[Snort-users] Re: [Snort-devel] IDS vs IPS

Mark Teicher mht3 at ...891...
Tue Sep 2 05:43:28 EDT 2003

<mht >

At 03:15 AM 8/28/2003, Bob Walder wrote:

>One important distinction:
>Firewalls are about policy enforcement - IDS and IPS are about detection
>(as of THIS moment in time).
>I still see the IPS as an evolution of the IDS and not the firewall. In
>my opinion, the firewall is itself gonna have to evolve pretty damn
>quickly to stop the IPS going the whole hog and taking over its job too.

<mht> I have not seen a vendor who has addressed the full definition of IPS.

>YES - the two technologies have similar aims and will undoubtedly
>converge. BUT, who do you see winning the race? In my opinion, the guys
>who already have the flashy hardware and solid IDS/IPS technology will
>have an easier time of it than the firewall vendors (i.e. the likes of
>Tippingpoint and Intruvert/NAI).

<mht> Tippingpoint has IDS technologies and is not a true IPS, the same as 
Intruvert/NAI - in fact, Intruvert started out as an IDS appliance.

>By the way - why not ask NetScreen how hard it is to integrate IPS and
>firewall technology?! They already had a firewall appliance - if it is
>really that easy to converge these technologies (or if there really
>isn't a difference between them in the first place) then why have we not
>seen their IPS technology already fully integrated into their fancy
>firewall platform?

<mht> Still waiting for an answer on what IPS technology is all about. For 
example, Okena allows an administrator lockdown on Windows, svchost, and 
ntkernl.dll.. Hmm, how many Windows applications do you think that breaks..

>Cisco is well placed to do this job too - it has the big switches which
>could take a flashy new IPS/IDS/firewall blade, and the in-house
>expertise with both firewall and IDS technologies. AND it understands
>how important it is for this stuff to be rock solid and scalable. Both
>Intruvert and Tippingpoint could probably also make a decent fist of it.

<mht> Same as above, Cisco Security Agent aka Okena is going to have the 
same issues as Tippingpoint and NAI.. Actually in fact the first eval of 
TippingPoint wasn't even fully done and had lots of bugs.. I just saw a 
recent eval from a friend of mine, and they stated the same thing, 
TippingPoint, great smoke and mirrors, but does not scale well with 10,000 

>But... It ain't easy! It will be a while before these things do
>converge, and until then I foresee a number of religious arguments over
>which technology is best, which technology is pure marketing hype, which
>technology came first, blah, blah, blah (i.e. a bit like this thread...

<mht> Convergence may be occurring, but I think IPS will integrate into IDS 
technology. IPS is just pure marketing hype. How many Centrally Managed 
Desktop Firewall vendors just switched their web pages over to hyping 
themselves as an IPS product.. ??

>Oh... And no way am I advocating that any one of these technologies can
>displace the others right now - they all have their place. On my network
>I have two firewalls at the perimeter for the policy enforcement stuff
>(i.e. that's where I say "allow HTTP to this server on my DMZ, don't
>allow Telnet to anything, allow FTP to that server on my DMZ, and so
>on...). Behind those I have an IPS - also at the perimeter - to catch
>the bad stuff that the firewall lets through (i.e. the firewall says let
>through HTTP traffic, but there is a lot of nasty stuff that could ride
>on the back of that). And finally, I have IDS systems on the DMZ and
>internal networks just so I can mop up anything that might get through
>owing to the fact I don't want my IPS to block absolutely everything
>('cos it's just not ready for that yet!)

<mht> Ultimate Firewall Toolkit will save enterprises huge amounts of 
money, and also save the VCs huge amounts of money.. !!
I feel sorry for the VCs that have invested so much of their money into a 
technology that has about an 18-month lifespan.. Takes the company 9 months 
to get something they can beta, takes them another 9 months to get it to 
work, and guess what, some huge vendor comes out with a BIG APPLICATION that 
changes their world.. Anyone heard of SAP..

Products like Cenzic Hailstorm attempted to produce a product that helped 
vendors find Quality Assurance issues automatically. Good technology, 
wrong market; also vendors didn't want to pay for a tool that pointed out 
deficiencies in their engineers.
IPS vendors want to point out holes in IDS vendors; it is going to be an issue 
for vendors to address, or they will have to persuade their customers to understand.. 
For example, a large company that is no.1 in the Fortune 500 paid lots of 
money for a desktop firewall solution, and now some IPS vendor comes along 
and says, btw, that solution blows chunks because it is not an IPS.. I don't 
think that customer is going to be convinced that they wasted lots of money 
on a solution that just got in place.
Always a dilemma with new technology. Anyone want to talk about PKI as 
great technology, but lousy implementation??
How about Managed Security Services??
Boutique Consulting, and why International Network Services will become No.1 
again??
How about, instead of arguing about the difference between IDS and IPS, some 
of the engineers on the list plan on developing ways of making 
self-healing applications and networks.
Now, I would pay a dollar for that... !!

/off soap box

going back to hide underneath rock for a few more years..

>I would LOVE to have just the one box for this.... But it's just not
> >> -----Original Message-----
> >> From: Jason [mailto:security at ...1585...]
> >> Sent: 28 August 2003 05:17
> >> To: Frank Knobbe
> >> Cc: bwalder at ...1455...; 'Mark Teicher'; 'Jeff Nathan';
> >> Vkmobile at ...2112...; snort-devel at lists.sourceforge.net;
> >> snort-users at lists.sourceforge.net
> >> Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS
> >>
> >>
> >> Thanks, I think the matrix shows fairly well that the _new IPS_ is a
> >> natural evolution of the existing firewall.
> >>
> >> This is important to point out because there are existing investments
> >> in firewalls and these firewalls are rapidly closing the gap where
> >> needed. I know that CP has been moving in this direction for a while.
> >> It has also been my experience that they have been moving at an
> >> appropriate pace and the capabilities have been there when I've needed
> >> them.
> >>
> >> One final statement. You do not need the firewall to log content if you
> >> have an IDS that you can trust will not have a direct impact on the
> >> business should it be too critical of the data.
> >>
> >> You can also have confidence in your firewall because your IDS verifies
> >> what you told the firewall to do and covers your arse when you let
> >> something by because of business requirements or a human error.
> >>
> >> Frank Knobbe wrote:
> >>
> >> > On Wed, 2003-08-27 at 18:36, Jason wrote:
> >> >
> >> >>Bob Walder wrote:
> >> >>
> >> >>>My 0.02 worth is that a Network IPS (NIPS) is a device with two
> >> >>>interfaces that operates in-line to detect suspicious traffic and
> >> >>>INSTANTLY discard the offending packet and the rest of the suspicious
> >> >>>flow.
> >> >>
> >> >>What we have here is a definition of an IPS that matches pretty
> >> >>closely what firewalls have been able to do for some time.
> >> >
> >> > Not quite. There are differences in the way firewalls and intrusion
> >> > detection systems analyze data. For example, I have not seen a
> >> > firewall that can identify a CodeRed attempt by name. Yeah, you can
> >> > block HTTP methods and put limiters on URLs etc. (you mentioned CP as
> >> > an example which can do that with HTTP content stuff). But I have not
> >> > come across a firewall with a 'signature set' like IDS' have
> >> > them......yet.
> >> >
> >> > It is true that most firewalls are under-utilized. However, an IPS
> >> > (being based on an IDS) has capabilities beyond a firewall. Policy
> >> > violations (or network flow anomalies) can be detected by firewalls
> >> > and cause some sort of reaction/enforcement (CP's SAM is one example).
> >> > However, firewalls don't have statistical anomaly detection like some
> >> > IDS' do.
> >> >
> >> > Let's draft a matrix of capabilities:
> >> >
> >> > Metric        | Firewall        | IDS             | IPS
> >> > --------------+-----------------+-----------------+----------------
> >> > Signature     | Limited packet  | Extensive       | See IDS
> >> > Analysis      | inspection      | signature sets  |
> >> >               | due to lack of  | allow wide      |
> >> >               | rule set defin. | pattern match   |
> >> > --------------+-----------------+-----------------+----------------
> >> > Protocol      | Mostly present  | Present         | Present
> >> > validation    |                 |                 |
> >> > --------------+-----------------+-----------------+----------------
> >> > Traffic flow  | Present, that's | Present         | Present
> >> > Anomaly Det.  | what they do    |                 |
> >> > --------------+-----------------+-----------------+----------------
> >> > Statistical   | Absent          | Present         | Absent (???)
> >> > Anomaly Det.  |                 |                 | (as of today)
> >> > --------------+-----------------+-----------------+----------------
> >> > Packet Log    | Logging mostly  | Capable of      | See IDS
> >> >               | high level      | logging content |
> >> > --------------+-----------------+-----------------+----------------
> >> > Protocol      | Present         | Absent          | Present
> >> > normalization |                 |                 |
> >> > ==============+=================+=================+================
> >> > Activity      | Active          | Mostly passive  | Active
> >> >
> >> >
> >> > If someone wants to take this further, feel free. But as you can see,
> >> > IPS and firewalls are not quite alike (but neither are IPS and IDS! :)
> >> >
> >> > Regards,
> >> > Frank
> >> >
> >>
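The thread argues about where the line between firewall, IPS and IDS falls: Bob's layered deployment (firewall enforces header policy, an in-line IPS drops "the offending packet and the rest of the suspicious flow", a passive IDS behind it mops up what the IPS is not trusted to block yet) and Frank's capability matrix (firewalls act on headers, IDS matches content passively, IPS matches content in-line). The simulation below is an added illustration written for this page, not code from the thread or from any product named in it. It models the three stages as small Python functions and runs constructed sample packets through them; the firewall rules, signature names, IP addresses and payloads are all made up for the demonstration. The point it shows is which stage sees which packet: the IDS never sees what the in-line IPS dropped, and the IPS only blocks the signatures an operator has marked as trusted in-line, while the IDS alerts on everything it knows.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet model: headers plus payload (constructed for the example)."""
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""

    def flow(self):
        # Flow key used by the IPS to drop "the rest of the suspicious flow".
        return (self.src, self.dst, self.dport, self.proto)


# Stage 1: firewall, header-only policy enforcement (first match wins, deny by
# default). Constructed rules in the spirit of "allow HTTP to this server on my
# DMZ, don't allow Telnet to anything": (action, dst or None for any, dport, proto).
FIREWALL_POLICY = [
    ("allow", "10.1.1.80", 80, "tcp"),   # HTTP to the DMZ web server
    ("allow", "10.1.1.21", 21, "tcp"),   # FTP to the DMZ FTP server
    ("deny",  None,        23, "tcp"),   # Telnet to anything
]


def firewall_verdict(pkt):
    for action, dst, dport, proto in FIREWALL_POLICY:
        if (dst is None or dst == pkt.dst) and dport == pkt.dport and proto == pkt.proto:
            return action
    return "deny"


# Signatures shared by IPS and IDS: (name, content, block_inline). Names and
# contents are placeholders constructed for this example, not real rules.
# block_inline=False models a signature the operator trusts only for alerting.
SIGNATURES = [
    ("SAMPLE-HTTP-DIR-TRAVERSAL", b"../../", True),
    ("SAMPLE-HTTP-SUSPICIOUS-UA", b"User-Agent: scanner", False),
]


class InlineIPS:
    """Stage 2: in-line, active. Drops on a blocking signature and remembers the flow."""

    def __init__(self):
        self.blocked_flows = set()

    def verdict(self, pkt):
        if pkt.flow() in self.blocked_flows:
            return "drop", "rest of blocked flow"
        for name, content, block_inline in SIGNATURES:
            if block_inline and content in pkt.payload:
                self.blocked_flows.add(pkt.flow())
                return "drop", name
        return "pass", None


class PassiveIDS:
    """Stage 3: passive. Alerts on every known signature, never changes the traffic."""

    def __init__(self):
        self.alerts = []

    def observe(self, pkt_id, pkt):
        for name, content, _ in SIGNATURES:
            if content in pkt.payload:
                self.alerts.append((pkt_id, name))


def run_pipeline(packets):
    """Run packets through firewall -> IPS -> IDS; return per-packet fate and IDS alerts."""
    ips, ids = InlineIPS(), PassiveIDS()
    results = []
    for i, pkt in enumerate(packets):
        if firewall_verdict(pkt) == "deny":
            results.append((i, "firewall", "deny"))
            continue
        action, reason = ips.verdict(pkt)
        if action == "drop":
            results.append((i, "ips", "drop:" + reason))
            continue
        ids.observe(i, pkt)  # the IDS only sees what the firewall and IPS let through
        results.append((i, "delivered", "ok"))
    return results, ids.alerts


# Constructed sample traffic (addresses from the documentation range 192.0.2.0/24).
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.1.1.5", 23, "tcp", b"login"),                                  # 0: Telnet
    Packet("192.0.2.10", "10.1.1.80", 80, "tcp", b"GET /index.html HTTP/1.0\r\n"),          # 1: benign HTTP
    Packet("192.0.2.11", "10.1.1.80", 80, "tcp", b"GET /../../etc/passwd HTTP/1.0\r\n"),    # 2: blocking signature
    Packet("192.0.2.11", "10.1.1.80", 80, "tcp", b"GET /index.html HTTP/1.0\r\n"),          # 3: same flow as 2
    Packet("192.0.2.12", "10.1.1.80", 80, "tcp", b"GET / HTTP/1.0\r\nUser-Agent: scanner\r\n"),  # 4: alert-only signature
    Packet("192.0.2.12", "10.1.1.25", 25, "tcp", b"HELO"),                                  # 5: no rule, default deny
]

if __name__ == "__main__":
    fates, alerts = run_pipeline(SAMPLE_PACKETS)
    for fate in fates:
        print(fate)
    print("IDS alerts:", alerts)
```

Packet 3 carries a benign request but is dropped anyway because its flow was blocked by packet 2, which is the "rest of the suspicious flow" behaviour from Bob's definition; packet 4 is delivered and only shows up as an IDS alert, because its signature is not trusted for in-line blocking. Reading the two return values side by side is the quickest way to see why a passive sensor behind an in-line device cannot be used to measure what the in-line device blocked.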
