Intrusion Prevention Systems are certainly the future; we have done a lot of
research in this area over the last few months (mainly because TopLayer
Networks has just launched its own IPS product, the Attack Mitigator IPS -
but I will try and keep this as unbiased as possible!) so I hope these
comments are useful:

To take any security box 'inline', accuracy is essential; as Audra comments
in a later mail, you cannot be blocking stuff that may be legitimate.
However, I think it is also very important that you think about WHAT you want
to actually block. Assuming you place an IPS at the gateway (either before
or just after the firewall), you tend to be looking at a very different
subset of attacks than (say) monitoring off the core switch. In our tests (and
using ISS MSP's own figures) around 80% of all attacks that hit a gateway
are worm related (URI attacks to port 80) and another 10% are DDoS or DoS
related (SYN floods etc.).
These are classically attacks that cause a 'normal' IDS problems (i.e.
Unicode variants of URIs, picking up SYN floods etc.), and so a slightly
different approach in the method of detection is needed to ensure "zero
false positives" (i.e. URI normalisation, variable SYN flood mitigation).

Another key consideration is the type of platform that the device is running
on - IMHO any device that sits 'inline' must be 'network friendly', i.e. it
needs to be built to the same design specifications as other 'networking
devices' such as routers and switches. Only this way can you get the
same reliability and availability that you would expect from the rest of the
network ... as if this thing crashes it will affect the performance of your
network! (Those of you who have regular arguments with infrastructure
people should know what I am talking about ;-)

And herein lies the problem that faces most IDS vendors who want to move
to IPS - their architecture is based on Intel platforms. So they are reliant
on operating systems (which crash) and PCI architecture and chips which
again have poor MTBFs (ISS's Guard, Snort/Hogwash, Netscreen's OneSecure
etc.). The last mention of Netscreen is a good example of what I am talking
about. Before Netscreen came along, firewalls used to all be on Intel-like
platforms. Checkpoint especially suffered due to the performance and reliability
of an Intel platform. Netscreen came along and built their firewalls on ASICs
and blew Checkpoint out of the water on these metrics. OneSecure is an
Intel-based system, but since its acquisition Netscreen has announced it is
moving the technology to ASIC.

Interestingly, NSS Group (a prominent independent testing lab in the UK) is
about to release some findings on the first tests they have run on IPSs - I
don't know whether ISS participated, but it should be interesting...

So I guess in summary, IPS is a good thing (just look at the *real* damage
that a worm attack can cause, and an IDS is useless against it, apart from
generating 1000s of alerts about it, that is!) and it is certainly a virgin
market - but when looking for an IPS, don't necessarily use the same
criteria that you would use for an IDS sensor. Reliability, availability and
accuracy are key.

We have a new White Paper coming out on this subject in the next week or so, so
if you would like some more info please ping me a mail.

Cheers

Simon
____________________________________________
Simon Edwards 
Technical Evangelist 
Top Layer Networks 
US Office  : + 1 508 870 1300 (x230) 
US Mobile : + 1 617 953 8764 
UK Office  : + 44 1483 243 549
UK Mobile : + 44 7971 959170 
www: www.TopLayer.com 
email: [EMAIL PROTECTED] 
  
"Perfecting the Art of Network Security" 
--------------------------------------------
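Added example (my own illustration for this thread, not Top Layer's, ISS's or any product's code) of the URI normalisation step described in the message above: the reason an inline sensor canonicalises the request path before signature matching is that it then sees the same string the target web server would, whichever encoding the worm chose, so one rule covers every variant and legitimate escapes do not trip it. Everything in the block is constructed for the example: the request paths, the two-entry signature list, the function names (percent_decode_once, lenient_utf8, normalise_uri, verdict) and the assumption that at most two decoding passes are applied.

```python
"""URI normalisation ahead of worm-signature matching (added example;
not from the thread or any vendor). Folds percent-, %u- and overlong-
UTF-8 encodings, a second decode pass, backslashes and dot segments
into one canonical path, then matches signatures against that only."""

HEX = "0123456789abcdefABCDEF"
MAX_DECODE_PASSES = 2   # assumption: cap double-decoding; tune to the target server

# Constructed signature set for this example; matched on the canonical path only.
SIGNATURES = ("/cmd.exe", "/root.exe")


def percent_decode_once(s: str) -> bytes:
    """One decoding pass: %XX and IIS-style %uXXXX; malformed escapes stay literal."""
    out = bytearray()
    i, n = 0, len(s)
    while i < n:
        c = s[i]
        if c == "%" and i + 5 < n and s[i + 1] in "uU" \
                and all(h in HEX for h in s[i + 2:i + 6]):
            out += chr(int(s[i + 2:i + 6], 16)).encode("utf-8", "surrogatepass")
            i += 6
        elif c == "%" and i + 2 < n and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += c.encode("utf-8", "surrogatepass")
            i += 1
    return bytes(out)


def lenient_utf8(b: bytes) -> str:
    """Decode UTF-8 the way a lax server might: overlong forms such as C0 AF
    are accepted (-> '/') so the sensor sees what the target sees; anything
    undecodable becomes U+FFFD and can never match an ASCII signature."""
    out = []
    i, n = 0, len(b)
    while i < n:
        c = b[i]
        if c < 0x80:
            out.append(chr(c)); i += 1; continue
        if c & 0xE0 == 0xC0:
            need, cp = 1, c & 0x1F
        elif c & 0xF0 == 0xE0:
            need, cp = 2, c & 0x0F
        elif c & 0xF8 == 0xF0:
            need, cp = 3, c & 0x07
        else:
            out.append("\ufffd"); i += 1; continue
        tail = b[i + 1:i + 1 + need]
        if len(tail) < need or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd"); i += 1; continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out)


def normalise_uri(raw: str):
    """Return (canonical path, escaped_root); the query string is not matched."""
    path = raw.split("?", 1)[0]
    for _ in range(MAX_DECODE_PASSES):          # bounded: stops when stable
        decoded = lenient_utf8(percent_decode_once(path))
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/").lower()      # backslash and case folding
    segs, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            else:
                escaped = True                  # traversal above the document root
            continue
        segs.append(seg)
    return "/" + "/".join(segs), escaped


def verdict(raw: str) -> str:
    """'block' if the canonical path leaves the root or hits a signature, else 'pass'."""
    path, escaped = normalise_uri(raw)
    return "block" if escaped or any(sig in path for sig in SIGNATURES) else "pass"


# Constructed request paths: three encodings of one traversal, plus benign requests.
SAMPLE_REQUESTS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",     # overlong UTF-8 slash
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir",  # double-encoded backslash
    "/scripts/..%u005c../winnt/system32/CMD.EXE",            # %u encoding, mixed case
    "/images/logo%20v2.png",                                 # ordinary escaped space
    "/docs/caf%C3%A9.html",                                  # legitimate UTF-8 name
    "/a/./b/../c/index.html",                                # dot segments inside root
]


def run(requests=SAMPLE_REQUESTS):
    """Canonical path and verdict for each request, for inspection or testing."""
    return [(r, normalise_uri(r)[0], verdict(r)) for r in requests]


if __name__ == "__main__":
    for raw, canon, v in run():
        print(f"{v:5}  {canon:28}  <- {raw}")
```

Run as-is, the three traversal variants all collapse to /winnt/system32/cmd.exe with the root escaped and are blocked, while the escaped space, the UTF-8 filename and the in-root dot segments pass. The decode-pass bound and the signature list are the two knobs that trade coverage against false positives; the decoder deliberately mirrors a permissive server rather than strict UTF-8, because a sensor that is stricter than the thing it protects is exactly what lets an encoded variant through.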


-----Original Message-----
From: Anderson, Mike [mailto:[EMAIL PROTECTED]]
Sent: 20 November 2002 11:55
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ISSForum] INTRUSION DETECTION vs INTRUSION PREVENTION


Look at Real Secure Guard, from ISS (formerly Black ICE Guard). It is a
true "Intrusion Prevention" product from ISS.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 19, 2002 4:22 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [ISSForum] INTRUSION DETECTION vs INTRUSION PREVENTION


My company is looking into intrusion prevention instead of ISS IDS. Does
ISS have any plan to fully incorporate intrusion prevention into their
architecture?
We are currently looking into two companies --- OKENA.COM and FORESCOUT.COM
Any thoughts on those two companies?

Thanks
Osaro Osagie
CCSA, CCNA, CISSP
ALLTEL Information Technology



_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo