Re: Changes in IDS Companies?

Toby Kohlenberg wrote

> Very simply, when you are talking about controlling
> traffic to the sort of high value, production server
> that you are likely to want to put these
> things in front of, you cannot afford for it to
> ever generate a false positive.

Yes in theory, not so in practice. First off, most IPS, NIPS, GIDS...whatever you want to call them...shouldn't be tuned to the point where they are mass blocking anything that is a "maybe" to the engine. I see a NIPS as essentially a "smarter firewall." It isn't going to filter out every conceivable attack, just the ones that can be identified with a great deal of accuracy.

In that sense, the blocking ratio should be reasonably reliable. However, in theory I think you're right. There is a danger with these devices making "bad decisions" about traffic and blocking acceptable stuff.

> This means you need a standard IDS sitting behind it/next
> to it watching the same traffic with a more flexible
> implementation that may generate false positives from
> time to time but will also be more likely to catch
> well-hidden or novel attacks. The beauty of a passive
> IDS is that it can make mistakes and you don't get
> punished for it automatically.

This is still true. A conventional NIDS and HIDS always have value because they are "data collectors." A good IDS does more than just shoot off alerts, but can feed you data to start making your own decisions. In the same way that a NIDS can give you the heads up that maybe you need to make a change to a conventional firewall, a NIDS could do the same for a NIPS or HIPS solution.

> So, I'd guess the first question I'd ask anyone
> trying to pitch one of these things to me is, how
> have you validated that you have a false-positive
> rate that approaches zero and how would I tune the
> box to ensure it will never cut off legitimate traffic?

This question really depends on where you put a NIPS. This is why I am still hesitant to suggest people put these in front of an entire network. A segment or single system is one thing. A whole network is a different thing.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

However, like all systems, properly tuned, they can offer a lot of protection capability.

I suspect one of the problems with NIPS is that they will get confused with firewalls. Firewalls are, for most places I visit, set & forget devices. Organizations plug them in, configure them, and then never look at them again. A NIPS is more like an IDS. And you can't leave an IDS alone. It needs love and attention. The same is true of a NIPS. You can't just let it whirr. Somebody has to be paying attention to what it is doing. And when stuff gets blocked that should go through, the system needs to be tuned.

>As I think about it, this discussion really has a
> lot in common with the cross-over rate issue in
> biometrics (the ratio of false-positives to
> false-negatives). Any vendors care to provide a
> meaningful explanation of how they are handling this?

> That means no statements like "We use a cutting edge
> combination of signatures, protocol analysis, heuristics,
> anomaly detection and our very own Ingredient X!".

Vendors are always hesitant to make these claims, because the instant they make them, somebody comes out with Ingredient X Hacking Tool which, fairly or not, can ruin the entire credibility of the product. Never mind that the Hacking Tool only operates in the 4th dimension running off a antimatter engine, if a link to the source code hits slashdot, the company's reputation tanks.

503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile