
RE: Recent Gartner IDS/IPS report

From: Carey, Steve T GARRISON <steven-carey(at)us.army.mil>
Date: Wed Jun 18 2003 - 16:24:48 EDT


My 2 cents... until technology catches up (which I doubt it will be by 2005, despite what Gartner states) there is no single solution for IDS or IPS (or a firewall). We use a suite of tools that includes both and a firewall. In our environment we have been very successful in spotting new and old exploits. True, learning to identify an attack was costly (at first), but in the long run it was well worth the expense (which includes periodic classes to maintain and learn new techniques). But consider the cost if we had not identified a compromised system and it continued to stay compromised because the firewall or an IPS did not identify it (real-world example: we had a compromise that made it through a firewall and iptables).

This whole argument (that Gartner started with an incomplete and not real-world report) is like saying that human guards will be replaced by cameras, because it is cheaper to run a camera. Of course someone has to look at the output from a camera, but who's counting. Cameras are good and guards are good, but together they make for tighter security.

Point being... everyone knows how to have good physical security, because they can see it; however, when it comes to electronic security, because it cannot be seen, it is harder to justify, harder to implement, etc., etc.

Steven T. Carey
LCIRT-R Team Leader
Comm (256) 876-5811
Cell (256) 947-0225  

-----Original Message-----
From: Stephen Samuel [mailto:samuel@bcgreen.com]
Sent: Wednesday, June 18, 2003 2:27 PM
To: Gary Golomb
Cc: focus-ids@securityfocus.com
Subject: Re: Recent Gartner IDS/IPS report

Gary Golomb wrote:
> An IPS is not an extension of an IDS, it's an
> extension of a firewall. And, that does NOT mean a
> firewall with an IDS on/next to it.

In my mind's eye, an IPS and an IDS are essentially the same technology with one big difference. For attack scenarios which are identifiable both in a reasonably short time, *and* with a high degree of certainty, the IPS will be expected to shut down (or otherwise respond to) the connection.

As Gary points out, an IPS doesn't have the luxury of responding to some kinds of incidents -- either because they have too high of a false-positive rate (even .1% can be highly problematic with high enough traffic of certain types), or because by the time you realize what's going on, the attack may have already done its dirty work.


Although it doesn't hurt to have two different methodologies between the IPS and IDS to recognize similar attacks, my gut feeling is that if your IPS is blocking something that your IDS wouldn't report, then you have one of two problems:

  1. Your IPS is blocking on false positives (generally bad).
  2. Your IDS is set to be too insensitive (bad, as a corollary to Gary's comments).

I see an IPS as testing for that subset of IDS-recognizable issues that can be meaningfully responded to in the moment, with the addition of triage algorithms to decide whether it's serious enough for an automated response. The last bit would be a choice of response mechanisms for different attacks.

-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
        the jewel within each person and bring it to life.
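The triage idea in Stephen's post, as an added example that is not part of the original thread: a rule earns an automated in-line response only if it is certain enough for the observed traffic volume, fast enough to act before the damage is done, and serious enough to justify dropping a connection, and anything the IPS blocks that the IDS never reports is flagged as one of the two tuning problems he lists. The `Signature`, `Policy`, rule names and thresholds are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """Constructed description of one IDS/IPS rule (hypothetical fields)."""
    name: str
    false_positive_rate: float  # fraction of matches that are benign traffic
    detect_seconds: float       # time from first packet to a confident verdict
    severity: int               # 1 (noise) .. 5 (critical)


@dataclass(frozen=True)
class Policy:
    """Site-specific tolerances for letting the inline sensor act on its own."""
    max_false_blocks_per_hour: float
    max_detect_seconds: float
    min_severity: int


def expected_false_blocks_per_hour(sig: Signature, matches_per_hour: float) -> float:
    """Legitimate connections the rule would drop per hour if it were allowed to block."""
    return sig.false_positive_rate * matches_per_hour


def triage(sig: Signature, matches_per_hour: float, policy: Policy) -> str:
    """Return 'block' (automated in-line response) or 'alert' (IDS report only)."""
    if sig.detect_seconds > policy.max_detect_seconds:
        return "alert"  # verdict arrives after the attack has done its work
    if expected_false_blocks_per_hour(sig, matches_per_hour) > policy.max_false_blocks_per_hour:
        return "alert"  # 0.1% looks small until the link carries enough matches
    if sig.severity < policy.min_severity:
        return "alert"  # not worth dropping a connection over
    return "block"


def ips_not_seen_by_ids(ips_blocks: set, ids_alerts: set) -> set:
    """Rules the IPS acted on that the IDS never reported: either the IPS is
    blocking on false positives or the IDS is tuned too insensitively."""
    return ips_blocks - ids_alerts


# Constructed sample rules and policy (not real signatures).
WORM_PROBE = Signature("worm-probe", false_positive_rate=0.001, detect_seconds=0.05, severity=4)
SLOW_SCAN = Signature("slow-scan", false_positive_rate=0.0001, detect_seconds=900.0, severity=2)
DEFAULT_POLICY = Policy(max_false_blocks_per_hour=5.0, max_detect_seconds=2.0, min_severity=3)

if __name__ == "__main__":
    for rate in (1_000, 200_000):  # matches per hour on a quiet vs a busy link
        print(WORM_PROBE.name, rate, triage(WORM_PROBE, rate, DEFAULT_POLICY))
    print(SLOW_SCAN.name, triage(SLOW_SCAN, 1_000, DEFAULT_POLICY))
    print(ips_not_seen_by_ids({"worm-probe", "ftp-overflow"}, {"worm-probe"}))
```

The same 0.1% rule is eligible to block on the quiet link (about one false drop an hour) and alert-only on the busy one (about 200), which is the volume argument from the post made concrete.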


-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------

Received on Wed Jun 18 20:30:13 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:14 EDT

