IDS mailing list archives

Re: IPS, alternative solutions


From: Justin.Ross () signalsolutionsinc com
Date: Thu, 30 Sep 2004 10:51:37 -0700

I actually somewhat disagree with the statement "its great for small mum 
and dad networks, but for large financial networks with billions of pounds 
flowing across them...".

I think an IPS really shines when deployed in a service provider model and, 
assuming that the IPS engineer can write effective signatures, IPSs can 
protect even the largest networks (we had a class B) and do so against even 
the newest vulnerability. They can be deployed in failover and load 
balancing solutions, and they're actually pretty fast when they aren't 
weighed down with thousands of signatures. 

A previous government agency I worked with deployed an IPS at their 
perimeter. It blocked hundreds of thousands of attacks per day, but it 
didn't block ports or services. As a service provider I can't tell you how 
important this was. We could block Kazaa regardless of which port it used. 
We could block "cmd.exe" in all http traffic, we could block blank SQL 
passwords, we could block telnet root log-on attempts, etc. In the past, 
any system coming up on the network would be infected with nimda almost 
immediately. I couldn't go yell at our government customers for not 
securing their boxes and even if I did, nothing would change anyway 
(welcome to government).

In a service provider model, we couldn't go to the customer and force them 
to do anything. I couldn't tell them what they could or couldn't have as 
services, but I could say "I'm sorry, but accounts with a blank SQL 
password cannot be accessed remotely." I could say "I'm sorry, but Kazaa 
is against our acceptable use policy and will be blocked", etc. I didn't 
have to say "I'm sorry, you cannot use port 80 now because Kazaa uses that 
port"; I could say "I'm sorry, but nimda is never allowed into our 
network from an external network". This provided me a very dynamic 
solution to protecting our networks, without hindering the individual 
agencies' business needs. 

While vulnerabilities can be mitigated at almost all levels, such as 
people following good infosec policies or properly following OS 
hardening/patching guidelines, etc., in some scenarios it just doesn't 
happen, and when it doesn't, an IPS is a great tool to have in your arsenal. 
Is it a magic bullet? No. Can someone show me one thing in information 
security that is?

I personally feel the IPS was worth every cent and an excellent solution 
in our position, and I think a large majority of our customers would agree. 
I would advise any service provider to look closely at it as a viable 
solution to defending their customers' networks without interfering with 
their customers' access needs.

Just my 0.02

-J
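The point of Justin's post is that a content signature fires on what is in the payload, not on which port it arrives on, so a provider can drop "cmd.exe in an HTTP request" or "Kazaa wherever it appears" without turning off port 80. The following is an added example, not the poster's code and not any product's rule language: a toy content-signature matcher in Python with a few constructed flows (RFC 5737 test addresses). The Nimda request lines are the well-known `/scripts/root.exe?/c+` and `/c/winnt/system32/cmd.exe?/c+` probes; the `X-Kazaa-` HTTP header used to spot the client is an assumption about that client's traffic, as is the simplified telnet stream. The last sample flow shows the false positive that the "billions of pounds" objection is about.

```python
"""Toy content-signature matcher (added example, not the poster's code).

Each signature is a regex over the raw payload.  A signature with an empty
port set is port-independent: it fires on any port, which is how "block
Kazaa regardless of which port it used" works without blocking port 80.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern            # compiled regex over the payload bytes
    ports: frozenset = frozenset() # empty set = match on any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    payload: bytes                 # reassembled stream, client->server bytes first


SIGNATURES = [
    # Any HTTP request line naming cmd.exe, on any port.
    Signature("cmd.exe in HTTP request",
              re.compile(rb"^(GET|POST|HEAD) [^\r\n]*cmd\.exe", re.I)),
    # Nimda-style traversal probes: /scripts/root.exe?/c+dir, /c/winnt/system32/cmd.exe?/c+dir
    Signature("Nimda-style traversal to root.exe/cmd.exe",
              re.compile(rb"^GET /(scripts|c|d)/[^\r\n]*(root|cmd)\.exe\?/c\+", re.I)),
    # Kazaa client identified by its own HTTP header (assumption: header name
    # starts with "X-Kazaa-").  No port set, so it is caught on 80 and 1214 alike.
    Signature("Kazaa client (any port)",
              re.compile(rb"(?m)^X-Kazaa-[A-Za-z]+:")),
    # Telnet root login attempt, scoped to port 23 to illustrate a port-bound rule.
    Signature("telnet root login attempt",
              re.compile(rb"login:\s*root\r?\n"), ports=frozenset({23})),
]


def inspect(flow: Flow, signatures=SIGNATURES) -> list[str]:
    """Return the names of every signature the flow triggers."""
    hits = []
    for sig in signatures:
        if sig.ports and flow.dst_port not in sig.ports:
            continue           # port-scoped rule, wrong port: skip
        if sig.pattern.search(flow.payload):
            hits.append(sig.name)
    return hits


def verdict(flow: Flow) -> str:
    """Inline IPS decision: any hit drops the flow, otherwise it passes."""
    return "drop" if inspect(flow) else "pass"


# Constructed sample flows (not captured traffic).
KAZAA_REQ = (b"GET /.hash=0123abcd HTTP/1.1\r\nHost: 10.0.0.5\r\n"
             b"X-Kazaa-Username: bob\r\n\r\n")
SAMPLE_FLOWS = {
    "nimda_probe_80":    Flow("198.51.100.7", 80,
                              b"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    "legit_http_80":     Flow("198.51.100.8", 80,
                              b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "kazaa_on_80":       Flow("198.51.100.9", 80, KAZAA_REQ),
    "kazaa_on_1214":     Flow("198.51.100.9", 1214, KAZAA_REQ),
    "telnet_root_23":    Flow("198.51.100.10", 23, b"login: root\r\n"),
    "telnet_bytes_on_80": Flow("198.51.100.10", 80, b"login: root\r\n"),
    # Legitimate page whose URL merely mentions cmd.exe: the signature still
    # drops it.  This is the false-positive cost of content blocking.
    "false_positive_80": Flow("198.51.100.11", 80,
                              b"GET /kb/cmd.exe-options.html HTTP/1.1\r\n"
                              b"Host: docs.example.com\r\n\r\n"),
}


def run_samples() -> dict[str, str]:
    """Verdict for every constructed sample flow, keyed by sample name."""
    return {name: verdict(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:20s} port {flow.dst_port:5d} -> {verdict(flow):4s} {inspect(flow)}")
```

Port 80 stays open throughout: the Nimda probe and the Kazaa session on port 80 are dropped while the ordinary page fetch on the same port passes, and the Kazaa session is dropped again on 1214 without a second rule. The `telnet_bytes_on_80` flow passes only because that one rule was deliberately bound to port 23; drop the `ports=` argument and it becomes port-independent too. The `false_positive_80` flow is the caveat: a content rule has no idea whether `cmd.exe` in a URL is an attack or a knowledge-base article, which is why signature quality, not raw throughput, decides whether such a box can sit in front of a large network.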






So far there has been a load of talk discussing which is the better 
technology. Personally I don't think IPS is ready for the big time. Yeah, 
it's great for small mum and dad networks, but for large financial networks 
with billions of pounds flowing across them, would you trust a technology 
to think and block what it sees as bad traffic?

So what are the alternatives?
I'd say more host based protection such as:

- Stack protection
- Application level firewalls (ModSecurity/SecureIIS)
- Host based firewalls

I'm interested to see what everyone else feels are alternatives to IPS


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------