ths ISS box uses closed signatures, which I'm not thrilled about,
The big problem with a closed signature language is zero tweaking. False positives are a fact of life and when you are dealing with a closed signature language your choices are either "on" or "off" and that's it. You can't tweak the sig to weed out false positives while still having a functional signature. You can't even tweak the sig to catch possible variations of the attack. In short, you are stuck with what the vendor ships you. If your network matches their interpretation of "the average network", life is good. If not, your hosed. Mike goes into even more detail about this whenever he lectures.
but they found it to have "stellar detection."
Remember that an IPS is nothing more than a stateful inspection firewall that also tries to match malicious patterns in the payload. With this in mind, you are talking about being limited to detecting known attacks only. So if your IPS vendor can get you a sig (or you can write one yourself) faster than you can patch the vulnerability, there is value add to having an IPS. If not, well, you are doing little more than detecting and weeding out attacks that you are not vulnerable to anyways. IMHO there are cheaper ways of getting this warm fuzzy and feeling. There is an exception to this, which is another approach that is taken by some IPS vendors. This involves checking for indications of a successful attack. For example a packet headed out to the Internet that contains the string "C:\" could be considered suspicious and a possible indication that an attack has breached the perimeter. Nice thing about weeding these out is you have the potential to block 0-day because you are detecting on the actual problem rather than just a symptom. Of course this brings us back to the closed signature language thing. What if the above simple pattern generates false positives? You now either live with reduced functionality or need to disable a sig that could be extremely useful. If you have access to the sigs, you simply tweak to avoid the false positive condition and life is cool. Please note that I'm implying that IPS is useless. I'm simply saying its not magick to cure all that ails you and that its a security tool like many others with strengths and weaknesses. Everyone's network is different so what works in one environment may bomb in another. It really depends on traffic patterns, what other security measures are in play, and a host of other variables. HTH & happy holidays, Chris ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: IPS Comparison krishy_k (Dec 19)
- Re: IPS Comparison InfoSecBOFH (Dec 20)
- <Possible follow-ups>
- RE: IPS Comparison Josh Perrymon (Dec 20)
- Message not available
- Re: IPS Comparison Dave Bush (Dec 21)
- Re: IPS Comparison Chris Brenton (Dec 22)
- Re: IPS Comparison Vic N (Dec 24)
- Message not available
- Re: IPS Comparison neal wise (Dec 21)
- Re: IPS Comparison Brian Recore (Dec 27)
- RE: IPS Comparison Talisker (Dec 21)