Re: [ISN] Recent Gartner Report on IDS/IPS

From: InfoSec News (isnat_private)
Date: Tue Jun 17 2003 - 00:08:27 PDT

    Forwarded from: Russell Coker <russellat_private>
    
    Gary's posting had many good points, however there is one issue that I query:
    
    > An IPS, being in-line, does not have the indulgence of being able to
    > be highly sensitive to everything an IDS can. Since it is making the
    > decision to pass or not pass traffic, it has no room for
    > misjudgment. As such, that places severe limitations on its
    > ability to find things off-line analysis offers. In addition,
    > analysis is limited to what can be accomplished in fractions of a
    > second. There is no opportunity for *real* analysis and correlation.
    
    Why can't an IPS be configured to log certain operations instead of denying 
    them?  Surely any good security tool should have the following options:
    
    1)  Quietly deny (routine errors such as unwanted SMB broadcasts and attacks 
        that are much too popular such as that SQL Server worm).
    
    2)  Deny and log (things that we don't want and don't expect to happen often 
        or which we want to respond to).
    
    3)  Allow (regular traffic).
    
    4)  Allow and log (traffic that we are unsure about but are forced to 
        permit, and traffic that is routine but which is significant for auditing).
    
    As far as I am aware all firewalls have all four options, and I would
    expect all IPS systems to have them too.  Of course some products may
    fall short of my expectations, but that is only a problem with the
    implementations in question, not with the concept.
    
    Can't we think of an IPS as just an IDS with the option of blocking?  
    Therefore if you configure the IPS for options 3 and 4 only then it
    will be an IDS.
    
    
    -- 
    http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
    http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
    http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
    http://www.coker.com.au/~russell/  My home page
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
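The argument above, that an IPS is an IDS plus the option to block, can be shown with one rule set evaluated in two modes. The code below is an added illustration for this archive page, not code from the thread or from any product it discusses: it models the four dispositions (quiet deny, deny and log, allow, allow and log) as rules, runs constructed sample traffic through an inline engine, and then runs the same rules in a passive mode where every deny collapses to an allow while the rule's log flag is kept. The rule names, the port-based matches and the sample packets are all hypothetical; the "SQL Server worm" rule is just a stand-in for the post's example, not a real signature.

```python
"""Four-disposition traffic policy: the same rule set run as an IPS (inline,
may drop) or as an IDS (passive, observe only). Illustrative code written for
this archive page; it is not part of any product discussed in the thread."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]   # constructed packet summaries, not real captures

# The four options from the post, as (pass/drop decision, log?) pairs.
DENY_QUIET = ("deny", False)   # 1) quietly deny
DENY_LOG   = ("deny", True)    # 2) deny and log
ALLOW      = ("allow", False)  # 3) allow
ALLOW_LOG  = ("allow", True)   # 4) allow and log


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    disposition: Tuple[str, bool]


@dataclass
class PolicyEngine:
    rules: List[Rule]
    inline: bool = True                  # True: IPS; False: IDS (cannot drop)
    log: List[str] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """Return "allow" or "deny" for one packet; first matching rule wins."""
        name, (action, should_log) = "default", ALLOW
        for rule in self.rules:
            if rule.match(pkt):
                name, (action, should_log) = rule.name, rule.disposition
                break
        if not self.inline and action == "deny":
            # A passive sensor cannot drop anything: the deny collapses to
            # allow, keeping the rule's log flag (deny+log -> allow+log).
            action = "allow"
        if should_log:
            self.log.append(f"{name}: {action} {pkt['src']}->{pkt['dst']}"
                            f" {pkt['proto']}/{pkt['dport']}")
        return action


def build_rules() -> List[Rule]:
    """Hypothetical rule set mirroring the four examples in the post."""
    return [
        Rule("smb-broadcast",                       # routine noise
             lambda p: p["proto"] == "udp" and p["dport"] in (137, 138)
             and str(p["dst"]).endswith(".255"),
             DENY_QUIET),
        Rule("sql-resolution-worm",                 # constructed stand-in,
             lambda p: p["proto"] == "udp" and p["dport"] == 1434,  # not a real signature
             DENY_QUIET),
        Rule("inbound-telnet",                      # unexpected; want to respond
             lambda p: p["proto"] == "tcp" and p["dport"] == 23,
             DENY_LOG),
        Rule("ssh-admin",                           # permitted, but audited
             lambda p: p["proto"] == "tcp" and p["dport"] == 22,
             ALLOW_LOG),
        Rule("web",                                 # regular traffic
             lambda p: p["proto"] == "tcp" and p["dport"] in (80, 443),
             ALLOW),
    ]


# Constructed sample traffic (not captured data).
SAMPLE_TRAFFIC: List[Packet] = [
    {"src": "10.0.0.7",     "dst": "10.0.0.255", "proto": "udp", "dport": 137},
    {"src": "203.0.113.9",  "dst": "10.0.0.5",   "proto": "udp", "dport": 1434},
    {"src": "203.0.113.9",  "dst": "10.0.0.5",   "proto": "tcp", "dport": 23},
    {"src": "10.0.0.20",    "dst": "10.0.0.5",   "proto": "tcp", "dport": 22},
    {"src": "198.51.100.4", "dst": "10.0.0.5",   "proto": "tcp", "dport": 80},
]


def run(inline: bool) -> Tuple[List[str], List[str]]:
    """Evaluate the sample traffic in IPS (inline=True) or IDS mode."""
    engine = PolicyEngine(build_rules(), inline=inline)
    verdicts = [engine.evaluate(p) for p in SAMPLE_TRAFFIC]
    return verdicts, engine.log


if __name__ == "__main__":
    for mode in (True, False):
        verdicts, log = run(mode)
        print("IPS" if mode else "IDS", verdicts, log, sep="\n  ")
```

Running `run(False)` produces only allow verdicts, and the log is the same two entries the inline run produced (the telnet attempt and the audited SSH session), which is the post's claim that options 3 and 4 alone turn the device into an IDS. The one cost visible here is that traffic the inline engine quietly dropped (the SMB broadcast, the worm probe) is quietly passed in passive mode, so an operator who wants those events visible must promote the quiet-deny rules to deny-and-log before switching modes.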
    



    This archive was generated by hypermail 2b30 : Tue Jun 17 2003 - 02:26:33 PDT