IDS: RE: IPS Futures

["Ed Donegan" <danceslikewhiteguy () hotmail com>]

I am curious how even wire speed IPS's analyze fragmented attacks without 
introducing network latency. Seems it would be a fairly fundamental problem 
for an inline network device.
> From: Joel M Snyder <Joel.Snyder () Opus1 COM>
> To: focus-ids () securityfocus com
> Subject: IPS Futures
> Date: Mon, 19 Jul 2004 09:40:45 -0700 (MST)
>
> In case anyone is interested in more fuel for the IPS fire, here is an 
> article
> that just came out in Information Security.  There are several editing 
> errors
> specifically related to product examples, but if you'll ignore those (e.g.,
> yes, I know that ForeScout is not host-based), the general concepts might 
> be of
> interest.
>
> ----
>
> Information Security Magazine
> July 2004
> Inflated Image
> Will intrusion prevention ever live up to its promise?
> BY JOEL SNYDER
>
> Intrusion prevention systems (IPSes) are being touted as the latest, 
> greatest
> savior of the network. And why not? Unlike signature-based intrusion 
> detection
> systems (IDSes), which passively examine traffic and trigger alerts based 
> on
> suspicious packets, IPSes perform intense application-layer inspection and
> actively block identified attacks. Where IDSes are good for
> after-you've-been-hacked forensic analysis, IPSes protect your digital 
> backside
> while an attack is in progress.
>
> That's what the marketing brochures say, anyway. The reality, 
> unfortunately,
> isn't quite so rosy. The state of the art in IPS is promising but immature 
> and
> incomplete. Characteristic of many emerging markets, there's little vendor
> agreement about what IPSes are, what they should do and where they should 
> live
> in the network. Some vendors pitch IPSes as perimeter-based devices 
> intended to
> replace firewalls. Others position them in front of or behind firewalls in 
> a
> belt-and-suspenders topology. Still others say IPSes should reside closer 
> to or
> on the host itself, preventing execution of anomalous kernel commands.
>
> On the enterprise front, the potential usefulness of IPSes is diluted by
> infrastructure complexity and the impracticality of deploying them deep 
> into
> the network core. IPSes work as advertised when placed inline on a network
> segment in which access control, authentication and authorization are 
> already
> carefully monitored and controlled. On large-scale, cross-platform networks
> where this isn't the case, an IPS approach to security is less useful.
>
> Given these realities, what's the future of IPS? In a word: hazy. Before I
> explore what that may mean to you, let's look a closer look at where we are
> today.
>  .....
>
> http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss426_art870,00.html
>
> jms
>
>
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
> jms () Opus1 COM    http://www.opus1.com/jms    Opus One
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from CORE
> IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
> learn more.
> --------------------------------------------------------------------------
_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------