Re: [Snort-users] Re: [Snort-devel] IDS vs IPS
From: Jason <security(at)brvenik.com>
Date: Wed Aug 27 2003 - 19:36:38 EDT

my $.02 AU

Bob Walder wrote:
>>>I would someone on this list to actually define Intrusion
What we have here is a definition of an IPS that matches pretty closely what firewalls have been able to do for some time. There are packet _inspecting_ firewalls and proxy based firewalls, both of these can drop or block the offending traffic. An IPS as defined above can even be certain types of routers. These are completely different than the "Monitoring" devices designed to observe, they are "Control" devices designed to enforce. I think that lumping in these "new" products with the "Intrusion" category is an injustice to the many capable firewalls and routing products that have been available for so many years and already performing this function.

>
This here be religion if you ask me. The mere presence of an IDS without any active element can be classified as an IPS. Now before we go jumping around and hootin' and hollerin', consider this. You have a flexible IDS that you can create your own signatures for. The signatures you create are designed to verify the firewall policies that are supposed to be in place. Any deviation from this policy is unknown to the environment and should be mitigated or made known. Now one might say that the IPS is designed for this; you would be correct. The firewall in place is designed for this, and the people problem most likely caused there to be an unknown threat allowing the bypass of the firewall. This same problem still exists for the new breed of firewall. You ask how the IDS has performed an IPS role? It has done this by alerting your security staff to a situation that needs attention before that situation can ever be used to launch an attack. Key to this is the use of the "S" or system. Maybe the branding should be IPD for Intrusion Prevention Device. Since this device is supposed to prevent, can you sue if it fails to prevent an intrusion?

>
Does anyone know how the dropped packet(s) that are part of an established session get handled on the server side of the connection? This could be my ignorance of how the latest inline devices work; I've not had a chance to play with them myself. Some of the questions that I have are: What if the dropped packet thwarts the attack but leaves the session open? Will the end server be subjected to a DoS by filling state tables? What about the mass DoS of services because the IP device sends a reset to mitigate this state problem? What data corruption can the connection being aborted cause? What if the suspect packet was in the middle of a database transaction? What if the sanitized packet (another way to mitigate the state problems) causes the server to respond with different data? Does this create liability issues for the business? What if that data is customer data? What if it is your bank account balance being reported as 0? What if it is used to drop a connection for a protocol designed to re-establish? Imagine the use of these firewalls to drop packets that are part of a mail message; the mail server can sit and wait for the rest of the data. This data never arrives and the connection times out, so the sending server assumes a problem and queues up the message to send again. Wash, Rinse, Repeat. You have created a DoS for both systems.

>
I have to disagree here. I think the "I" in IPS implies absolute scrutiny of the data seen and when the "PS" is in doubt it can either block or raise the issue for further inspection. If you do this then what you really have is a gateway IDS.

>
IPS is an evolution of the firewall, a rebranding of existing technology in an attempt to capitalize on the security fear present today.

> a whole heap more work to do than an IDS box and thus has to be more
It has to behave like a firewall not an IDS. Throw up a cluster of CP NG and you have just that all the way into multi gigabit speeds with VPN and proxies to boot.

> accept it as part of their infrastructure then they'd better be pretty
You also have the failure case where the IPS fails open, that is it passes all traffic like a failed tap. You had better hope that there is a good firewall there and a good IDS to back you up.

> And just to round off the definitions, we have Host IPS (HIPS). This
The definition given above of an IPS plays right into this spin doctoring. I think it is important to remember that the new definition called IPS is the same as the capabilities of modern firewalls and it is nothing new; the same problems that have prevented wide usage in the firewall space still plague the inline devices, and then some extras have been added. The phrase "Trust but verify" comes to mind here.

>
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Wed Aug 27 19:44:51 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:09 EDT
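The post argues that an IDS can do useful prevention work simply by carrying signatures that verify the firewall policy is actually in effect, so that any flow seen on the protected side that the policy says should have been blocked is flagged for the security staff. The following is an added illustration of that idea, not code from the post or from the Snort project: a small policy checker that evaluates constructed flow records (as a sensor behind the firewall might log them) against a hypothetical first-match, default-deny rule set and reports the deviations. Addresses, rules and log lines are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the source must fall in
    dst: str              # CIDR the destination must fall in
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# Hypothetical firewall policy (constructed for this example): first match wins,
# anything that matches nothing is denied.
POLICY = [
    Rule("0.0.0.0/0", "192.0.2.10/32", "tcp", 25, "allow"),   # mail relay
    Rule("0.0.0.0/0", "192.0.2.20/32", "tcp", 443, "allow"),  # web server
    Rule("10.0.0.0/8", "192.0.2.0/24", "tcp", 22, "allow"),   # admin ssh from inside only
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]


def expected_action(src: str, dst: str, proto: str, dport: int) -> str:
    """What the firewall policy says should happen to this flow."""
    for r in POLICY:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    dst: str
    dport: int


# Constructed flow records, in the form "timestamp proto src dst dport", as a
# sensor sitting on the protected side of the firewall might record them.
SAMPLE_FLOWS = """\
2003-08-27T19:30:01 tcp 198.51.100.7 192.0.2.10 25
2003-08-27T19:30:04 tcp 198.51.100.7 192.0.2.20 443
2003-08-27T19:30:09 tcp 10.1.4.22 192.0.2.20 22
2003-08-27T19:30:15 tcp 203.0.113.5 192.0.2.10 23
2003-08-27T19:30:21 tcp 203.0.113.5 192.0.2.20 22
2003-08-27T19:30:30 udp 198.51.100.9 192.0.2.10 161
"""


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; malformed lines return None rather than raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, proto, src, dst, dport = parts
    try:
        return Flow(ts, proto.lower(), str(ip_address(src)),
                    str(ip_address(dst)), int(dport))
    except ValueError:
        return None


def policy_violations(log_text: str) -> List[Flow]:
    """Flows seen behind the firewall that the policy says should never have passed.

    Each hit is evidence that the enforcement point and the written policy
    disagree, which is the condition the post wants surfaced to staff."""
    hits = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        if expected_action(flow.src, flow.dst, flow.proto, flow.dport) == "deny":
            hits.append(flow)
    return hits


if __name__ == "__main__":
    for f in policy_violations(SAMPLE_FLOWS):
        print(f"POLICY DEVIATION {f.ts} {f.proto} {f.src} -> {f.dst}:{f.dport}")
```

On the sample data the telnet connection to the mail relay, the ssh session from an outside address, and the SNMP datagram are reported; the three flows the policy permits are not. The checker only consumes what the sensor observed, so it never drops or resets anything itself, which is exactly the "monitoring rather than control" role the post distinguishes.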