RE: Intrusion Prevention Systems - New Generation (new technologi es)

Most of the current intrusion detection techniques/technologies are not suitable to most of the existing attacks. System need to be dynamic in nature in order to detect and prevent from dynamics attacks. This means that those prevention systems must have the following technological capabilities:

1. Real-Time ADAPTIVE algorithms in order to automatic self tune thresholds and by that avoid false positive or miss detection algorithms
2. Deterministic and FUZZY detection algorithms in order to cover all today network and application level attacks
3. Advanced BEHAVIORAL ANALYSIS algorithms (such as spectral behavioral analysis)
4. Support some kind of automatic FEED BACK mechanism that will provide justification for continue with the chosen prevention method or to change it. A good feedback mechanism like that will help to decrease the false positive decisions, which also means that legitimate users will not be hurt
5. In-line product - In order to have all possible prevention capabilities with fast response
6. Dedicated hardware - obvious

These kinds of capabilities will provide good IPS. I think that when we say "next generation intrusion detection systems" we mean new technology like mentioned above.
Most will agree that the above algorithms/technologies are currently not supported in the traditional IDS and also not in most of the new product claimed to belong to the next generation products.

Of course it will take time to adopt such product but it will happen eventually

I think that vendors that really belong to that category are:

Intruvert : www.intruvert.com

Vsecure Technologies: www.v-secure.com

Tipping Point: www.tippingpoint.com

And very few more

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Chesla

-----Original Message-----
From: shannong [mailto:shannong@texas.net] Sent: Tuesday, November 05, 2002 4:33 AM To: focus-ids@securityfocus.com
Subject: RE: Intrusion Prevention Systems

A more legitimate name would be Intrusion Mitigation Systems. Surely, none of us operate under the guise that any of these systems can prevent intrusion to a system/network. Rather, they can stop the easy, obvious ones.

It seems were calling an reactive IDS and IPS. With that in mind,the techonology is definitely immature and unproven especially with respect to network based solutions. The problem isn't the reactive measures that "prevent intrusions", but rather it's the IDS engine that runs behind it that is the problem. I still consider IDS an immature technology.

Stopping something known to be "bad" is fairly "easy" with alogrithms and heuristics. The hard part is determing what's "bad". IDSs are not very effective at this yet. False positives make up a major part of the IDS events on any system I've seen. Sure, you can tune over a long period of time, but you'll still spend hours a day if you track down every alert. "Over tune", and you'll miss real events worth investigating. It is very easy to generate undesirable responses from reactive IDS solutions using spoofing, etc. to block legitimate traffic.

If an organization considers the risk of preventing legitimate traffic acceptable, then an IPS is worth looking into.

Most thoughts here are shared with a network based solution in mind. Host based IPS solutions are more palatable because they represent less threat to preventing legitimate traffic. Or at least limit the problem to a single host rather than to an entire network at large.

-Shannon

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

-----Original Message-----
From: Andrew Plato [mailto:aplato@anitian.com] Sent: Monday, October 28, 2002 11:40 AM
To: focus-ids@securityfocus.com
Cc: roesch@sourcefire.com
Subject: Intrusion Prevention Systems

Martin Roesch wrote...

> Don't get me wrong, I'm not saying it's not a good idea, it's an

> of the IPS vendors at this point is overblown in my opinion and I

> so I thought I'd chime in. The deployed base of network intrusion
well
> as a raft of political hurdles that have not been addressed in any
sort
> of empirical manner yet with a deployed base of happy users.

I want to respond to a few things you said, Martin.

1. Intrusion prevention is hardly a "new" thing. I keep hearing people say how Hogwash is this amazing new thing. In reality, BlackICE Guard (now called RealSecure Guard), which is the exact same type of product, pre-dates Hogwash and all the other IPS products by almost 3 years. I was building and deploying Guard units when Hogwash was still an interesting idea being discussed on Snort forums. Guard is based on Network ICE's BlackICE which is, as we all know, the core of ISS's RealSecure NIDS.

I say this not in deference to Hogwash, but to point out that IPS is not a new idea. You could even argue that some firewalls, like WatchGuards, have rudimentary IPS features as
they can auto-block users who attempt to connect using spoofed IPs or other known (albeit lame) hacking tactics.

2. IPS is hardly a "test lab device" or unproven technology. I have Guard units deployed
all over the Pacific Northwest protecting critical mainframes, DMZs, and even some Linux clusters. These units are like tanks with practically zero down-time and exceptional performance. In one case, a Guard unit is defending a particular client's credit card system - and it has
blocked more script kiddies and hackers than I can well count. It is integrated with a comprehensive host-based IDS and some other NIDS and provides exceptional insight and capability for this customer.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

3.However, I do agree with you that marketing can often pervert the true value and capability of
these systems. ISS and Network ICE have had a hard time positioning and selling Guard units because they are difficult to understand and hard to deploy. I have had success with them mainly because I sell them as appliance type units and I have special tweaks to make them really scream.

Furthermore, sales folks like to sell these as "all-in-one" high margin, high-price items. Ideally, IPS should complement and integrate with a comprehensive IDS offering and should never replace or supplant a traditional firewall.

> Sourcefire *is* working on IPS too, both with things like in-line mode

> operation and firewall interoperability through mechanisms like OPSEC.

> 've seen a lot of people advocating the widespread replacement of IDS

> to make that leap.

I agree that you cannot replace IDS with IPS. IPS is best seen as a "special use" type solution. I pitch Guard units to companies that have special areas that need exceptional defense. The most common application is as a last-defense layer in front of mainframes or UNIX clusters.

As for OPSEC interoperability - RealSecure has had this for eons. And honestly, I don't think I have ever seen anybody use it. That doesn't mean it doesn't work. But its hard to implement unless there is a very organized and well-planned IDS roll-out methodology used.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I also have some real reservations about any product automatically rewriting firewall rules. Better to have set firewall rules and then build in distributed, compartmentalized protection zones behind that firewall. IPS and more firewalls are better suited to this role than rewriting firewall rules at the perimeter.

> Do you think there's a conflict of interest here? Am I not allowed to

> have reservations about the technology even though I work on it? A
lot
> of people would debate the value of having the firewall reconfigured
by
> a NIDS, but people (like me) who work for companies that have features

> like that as requirements for the market they serve have to work
within
> the market reality even though they may have reservations about the

Think? I KNOW the technology is ready for prime time. I am sitting on a client base of highly satisfied customers using and enjoying the benefits on IPS devices. We've caught everything from nosy users to corrupt software at a HUGE national financial company with these devices.

However, IPS isn't for the faint of heart. It is a tough implementation. The tuning and use of such systems can be very dicey. And most people fall apart at the first dropped packet. There is a challenging integration process, but done slowly and done properly, it can work. And this isn't theory I am spouting here, this is my own personal experience.

> Can
> you speak to those? I notice you guys at Latis use Snort as your

> hit in its stateful inspection subsystems? How about in the same

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> or does it thrash? We had to get to *extremely* high loads in our
test
> lab traffic generators (~1M concurrent sessions) on our gigabit
product
> before we saw the degenerate thrashing situation Snort would descend

I'll be honest, I had a very hard time getting a Hogwash system to work at all. However, I will admit that I am irreparably biased by my BlackICE experience. So, when things don't look like BlackICE, I get itchy. I spent a good week or more trying to get the system running. When I did, I loaded up the segment (a fully switched 10/100 segment) to

about 75% utilization and my unit was really struggling to keep up. My tests were hardly scientific or reliable since I was mostly just playing with the system.

However, Guard systems I use have no problem handing fairly heavily loaded 100 Mbps segments. Gigabit guard is possible using load balancers. You can run multiple Guards
through a TopLayer IDS balancer and then achieve a true Gigabit Guard unit. So far there is
no single Gigabit Guard solution.

> I say it's not 100% ready for prime time because it hasn't been
to
> being an IPS advocate.

Well, if you need to see some successful IPS deployments, come out to Seattle or Portland and I would be happy to walk you through one of our Guard deployments (with the customer's approval of course) and show you how they're working.

One of my Guard units has been on-line consistently since March of 2000 with only occasional reboots and software updates.

Okay - I know what you're thinking. "Oh, you're just a vendor of these things and you'll say anything to sell them," Sure, I want to sell them. I need to pay a mortgage just like everybody. However, unlike most resellers who just shove products at their customers and mindlessly
bark marketing propaganda, my firm has always tried to sell stuff we KNEW worked. Its why I won't sell some unnamed technologies. I know they won't work and I know they are BS. (Besides, I sell, or at least try to sell, SourceFire!) Guard's work, and I can
prove it. Not with marketing BS, but real-world trials.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Lastly, I think its great you are openly questioning these technologies. They deserve questioning and debate. Its a testament to Sourcefire and yourself that you can appreciate market desires but also strive to openly discuss their real value. If more security firms were more open about their ideas and theories for technologies, they might be able to forge better technologies overall and ultimately satisfy market desires more appropriately.

Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
www.anitian.com  

• eSafe scanned this email for malicious content ***
• IMPORTANT: Do not open attachments from unrecognized senders ***