IDS mailing list archives

Re: amount of alarms generated by IDS


From: nick black <dank () suburbanjihad net>
Date: Fri, 14 May 2004 10:31:13 +0000 (UTC)

On 2004-05-13, Wozny, Scott (US - New York) <swozny () deloitte com> wrote:

> Note:  I speak here for myself, not on behalf of Reflex Security.
>
> My 2 cents is that "IPS" is an interim product set we won't be seeing in
> a couple of years.  Inline IDS exists, it's just what you call your IPS
> when you don't configure it to drop anything and just log events.  :)

I must respectfully disagree, sir.  As the designer of an inline IPS
product (functionally equivalent to a Layer 2 bridge) capable of
dropping individual packets before they reach the target host, there's a
very substantial difference.  Even the most naive system equipped in
such a way can defend hosts against known exploits used in a simplistic
fashion.  More advanced analysis based on simulation of victim state can
proactively defend against unknown exploit code given a description of
the vulnerability, as opposed to exploitation tools.  Is this easily
implemented or trusted?  No, but possible (within the limits of
classical decidability).  Is it any more difficult to trust than your
legion of IT staffers who swear they've patched each system?  Perhaps not.
Will your IPS possibly save the day once or twice?  It's quite within
the realm of events.  The IDS?  Not without your involvement, often too late.

> While the anomaly component of IDS is an interesting I don't know any
> network managers that would be willing to start dropping packets just
> because the pattern of their traffic is different today compared to what
> it was yesterday.  So some of the IPS signatures are no losers as long

If you noticed the network getting sluggish, and then noticed a
particular host happened to be providing a deluge of runt or otherwise 
corrupted Ethernet packets, would you not remove the machine from your
network -- because the pattern of traffic was different?  If you're
seeing gigabytes of data on an unused port known to be frequented by the
worm du jour, do you not perhaps filter the port?  All such
reactive measures are, to one degree or another, based on inferences
drawn from changes in patterns.  We react to the change by determining
if it is a negative one, our confidence regarding this conclusion, and
the possible side effects of remedy.  Sometimes, even network managers
will make mistakes -- it's the unfortunate reality of a nebulous problem
space, or as Ptacek and Newsham immortalized, "a game where men throw
ducks at balloons, and nothing is as it seems."  I know of no systems
which advocate large-scale filtering based on behavioral outliers
anything short of catastrophic.  Our use of stochastic models such as
these is but one factor in the total decision to filter.

Your ending comparison of IPS and firewalls seems largely an issue of
semantics and business acumen.  I see no difference, save common usage
with regard to scope of analysis.

-- 
nick black <dank () reflexsecurity com>
"np:  nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo
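The decision described above, where an anomaly score is only one factor in the total decision to filter and a behavioural outlier alone triggers a drop only when it is catastrophic, sketched as an added Python example; it is not code from this thread or from Reflex Security, and the hosts, malformed-frame counts, thresholds and signature flag are constructed assumptions.

```python
import statistics
from dataclasses import dataclass

# Constructed sample data (hypothetical): per-host counts of runt or otherwise
# corrupted Ethernet frames seen in eight earlier one-minute windows, and the
# count seen in the current window.
BASELINE_RUNTS = {
    "10.0.0.5": [2, 3, 1, 4, 2, 3, 2, 3],
    "10.0.0.9": [0, 1, 0, 0, 1, 0, 1, 0],
}
CURRENT_RUNTS = {"10.0.0.5": 5, "10.0.0.9": 4800}


@dataclass
class Verdict:
    action: str        # "drop", "alert" or "pass"
    confidence: float  # how sure the engine is that the change is negative
    reason: str


def anomaly_score(history, current):
    """z-score of the current count against the host's own history."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history) or 1.0  # constant history: avoid divide by zero
    return (current - mean) / sd


def decide(host, current, history, signature_hit=False,
           catastrophic_z=50.0, min_drop_count=1000, alert_z=5.0):
    """Combine a signature match with the anomaly score into one filter verdict.

    A known-exploit signature is trusted on its own.  The stochastic outlier
    only causes a drop when it is both far outside the baseline and large in
    absolute terms; a mere change in pattern is logged, not filtered.
    """
    z = anomaly_score(history, current)
    if signature_hit:
        return Verdict("drop", 0.95, f"{host}: known-exploit signature matched")
    if z >= catastrophic_z and current >= min_drop_count:
        return Verdict("drop", 0.8, f"{host}: catastrophic outlier (z={z:.0f})")
    if z >= alert_z:
        return Verdict("alert", 0.5, f"{host}: outlier (z={z:.1f}), log only")
    return Verdict("pass", 0.0, f"{host}: within baseline")


if __name__ == "__main__":
    for host, count in CURRENT_RUNTS.items():
        print(decide(host, count, BASELINE_RUNTS[host]))
```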

