> i know this list has been through the IDS pro/con discussion
> already, so we don't need to re-hash it, but i think we
> should clarify the differences between IDS and IPS.

I have actually been working on a white paper that aims to define the difference between IPS, IDS, and firewall. The paper is obviously biased, since I am basing it on my experience and expertise, but essentially my core definitions are:

IPSs:
- Perform some kind of analysis of communications and/or system behavior to identify dangerous or potentially dangerous activity or access.
- Include both rule and signature-based analysis techniques.
- Have the internal ability to *automatically* respond to identified threats with an active protection mechanism such as blocking the offending communications or preventing malicious code from running.
- Do not rely on a secondary device (like a firewall) to implement protection measures.
- Include a central alerting and reporting mechanism where administrators can control the protection/detection engine and analyze events.

IDSs:
- Perform some kind of analysis of communications and/or system behavior to identify dangerous or potentially dangerous activity or access.
- Include both rule and signature-based analysis techniques.
- Include an alerting and reporting mechanism where administrators can analyze events and control the detection engine.

Firewalls:
- Provide access control to a network or system.
- Include a rule-based system to prevent or allow access.

Essentially, an IPS is an IDS and a firewall mated together. An IPS can do both bulk access control and analyze for intrusions. Many technologies that claim to be IPS are really just feature-rich firewalls or response-capable IDSs. For example, some firewalls can actively respond to spoofed addresses or perform some application layer proxying and filtering. I still classify these as firewalls, but they are moving toward the IPS space. WatchGuard, for example, does an outstanding job with its SMTP, HTTP, and DNS proxies at filtering out a lot of nasty stuff.

Some IDSs are trying to be more IPS-like as well. For example, some IDSs claim they are an IPS because they can write OPSEC rules to a Checkpoint firewall. In my opinion, a true IPS has its own protection measures. It shouldn't rely on another product to protect.

Another misconception I am hearing recently is that behavior analysis is the only true IPS. Behavior analysis refers to monitoring system-level functions, such as kernel calls. I think behavior analysis is merely one variant of IPS. And it's not always a good one, as it tends to scale poorly and can totally miss network-based attacks that, for all purposes, look like legitimate system behavior. (Actually, behavior analysis and network analysis are due for convergence, soon.)

__________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
Enterprise Security & Infrastructure Solutions
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

> -----Original Message-----
> From: Justin Kurynny [mailto:justink@private]
> Sent: Tuesday, June 24, 2003 10:53 AM
> To: Andrew Plato; crime@private
> Subject: RE: CRIME IDS is dead says Gartner
>
> i haven't read the article, but i'll make a general comment
> anyway. there is a difference between IDS and IPS. if Gartner
> is only talking about IDS, i agree with the hypothesis that
> IDS is likely to go extinct. however, IPS apparently has
> value because it's actually doing something to actively fend
> off the attack in real time. [anyone feel free to jump in
> here if this statement exaggerates reality.]
>
> justin
>
> justin kurynny
> manager of network engineering
> waggener edstrom, inc.
>
> -----Original Message-----
> From: Andrew Plato [mailto:aplato@private]
> Sent: Monday, June 23, 2003 6:35 PM
> To: crime@private
>
> Some of you have probably seen this. It's been all over the
> news and elsewhere.
>
> http://www.informationweek.com/shared/printableArticle.jhtml?articleID=10300918
>
> ------------
>
> EXCERPT from article
>
> Intrusion-detection systems -- software that attempts to spot
> and report attacks against information systems -- will no longer
> be a defense in the information security pro's arsenal by
> 2005. That's the prediction coming out of research firm Gartner.
>
> "IDS as a security technology is going to disappear," says
> Richard Stiennon, a Gartner research director.
>
> Stiennon contends that organizations are going to so
> successfully harden their internal systems that the
> "burglar-alarm" service intrusion-detection systems provide
> will no longer be necessary. "Imagine a world where there are
> no intrusions," he says.
>
> ------------
>
> This is another example of some of the mis-information that
> is getting out there about IDS/IPS technologies. Hardening
> systems and using IPS are a great way to stop attacks. But
> without some kind of monitoring, you simply cannot be sure.
> This is like removing the camera from a bank because the bank
> buys a really nice vault and puts great locks on the front
> doors. While I would like to imagine a world where there are
> no intrusions, I don't think that world is coming any time soon.
>
> However, I am certain that without monitoring, you'd never
> know if there WAS an intrusion. Hence, there is a certain
> absurdist logic here: "We have no IDS, our systems work, so
> we must be safe." Riiiiight.
>
> Personally, I think Gartner's report is more a product of
> poor IDS implementation and management. In the rush to get an
> IDS, many organizations do not take the time or effort to
> properly integrate, tune, and manage the system. As such, the
> system produces a ton of alerts, which quickly get ignored.
>
> Also, while IPS has a place and I am a big advocate for it, the
> idea that IDS will disappear is absurd. Any decent "defense
> in depth" strategy must consider multiple points of
> monitoring and response. IDS is merely one piece of the
> puzzle. A valuable piece (when it's used properly).
>
> Anyway, Anitian published a response on our web site:
> http://www.anitian.com/corp/papers/Gartner%20Response.pdf
>
> Curious to hear other reactions.
>
> ___________________________________
> Andrew Plato, CISSP
> President / Principal Consultant
> Anitian Corporation
> Enterprise Security & Infrastructure Solutions
> 503-644-5656 Office
> 503-644-8574 Fax
> 503-201-0821 Mobile
> www.anitian.com
> ___________________________________
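The three definitions given in the message above (firewall = rule-based access control on headers only; IDS = content analysis plus alerting with no enforcement; IPS = the same analysis plus inline enforcement and access control, relying on no other device) can be made concrete with a small simulation. The following Python is an added illustration and is not code from the message, from Anitian's paper, or from any product named in the thread. The packets, the allowed-port policy, and the two signatures are constructed for the example; the point it shows is that the same content-analysis engine produces an alert in both the IDS and the IPS, but only the IPS stops the traffic, while the firewall lets the attack through because it arrives on an allowed port.

```python
"""Toy model of firewall vs. IDS vs. IPS, as distinguished in the thread.

All traffic, rules and signatures below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic: a normal request, a request on an allowed port
# carrying a known-bad pattern, and a connection to a port the policy forbids.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 23, b"login: root\r\n"),
]

# Firewall policy: pure access control, decided on header fields only.
ALLOW_PORTS = {80, 443}

# Detection signatures shared by IDS and IPS (both analyze content the same way).
SIGNATURES = {"dir-traversal": b"/../", "passwd-probe": b"/etc/passwd"}


def firewall(pkt):
    """Rule-based access control: allow or deny by destination port, no payload inspection."""
    return "allow" if pkt.dport in ALLOW_PORTS else "deny"


def analyze(pkt):
    """Signature analysis common to IDS and IPS; returns the names of matched signatures."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]


def ids(pkt, alerts):
    """Detect and alert only: the packet is always passed, enforcement is somebody else's job."""
    hits = analyze(pkt)
    if hits:
        alerts.append((pkt.src, pkt.dport, hits))
    return "pass"


def ips(pkt, alerts):
    """Detect, alert and enforce inline; also applies access control itself (IDS + firewall)."""
    if firewall(pkt) == "deny":          # bulk access control built in, no secondary device
        return "drop"
    hits = analyze(pkt)
    if hits:
        alerts.append((pkt.src, pkt.dport, hits))
        return "drop"                    # automatic protection on a match
    return "pass"


def run(traffic=SAMPLE_TRAFFIC):
    """Run every packet through each control; return per-packet outcomes and both alert logs."""
    ids_alerts, ips_alerts = [], []
    results = []
    for pkt in traffic:
        results.append({
            "firewall": firewall(pkt),
            "ids": ids(pkt, ids_alerts),
            "ips": ips(pkt, ips_alerts),
        })
    return results, ids_alerts, ips_alerts


if __name__ == "__main__":
    outcomes, ids_log, ips_log = run()
    for pkt, out in zip(SAMPLE_TRAFFIC, outcomes):
        print(f"{pkt.src}:{pkt.dport} -> {out}")
    print("IDS alerts:", ids_log)
    print("IPS alerts:", ips_log)
```

Run as a script it prints one line per packet: the traversal request on port 80 is allowed by the firewall, passed (but alerted on) by the IDS, and dropped by the IPS; the telnet attempt is denied by the firewall and dropped by the IPS, while the IDS, which sees nothing in its signatures, passes it silently. That last row is the monitoring gap the message's "defense in depth" argument is about: the access-control decision and the content analysis are independent, and a site that keeps only one of them has no record of what the other would have caught.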
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 12:16:29 PDT