[Snort-users] New Trend: Intrusion Prevention

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Mon Dec 16 10:49:08 EST 2002

Hi Marty,

Thanks for the feedback. I totally agree with your view on this. I
definitely don't see IPS replacing IDS myself either. I can see IPS
complementing IDS but that's about it.

Giga Research was at Infosec 2002 in New York and they and others mentioned
several times when speaking about security trends that IDS will be replaced
by IPS. They even went as far as to say if you haven't started a corporate
IDS installation at your company, to hold off and look at IPS. See their
website where they have articles speaking about this (www.gigaweb.com).

Another interesting speech at Infosec 2002 by Counterpane's Bruce Schneier
also backs up our view on this issue. He stated several times that
prevention is always the preferred security method over detection, BUT,
prevention will ALWAYS fail at some point, so detection will always be
needed as a backup.

Paul Sheahan
Manager of Information Security
paul.sheahan at ...2218...

-----Original Message-----
From: Martin Roesch [mailto:roesch at ...1935...]
Sent: Friday, December 13, 2002 5:21 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] New Trend: Intrusion Prevention

Hi Paul,

I went into this on the Focus-IDS mailing list a month or so ago.  
Basically, I believe IPS to be more of a threat to (or the future of) 
firewalls.  Network intrusion prevention devices sit in-line and 
provide permit/deny access control for packet streams based on whether 
or not they're attacks.  Presumably it would be relatively easy as a 
subset of functionality to add stateful packet filtering that's just as 
good or better than any existing firewalling mechanisms.  Netscreen and 
Checkpoint have figured this out which is why you see them making 
aggressive moves in the IPS space.  Intrusion detection devices have a 
VERY different role in the network security hierarchy, they provide 
*awareness* of what's happening on your network, verification of policy 
compliance and detection of potential threats and anomalies.

Let me lay out two scenarios that illustrate why intrusion prevention 
!= intrusion detection and why it's unlikely that IPS will ever replace 
IDS (and how everyone who's trying to tell you it will is trying to 
sell you something):

1) IPS devices only guard the peering points (at best) of the network.  
In the case of an attack between hosts on the same broadcast network 
(inside the peering point) you have absolutely no coverage from the 
IPS.  In that case you'll need to have an IDS to tell you what's going 
on.  For example, someone in engineering decides to give him self a 
raise by hacking into the accounting department and making it so, your 
IPS has no visibility into this traffic so it's quite worthless.  Your 
IDS can see this traffic, however, and collect the relevant information 
for detection/enforcement of policy and evidence for law enforcement.

2) No IPS is going to be perfect, so attacks are going to slip through 
them.  It can be attacks that they don't know about (new buffer 
overflows, etc) or even traffic that's legitimate but hostile in your 
environment, like non-anonymous logins to your anonymous FTP server.  
If an attack gets by an IDS, how will you know?  You better have a 
pretty good IDS to tell you, that's how.

There are several other things I could highlight, but I think this 
illustrates the point pretty well and it's Friday and late and I feel 
like going home. :)


On Friday, December 13, 2002, at 12:30 PM, Sheahan, Paul (PCLN-NW) 

> I attended Infosecurity 2002 yesterday and there was much talk about
> intrusion detection going away, and intrusion prevention replacing it. 
> Does
> anyone know if there are any plans to include intrusion prevention
> functionality into Snort in the future?
> Thanks,
> Paul Sheahan
> Manager of Information Security
> Priceline.com
> paul.sheahan at ...2218...
> -------------------------------------------------------
> This sf.net email is sponsored by:
> With Great Power, Comes Great Responsibility
> Learn to use your power at OSDN's High Performance Computing Channel
> http://hpc.devchannel.org/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-users mailing list