SEdwards_at_toplayer.com
Date: Thu Nov 21 2002 - 03:13:56 CST


    Intrusion Prevention Systems are certainly the future, we have done a lot of
    research in this area over the last few months (mainly because TopLayer
    Networks has just launched its own IPS product, the Attack Mitigator IPS -
    but I will try and keep this as unbiased as possible !) so I hope these
    comments are useful :

    To take any security box 'inline' accuracy is essential, as Audra comments
    in a later mail, you cannot be blocking stuff that may be legitimate.
    However I think it is also very important that you think about WHAT you want
    to actually block. Assuming you place an IPS at the gateway (either before
    or just after the firewall) you tend to be looking at a very different sub
    set of attacks, than (say) monitoring off the core switch. In our tests (and
    using ISS MSP's own figures) around 80% of all attacks that hit a gateway
    are worm related (URI attacks to port 80) and another 10% are DDOS or DOS
    related (SYN Floods etc.).
    These are classically attacks that cause a 'normal' IDS problems (i.e.
    Unicode variants of URIs, picking up SYN Floods etc.), and so a slightly
    different approach in the method of detection is needed to ensure "zero
    false positives" (i.e. URI Normalisation, variable SYN flood mitigation).

    Another key consideration is the type of platform that the device is running
    on - IMHO any device that sits 'inline' must be 'network friendly' - i.e. it
    needs to be built to the same design specifications as other 'networking
    devices' such as routers and switches etc. Only this way can you get the
    same reliability and availability that you would expect from rest of the
    network ... as if this thing crashes it will affect the performance of your
    network! (Those of you who have regular arguments with infrastructure
    people should know what I am talking about ;-)

    And herein lies the problem that faces most IDS vendors, who want to move
    to IPS - their architecture is based on Intel platforms. So they are reliant
    on operating systems (which crash) and PCI architecture and chips which
    again have poor MTBFs. (ISS' Guard, SNORT /Hogwash, Netscreens' One Secure
    etc.) The last mention of Netscreen is a good example of what I am talking
    about. Before Netscreen came along, firewalls used to all be on Intel like
    platforms. Checkpoint esp. suffered due to the performance and reliability
    of an Intel platform. Netscreen came along and built their firewalls on ASIC
    and blew Checkpoint out of the water on these metrics. One Secure is an
    Intel based system, but since its acquisition Netscreen has announced it is
    moving the technology to ASIC.

    Interestingly NSS Group (a prominent independent testing lab in the UK) is
    about to release some findings on the first tests they have run on IPS' - I
    don't know whether ISS participated, but it should be interesting ..

    So I guess in summary, IPS is a good thing (just look at the *real* damage
    that a Worm attack can cause, and an IDS is useless against it, apart from
    generating 1000's of alerts about it that is !) and it is certainly a virgin
    market - but when looking for an IPS, don't necessarily use the same
    criteria that you would use for an IDS sensor. Reliability, Availability and
    Accuracy are key.

    We have a new White Paper coming out on this subject in next week or so, so
    if you would like some more info please ping me a mail

    Cheers

    Simon
    ____________________________________________
    Simon Edwards
    Technical Evangelist
    Top Layer Networks
    US Office : + 1 508 870 1300 (x230)
    US Mobile : + 1 617 953 8764
    UK Office : + 44 1483 243 549
    UK Mobile : + 44 7971 959170
    www: www.TopLayer.com
    email: sedwards@toplayer.com
      
    "Perfecting the Art of Network Security"
    --------------------------------------------
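The URI normalisation step mentioned above (decoding Unicode and percent-encoded variants before matching, so that worm URIs are caught without false positives on ordinary requests) is shown here as an added example; it is not part of the original mail and is not code from Top Layer or any product named in the thread. It decodes a request path repeatedly (standard %XX escapes and IIS-style %uXXXX escapes), folds case, unifies path separators, resolves dot segments while recording attempts to climb above the web root, and only then applies plain substring signatures. The sample paths, the signature list and the function names are all constructed for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (not taken from the original mail): one
# ordinary request and three encoded variants of the same kind of worm URI.
SAMPLE_PATHS = {
    "plain": "/index.html",
    "pct_encoded": "/scripts/%63%6D%64.exe",
    "double_encoded_backslash": "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
    "u_encoded": "/scripts/%u002e%u002e/%u002e%u002e/winnt/system32/CMD.EXE",
}

# Constructed signature list; matched as lowercase substrings of the
# normalised, resolved path.
SIGNATURES = ["cmd.exe", "/etc/passwd"]

_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def _decode_once(s: str) -> str:
    """One decoding round: standard %XX escapes, then IIS-style %uXXXX."""
    s = unquote(s)  # leaves malformed sequences such as %u002e untouched
    return _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def normalize_uri(raw: str, max_rounds: int = 3) -> dict:
    """Normalise a request path the way an inline sensor must before matching."""
    # 1. Decode until the string stops changing (bounded), so that double or
    #    triple encoding cannot hide a signature.
    decoded = raw
    for _ in range(max_rounds):
        nxt = _decode_once(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # 2. Drop the query string, fold case, treat '\' as '/', collapse '//' runs.
    path = decoded.split("?", 1)[0].lower().replace("\\", "/")
    path = re.sub(r"/+", "/", path)
    # 3. Resolve '.' and '..' segments, noting any attempt to leave the root;
    #    resolution is what makes "..\..\winnt" and "/winnt" compare equal.
    segments = []
    escapes_root = False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escapes_root = True
            continue
        segments.append(seg)
    resolved = "/" + "/".join(segments)
    return {"decoded": path, "resolved": resolved, "escapes_root": escapes_root}


def naive_match(raw: str) -> list:
    """What a sensor that matches the raw wire bytes would report."""
    return [sig for sig in SIGNATURES if sig in raw]


def normalized_match(raw: str) -> list:
    """Signature hits after normalisation, plus a traversal verdict."""
    info = normalize_uri(raw)
    hits = [sig for sig in SIGNATURES if sig in info["resolved"]]
    if info["escapes_root"]:
        hits.append("directory traversal above web root")
    return hits


if __name__ == "__main__":
    for name, path in SAMPLE_PATHS.items():
        print(f"{name:26} raw={naive_match(path)} normalised={normalized_match(path)}")
```

The bound on decoding rounds matters in an inline device: an unbounded loop on attacker-controlled input is a denial-of-service path of its own, and three rounds already covers the double-encoding variants seen in practice. Keeping the traversal verdict separate from the signature list lets a plain request such as /index.html pass with no hit at all, which is the "zero false positives" property the mail is after.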

    -----Original Message-----
    From: Anderson, Mike [mailto:Mike_Anderson@centraltechnology.net]
    Sent: 20 November 2002 11:55
    To: 'Osaro.Osagie@alltelmd.com'; owner-issforum@iss.net
    Cc: issforum@iss.net
    Subject: RE: [ISSForum] INTRUSION DETECTION vs INTRUSION PREVENTION

    Look at Real Secure Guard, from ISS (formerly Black ICE Guard). It is a
    true "Intrusion Prevention" product from ISS.

    -----Original Message-----
    From: Osaro.Osagie@alltelmd.com [mailto:Osaro.Osagie@alltelmd.com]
    Sent: Tuesday, November 19, 2002 4:22 PM
    To: owner-issforum@iss.net
    Cc: issforum@iss.net
    Subject: [ISSForum] INTRUSION DETECTION vs INTRUSION PREVENTION

    My company is looking into intrusion prevention instead of ISS IDS. Does
    ISS have any plan to fully incorporate intrusion prevention into their
    architecture?
    We are currently looking into two companies --- OKENA.COM and FORESCOUT.COM
    Any thoughts on those two companies?

    Thanks
    Osaro Osagie
    CCSA, CCNA, CISSP
    ALLTEL Information Technology

    _______________________________________________
    ISSForum mailing list
    ISSForum@iss.net

    TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
    https://atla-mm1.iss.net/mailman/listinfo