[Snort-users] New Trend: Intrusion Prevention

Kevin Black snort_lists at ...7756...
Sun Dec 15 11:17:02 EST 2002


One thing I have not seen mentioned is the danger 
associated with the IPS. Most of the time when I hear 
people talking about IPS they refer to "shunning" the 
address associated with the alert or the activity. This is 
done by modifying the firewall or adding to the 
hosts.deny, (such as in portsentries case). etc. Suppose 
you are running IIS and I fired out a few packets at your 
business that would trigger IIS overflow alerts or scan 
alerts. The source address is spoofed as one of your 
remote sites. Maybe your mail is relayed and I use that 
address or even worse I spoof your downstream router or 
ISP's DNS server. 

IPS has its place and can be very useful but in a *very* 
limited capacity IMHO. The setup needs to be carefully 
thoughtout and the repurcussions need to be fully 
understood before it is installed. With all this in mind, 
until computers can actually creatively think and analyse, 
I will have to agree with Ofir in that IPS wont pose a 
threat to either firewall or IDS. Vendors will tell you 
different but in this day and age they will tell you 
anything to get the sale. These are the same vendors that 
told you and are still telling you that 128bit rc4 makes 
your wireless unbreakable. We all know better don't we :)

- Kevin Black


On Sat, 14 Dec 2002 10:41:06 +0200
  "Ofir Arkin" <ofir at ...949...> wrote:
>All,
>
>We cannot dismiss the importance of both IDS and IPS to 
>the security
>arena. 
>
>Unlike Marty I do not believe that IPS is a real threat 
>to the
>traditional Firewall market and for the big players. If 
>one is familiar
>with the recent add-ons and special features Checkpoint 
>firewall NG has
>and the ability to control desktop machines through the 
>usage of central
>policy and to control authority he can clearly see the 
>difference. Not
>that the big firewall players are not seeking other 
>markets...
>
>IPS is good to be installed on servers you wish to lay 
>another layer of
>security by controlling the system calls and/or 
>controlling the specific
>protocols allowed to that server and their respective 
>known (and
>sometimes unknown) attacks. You are able to defend you 
>servers against
>different threats. In my opinion it is a good concept, 
>and one that is
>very helpful. Sure, fine tuning might be a pain, but 
>there are products
>with generic defenses for some attacks that you simply do 
>not need to
>worry about those any more (take for example Entercept
>www.entercept.com). 
>
>Both technologies should be placed in a network and they 
>do not replace
>each other. They both present a very important aspect of 
>security for an
>organization.
>
>An IPS has a limited view on the Host it serves and like 
>a host IDS it
>lacks the global view. The issue of log/alert correlation 
>is another
>buzz word which is constantly getting into the security 
>product market
>(for example network forensics).
>
>If you do not have correlation between the information 
>gathered by your
>IPS systems or by your IDS systems than you will never 
>understand what
>stroke you or what is *really* going on. 
>
>This is just my opinion,
>
>Yours,
>Ofir Arkin [ofir at ...949...]
>Founder
>The Sys-Security Group
>http://www.sys-security.com
>PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On 
>Behalf Of Martin
>Roesch
>Sent: Saturday, December 14, 2002 12:21 AM
>To: Sheahan, Paul (PCLN-NW)
>Cc: Snort List (E-mail)
>Subject: Re: [Snort-users] New Trend: Intrusion 
>Prevention
>
>Hi Paul,
>
>I went into this on the Focus-IDS mailing list a month or 
>so ago.  
>Basically, I believe IPS to be more of a threat to (or 
>the future of) 
>firewalls.  Network intrusion prevention devices sit 
>in-line and 
>provide permit/deny access control for packet streams 
>based on whether 
>or not they're attacks.  Presumably it would be 
>relatively easy as a 
>subset of functionality to add stateful packet filtering 
>that's just as 
>good or better than any existing firewalling mechanisms. 
> Netscreen and 
>Checkpoint have figured this out which is why you see 
>them making 
>aggressive moves in the IPS space.  Intrusion detection 
>devices have a 
>VERY different role in the network security hierarchy, 
>they provide 
>*awareness* of what's happening on your network, 
>verification of policy 
>compliance and detection of potential threats and 
>anomalies.
>
>Let me lay out two scenarios that illustrate why 
>intrusion prevention 
>!= intrusion detection and why it's unlikely that IPS 
>will ever replace 
>IDS (and how everyone who's trying to tell you it will is 
>trying to 
>sell you something):
>
>1) IPS devices only guard the peering points (at best) of 
>the network.  
>In the case of an attack between hosts on the same 
>broadcast network 
>(inside the peering point) you have absolutely no 
>coverage from the 
>IPS.  In that case you'll need to have an IDS to tell you 
>what's going 
>on.  For example, someone in engineering decides to give 
>him self a 
>raise by hacking into the accounting department and 
>making it so, your 
>IPS has no visibility into this traffic so it's quite 
>worthless.  Your 
>IDS can see this traffic, however, and collect the 
>relevant information 
>for detection/enforcement of policy and evidence for law 
>enforcement.
>
>2) No IPS is going to be perfect, so attacks are going to 
>slip through 
>them.  It can be attacks that they don't know about (new 
>buffer 
>overflows, etc) or even traffic that's legitimate but 
>hostile in your 
>environment, like non-anonymous logins to your anonymous 
>FTP server.  
>If an attack gets by an IDS, how will you know?  You 
>better have a 
>pretty good IDS to tell you, that's how.
>
>There are several other things I could highlight, but I 
>think this 
>illustrates the point pretty well and it's Friday and 
>late and I feel 
>like going home. :)
>
>       -Marty
>
>
>On Friday, December 13, 2002, at 12:30 PM, Sheahan, Paul 
>(PCLN-NW) 
>wrote:
>
>>
>> I attended Infosecurity 2002 yesterday and there was 
>>much talk about
>> intrusion detection going away, and intrusion prevention 
>>replacing it.
>
>> Does
>> anyone know if there are any plans to include intrusion 
>>prevention
>> functionality into Snort in the future?
>>
>> Thanks,
>>
>> Paul Sheahan
>> Manager of Information Security
>> Priceline.com
>> paul.sheahan at ...2218...
>>
>>
>>
>>
>> -------------------------------------------------------
>> This sf.net email is sponsored by:
>> With Great Power, Comes Great Responsibility
>> Learn to use your power at OSDN's High Performance 
>>Computing Channel
>> http://hpc.devchannel.org/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>-- 
>Martin Roesch - Founder/CTO, Sourcefire Inc. - 
>(410)290-1616
>Sourcefire: Snort-based Enterprise Intrusion Detection 
>Infrastructure
>roesch at ...1935... - http://www.sourcefire.com
>Snort: Open Source Network IDS - http://www.snort.org
>
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:
>With Great Power, Comes Great Responsibility 
>Learn to use your power at OSDN's High Performance 
>Computing Channel
>http://hpc.devchannel.org/
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:
>With Great Power, Comes Great Responsibility 
>Learn to use your power at OSDN's High Performance 
>Computing Channel
>http://hpc.devchannel.org/
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list