IDS: RE: Can Of Worms - Attack Mitigation Systems vs. Network IPS

["Bob Walder" <bwalder () spamcop net>]

Joel,

One of the most sensible and well thought out responses to this type of
thread I have seen so far. Excellent explanation on where these types of
products fit, and why it is so difficult and dangerous to try and
pigeonhole them exactly.

Instead, potential purchasers need to define their requirements and then
examine products that provide the required functionality, instead of
just looking at all those products that now have the "IPS" box ticked on
their marketing literature.

An example of how difficult it is to categorise these things came out of
our latest IPS report (www.nss.co.uk/ips) where we were asked afterwards
by one person why the Top Layer device received NSS Approved status when
it performed so poorly in our signature coverage tests compared to the
likes of TippingPoint, NAI, ISS, etc. 

My reply was that it would have been very unfair to compare the Top
Layer device directly against products from those other vendors and thus
rate it poorly as an "IPS", since we would define it more as an "attack
mitigator" - thus when you look at what the product is DESIGNED to do,
it actually does it very well - hence we felt it deserved the NSS
Approved.

The poor old purchaser needs to become adept at reading between the
lines and seeing beyond those "vendor comparison" checklists that all
vendors are so fond of creating to show their products in the best
light. This market is still very immature and so there are still genuine
differences in the way these devices are architected, which means that
different products are more (or less) suitable for different
environments and tasks.

Our report attempts to explain that as much as possible but it remains a
difficult task, and will do until these devices are well established,
adopt a "generic" feature set that begins to look the same across all of
them, and start to become commodity items.... But don't be holding your
breath for that just yet... :o)

Regards,

Bob Walder
Director
The NSS Group




> > -----Original Message-----
> > From: Joel Snyder [mailto:Joel.Snyder () Opus1 COM] 
> > Sent: 30 January 2004 04:14
> > To: Andy Cuff; focus-ids () securityfocus com
> > Subject: Re: Can Of Worms - Attack Mitigation Systems vs. Network IPS
> >
> >
> > Hmmm.  Well, I just handed in a huge story to Network World, 
> > comparing 
> > 11 of these products, and I also divided them into "rate based" IPS 
> > (i.e., things which tend to not look at content very much) 
> > and "content 
> > based" IPS.
> >
> > The problem with those characterizations is that there are products 
> > which do a little of both. For example, Top Layer is an outstanding 
> > rate-based IPS, but it also does content-based IPS.  Tipping 
> > Point is an 
> > outstanding content-based IPS, but it also does rate-based 
> > IPS.  (These 
> > are not the only examples, just two which come to mine easily).  And 
> > BOTH types of IPS do the same protocol anomaly stuff---it is easy to 
> > detect malformed TCP packets and LAND attacks, no matter 
> > what your area 
> > of specialty.  So both content-based and rate-based are also 
> > anomaly-detecting.  (this is why calling content-based IPS 
> > "signature-based" IPS is very incorrect)
> >
> > I believe that, over time, the good IPS products will tend 
> > to include 
> > both technologies as they understand them better.
> >
> > It is also, I believe, a severe mis-characterization to call every 
> > content-based IPS an "IDS with the IPS bit set."  For example, Check 
> > Point's InterSpect IPS (a very content-oriented IPS) would 
> > never do as 
> > an IDS; it's just not in its heritage. The reason that this 
> > statement is 
> > made is that IDS companies are ideally suited to do 
> > content-based IPS, 
> > ergo there are many IPS which *are* IDS with IPS 
> > functionality added. 
> > ISS is the most obvious example which comes to mind.
> >
> > What will happen in the long run is IPS technology will be 
> > incorporated 
> > into all sorts of products.  I realize that there's a lot of 
> > incentive 
> > to try and pigeonhole products (Gartner specializes in that sort of 
> > destructive characterization), but it seems better to 
> > consider products 
> > against a 2-space or 3-space of features and functions and 
> > place them 
> > there: firewall-ish, or content-based IPS-ish, or rate-based 
> > IPS-ish, 
> > for example.  This way we avoid putting products where they 
> > don't belong 
> > or unfairly comparing products which aren't really designed with the 
> > same goals in mind.
> >
> > jms
> >
> >
> > Andy Cuff wrote:
> >
> > > Hi Folks,
> > > Please pardon the above pun but this is another of those IDS 
> > > terminology issues that I'd like to thrash out to 
> > understand what the 
> > > members of this list think.
> > >
> > > Intrusion Prevention Systems are certainly the current 
> > flavor of the 
> > > month, Gartner's death of IDS has added to the marketing 
> > fervor for 
> > > vendors to have an IPS in their stable of products.  But 
> > what products 
> > > fit into the category?  There seems to be an ever 
> > increasing number of 
> > > DOS/Attack Mitigation Systems that are labelling 
> > themselves as IPS, 
> > > therefore after some offlist consultation I'd like to see 
> > what list 
> > > members feel about this statement that was passed to me by a 
> > > kind-hearted individual last week
> > >
> > > The main definition between NIPS and Mitigators would be 
> > Mitigators 
> > > are designed to do one specific job - detect and mitigate against 
> > > DOS/DDOS attacks and bilateral effects of worm activity. NIPS are 
> > > designed to detect malicious traffic and drop the 
> > packet/stream. NIPS 
> > > are not always necessarily good at mitigating DOS/DDOS attacks. 
> > > Mitigators generally do not have the signature coverage to provide 
> > > good NIPS functionality. NIPS are like IDS but in-line. 
> > Mitigators are 
> > > like firewalls but designed to detect and prevent DOS 
> > attacks rather 
> > > than enforce policy.
> > >
> > > I have moved many of the attack mitigators from my list of IPS at 
> > > http://www.securitywizardry.com/inline.htm to a new Attack 
> > Mitigation 
> > > System page at 
> > http://www.securitywizardry.com/idsdosmit.htm >> of which 
> > > I 
> > currently have 12 products listed
> > > Thanks for any time you can devote to this cause.
> > >
> > > take care
> > > -andy
> > > Talisker Security Tools Directory http://www.securitywizardry.com
> > -------------------------------------------------------------
> > ---------
> > > -----
> > -------------------------------------------------------------
> > --------------
> > >
> > -- 
> > Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> > Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
> > jms () Opus1 COM    http://www.opus1.com/jms    Opus One
> >
> >
> > -------------------------------------------------------------
> > --------------
> > -------------------------------------------------------------
> > --------------


---------------------------------------------------------------------------
---------------------------------------------------------------------------