IPS and Context, someone finally agrees.

I just found a great discussion on IPS that worked its way through several blogs I read. I am a little late in posting, but I think this is a very interesting topic, and one that points out what I have thought for a while. Christopher Hoff, Alan Shimel, Mike Rothman and Richard Stiennon have all expressed opinions regarding IPS / UTM technologies as part of this discussion. Alan's post, Are IDS/IPS's becoming the next birds, is where this started, I think. I am not going to re-hash the discussions; it's worth the time to read them yourself. I am going to expand on Chris' comments on context.

“When I go out on the road to speak and address large audiences of folks who manage security, most relay the fact that most of them simply do not trust IPS devices with automated full blocking turned on. Why? Because they lack context.”

Yes!!! Thank You!!! I don't see this changing as IPS becomes more commoditized, i.e. embedded in switches, UTMs, etc.

“While integrated VA/VM and passive/active scanning adds to the data collected, is that really actionable intelligence? Can these devices really make reasonable judgements as to the righteousness of the data they see?”

I do not think adding vulnerability or scan data by itself gives you actionable intelligence. I do think that, if used properly, that data can reduce your false positives, allowing you to concentrate on the alerts that are valid potential threats. Chris goes on to say:

“Telling me about flows across my network IS, I admit, mildly interesting, but without the fast-packet cracking capabilities to send flow data *including* content, it’s not very worthwhile..”

While I will say flow data is more than mildly interesting, this is true context, and you will not get it with sFlow / NetFlow without overloading the switch / router. An inline IPS at the gateway, or the firewall itself, is in a good vantage point to collect this information, and it shouldn't overload them. Let's say my IPS blocks a packet from 1.2.3.4 because of multiple failed POP3 logins. By itself it will probably not draw a lot of attention. It happens; people forget their email password. Maybe the signature is too tight and has known false positive issues, so it gets ignored. In a system that provides true context you would be able to instantly look at all of the other traffic from / to that IP address. So now you see that over the past 2 weeks this same IP has sent SYN packets to all of your ports below 1024, has tried to connect to your SSH port on the border router (which you forgot to filter) over 100 times, and has a ton of dropped invalid packets to your IPSec VPN.
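To make the two points above concrete (vulnerability data used to deprioritize alerts against hosts that are not exposed, and flow history used to give a single blocked packet its context), here is an added worked example. It is not code from this post or from any IPS product; the alert, the vulnerability data, the host addresses, the flow records and the escalation thresholds are all constructed for illustration, following the POP3 / port sweep / SSH / IPsec story in the paragraph above.

```python
"""Added example: enriching one IPS alert with vulnerability data and with
two weeks of flow history from the same source address.

Everything here is constructed sample data; addresses, signature names and
thresholds are assumptions, not values from the post or from a real product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str    # "tcp", "udp", ...
    flags: str    # TCP flags as seen by the sensor; "S" = bare SYN, "" for non-TCP
    action: str   # "allow", "block", or "drop-invalid" (malformed packet dropped)


NOW = datetime(2007, 3, 14, 10, 5)          # constructed "current time"
BORDER_ROUTER = "10.0.0.1"                  # assumed border router address
VPN_GATEWAY = "10.0.0.2"                    # assumed IPsec VPN endpoint
MAIL_SERVER = "10.0.0.25"                   # assumed POP3 server

# The alert the post describes: a block on repeated POP3 login failures.
ALERT = {"ts": NOW, "src": "1.2.3.4", "dst": MAIL_SERVER, "dport": 110,
         "sig": "POP3 multiple failed logins", "action": "block"}

# Constructed VA/VM output: which weakness classes each host actually has.
VULN_DATA = {MAIL_SERVER: {"pop3-weak-auth"}, "10.0.0.26": set()}
# Signatures that only matter when the target really has the weakness.
SIG_REQUIRES = {"POP3 multiple failed logins": "pop3-weak-auth"}

# Assumed escalation thresholds for the context indicators.
THRESHOLDS = {"syn_low_ports": 100, "ssh_border_attempts": 50, "ipsec_invalid_drops": 50}


def build_sample_flows():
    """Constructed two weeks of flow records mirroring the post's scenario."""
    bad, flows = "1.2.3.4", []
    # SYN sweep of every port below 1024 on the mail server, 13 days ago
    for port in range(1, 1024):
        flows.append(Flow(NOW - timedelta(days=13, minutes=port), bad, MAIL_SERVER, port, "tcp", "S", "block"))
    # 120 SSH connection attempts to the unfiltered border router, a week ago
    for i in range(120):
        flows.append(Flow(NOW - timedelta(days=7, minutes=i), bad, BORDER_ROUTER, 22, "tcp", "S", "allow"))
    # 300 malformed IKE packets (udp/500) dropped by the VPN gateway, 2 days ago
    for i in range(300):
        flows.append(Flow(NOW - timedelta(days=2, seconds=i), bad, VPN_GATEWAY, 500, "udp", "", "drop-invalid"))
    # the POP3 login attempts that triggered the alert itself
    for i in range(6):
        flows.append(Flow(NOW - timedelta(minutes=6 - i), bad, MAIL_SERVER, 110, "tcp", "PA", "allow"))
    # noise: another client checking mail, and an old event outside the window
    flows.append(Flow(NOW - timedelta(hours=1), "5.6.7.8", MAIL_SERVER, 110, "tcp", "PA", "allow"))
    flows.append(Flow(NOW - timedelta(days=40), bad, BORDER_ROUTER, 22, "tcp", "S", "allow"))
    return flows


def target_is_exposed(alert, vuln_data, sig_requires):
    """False only when scan data shows the target lacks what the signature needs."""
    needed = sig_requires.get(alert["sig"])
    if needed is None:
        return True   # signature not tied to a host condition; cannot rule it out
    return needed in vuln_data.get(alert["dst"], set())


def context_for(src, flows, now=NOW, window=timedelta(days=14)):
    """Summarise everything the sensor saw from `src` inside the look-back window."""
    since = now - window
    recent = [f for f in flows if f.src == src and since <= f.ts <= now]
    syn_ports = {f.dport for f in recent if f.proto == "tcp" and f.flags == "S" and f.dport < 1024}
    return {
        "flows": len(recent),
        "syn_low_ports": len(syn_ports),
        "ssh_border_attempts": sum(1 for f in recent if f.dst == BORDER_ROUTER and f.dport == 22),
        "ipsec_invalid_drops": sum(1 for f in recent if f.dst == VPN_GATEWAY and f.action == "drop-invalid"),
    }


def triage(alert, flows, vuln_data=VULN_DATA, sig_requires=SIG_REQUIRES, now=NOW):
    """Combine the vulnerability check and the flow context into one verdict."""
    if not target_is_exposed(alert, vuln_data, sig_requires):
        return {"verdict": "deprioritize", "reason": "target not vulnerable", "context": None}
    ctx = context_for(alert["src"], flows, now)
    reasons = [name for name, limit in THRESHOLDS.items() if ctx[name] >= limit]
    return {"verdict": "escalate" if reasons else "low",
            "reason": ", ".join(reasons) or "isolated event",
            "context": ctx}


if __name__ == "__main__":
    print(triage(ALERT, build_sample_flows()))
```

The same POP3 alert against a host whose scan data lacks the weakness is deprioritized before any history lookup, while the alert against the exposed mail server is escalated because the source's two-week history shows the sweep, the SSH attempts and the dropped IPsec packets. The look-back scan over an in-memory list is exactly the part that becomes the "data wall" problem at scale, which the next paragraph discusses.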

I would say that makes for actionable intelligence, but at a price. Think about the size / speed of the database that would be required to store that much packet / flow information for a reasonable amount of time. Add to that the ability to run queries on specific IPs while still maintaining a solid insertion rate. That's a lot of juice unless you have a spare Oracle cluster around somewhere :) During my tenure as CTO at NitroSecurity I often heard this referred to as the "Data Wall". The main reason I went to work for them was that their approach is centered on the handling of security data.

It’s great to see someone else verbalize the need for context with respect to security alerts.

–Chris

This post was written by:

Chris Harrington - who has written 153 posts on InfoSecPodcast.com.
