IPS!! Intrusion prevention systems

[blackart]

hey fellows

jus read a paper on the new IPS ie intrusion prevention systems. how practical are they??
how good are they??

as the white paper said it was a better chioce than teh conventional intrusion detection systems.
lemme know some of ur thoughts?? i guess that should the opt today in the networks today

[thehorse13]

You may want to read this existing thread. I think it covers what you are after.
http://www.antionline.com/showthread...hreadid=221668
Hope this helps.

[souleman]

From what I have read, it seems like nothing more then a company trying to make a new buzz word. Basically just an IDS and a firewall combined in one product. Maybe there is more to it then that, but thats the feeling that I have gotten from what I have seen.

[thehorse13]

When I think of "IPS" I think of a traditional IDS system with the ability to take action against a live attack. As we know, when an IDS is triggered, there has been an attack and you are being made aware of a comprimise but when an IPS is triggered, it has taken some pre-defined steps to thwart the attack.

Anyway, that's how I categorize the two.

[tonybradley]

I agree with that differentiation between IDS and IPS. Here is a quote from SecureWorks who claim to have "pioneered" IPS:

The heart of SecureWorks' Intrusion Prevention Service is our ability to prevent malicious network attacks. Traditional Internet security services are reactive and merely detect attacks, notifying the network administrator after the damage has already been done.

While I agree that one could argue that its semantics or just a buzzword I think that it represents a logical next step in the evolution of the technology. If I can have my "IDS" not only alert me but also protect the network by initiating proactive measures to block an attack I would rather have that over the simple alert notification.

[tampabay420]

so could this be easily done by dropping the malicous packets/data?
are we going to see IPS kernel patches, etc... anytime soon?

-that would be kind of neat...

[off subject]
btw- tonybradley, sorry about being harsh earlier about the spam...
you seem like an OK fella! c-ya around
[/off subject]

[thehorse13]

Good post Tony,

Let me play Devil's advocate for one moment on this topic.

I did a proof of concept with IPS systems for a very large facility (10,000 + users). The network architecture included hundreds of routers, switches and a handfull of firewalls. Now, Cisco makes IDS/IPS products and since we tend to lean towards their products, we picked the 4250 series IDS/IPS appliance for our test.

THE RESULTS
=====================
Since I know the canned countermeasures that the IPS will perform (easily obtained from Cisco), I can actually cause a DOS attack using the organization's IDS/IPS system. Since about 75% of all attacks come from inside your firewall, you can imagine what one can do to routers when tripping the IPS. In my case, the IPS noted that it sensed an attack, wrote it to the log and it pushed out changes to some core routers to fend off the attack. The changes shutdown web access. In the end, I had to manually go back and reset the rules on all the routers to restore internet connectivity.

Now with carefully designed organizational procedures, the downtime will be minimal. I just like to cover every angle as it really sucks to be nailed with scenarios like this from top management and not have a suitable response ready.

Anyway, hope this helps out!

[Tiger Shark]

There is a product out there called ForeScout that is an IPS that works in a slightly different way which you may find of interest.

The way it works is that it sits monitoring the incoming traffic outside the firewall looking specifically for the reconnaisance phase of an attack. What it then does is send false information back to the attacker and logs the attacker and the kind of information it sent back. It then sits and watches any contact with the "services" it had misrepresented. Since the "services" don't exist they can _only_ be as a result of the attackers reconnaisance and therefore can only be an attempt at further reconnaisance or an exploit itself. Thus it resets the connections and can call a Checkpoint, (I believe), firewall and block the offending IP.

You will note that at no time does it rely upon attack signatures bit more interestingly on reconnaisance signatures. It's response is entirely dependant upon the misinformation gleaned by the reconnaisance therefore technically is a proper defense against zero-day exploits and well known ones.

I have read more deeply about it and spoken with one of their reps. I do not know how well it works nor do I really wish to experiment with it..... Just thought you might like to know it's there and it is technically viable protection.

[thehorse13]

Yeah, I have seen appliances that respond exactly the way you have described. I should have noted that you can setup the Cisco appliance to operate in this mode too. Unfortunately, you will need two of them should you want to filter internal and external traffic. Good info Tiger!

[Noia]

Isn't IPS just a fancy way of saying Firewall? any how...it can't be much more than either a firewall or an IDS with an Automatic IP Block function.....hmm...might be a system hardener though..I dono...too late to Google it now...going to bed... I'll look over ittomorow If I get time.

- Noia