IDS%20vs.%20IPS:%20Which%20is%20better?

1
IDS vs. IPS Which is better?

• www.SearchSecurity.com
• TechTarget.com
• Edward P Yakabovicz, CISSP

2
IDS and IPS

• IDS
• Passive Out of band
• These devices can monitor and analyze events that
  occur on a network or system, thus looking for
  intrusion attempts based on signatures or
  patterns.
• IDS requires careful tuning to network conditions
  to be effective, otherwise false positives are
  too high to make the system useful.

3
IDS and IPS (cont.)

• IPS
• IPS can provide more accurate alerts.
• IPS uses multi-method detection.
• False Positive may unnecessarily suspend a
  connection and therefore block legal traffic
  immediately.
• Gartner This real-time response which registers
  attacks as legitimate events, even if those
  attacks have no bearing on the network, could be
  too disruptive to operations. (Ratzlaff)

4
IDS and IPS (cont)

• IPS can identify that an intrusion has taken
  place and is able to provide the intruder's IP
  address. Network administrators still have to
  investigate the attack, determine how it occurred
  and correct the problem.
• One of the reasons against aggregating all the
  network security in one box is that it
  contradicts the "defense-in-depth" or
  security-in-layers concept, thus failure in one
  area could mean a failure of the entire internal
  network.
• IPS Fine Tuning and Network Tuning is more
  complex than IDS.
• Point The cost of shutting down a connection due
  to false positives would cause more problems than
  it solves. IDS is the better bet.

5
InfoWorld

• In simple terms, IDS may be perfectly suited for
  network attack monitoring and for alerting
  administrators of emerging threats. But its
  speed, performance and passive limitations have
  opened the door for IPS to challenge it as the
  proactive defense weapon of choice.
• http//www.infoworld.com/article/03/04/04/14ips-sb
  _1.html, April 04, 2003

6
Gartner forecast on IDS

• Gartner, Inc. released a document authored by
  Richard Stiennon entitled, "Intrusion Detection
  Is Dead - Long Live Intrusion Prevention.
• I believe this to be wrong for the following
  reasons

7
Reasons IDS still works

• Product or technology life cycle methodology as
  been proven for years (beginning, middle, end,
  start over) for IPS has just begun.
• COST Maybe the larger corporations have
  the money to throw away 100,000 or more in
  current IDS technology, but who else can ?
• IDS still provides a service.
• IDS can be fine turned to work and product proper
  reporting.
• This statement appears to show that now even
  Gartner has succumbed to marketing hype
• (IDS v. IPS Commentary, By Gary Golomb, Posted
  By Eric Lubow, 6/16/2003 901 )

8
Difference between IDS and other devices

• The main difference between an IDS and other
  security devices is the fact that it's
  out-of-band, or passive, in nature. It passively
  watches all traffic looking for SIGNS of attacks,
  compromise or other misuse. The key benefit to
  being out-of-band is that you have the ability to
  flag traffic that looks even the slightest bit
  "suspicious, while NOT being detected!

9
What about virus protection?

• IPS would have to be fine tuned to block virus or
  malicious code attacks. Thinking down this path
  may lead to similar -- if not more -- false
  positives. IPS will shut down connections, while
  IDS will detect and report.

10
Looking for the Holy Grail of security

• Security professionals are constantly looking
  for the "holy grail" of security products. They
  have bought firewalls, vulnerability assessment
  tools and intrusion-detection systems (IDS),
  hoping to find the ultimate security tool. The
  truth is much more difficult - security is an
  ongoing process that involves multiple layers of
  protection.
• http//www.lucidsecurity.com/whitepapers.php

11
What about Code Red and IDS?

• A good intrusion-detection system (IDS) could
  have mitigated the attack on Client Company, but
  probably would not have stopped it. This type of
  system would have alerted system engineers at the
  outset of the attack, and they could have then
  taken proactive and reactive steps to stop the
  infection however, with the speed at which Code
  Red spread it is hard to imagine effectively
  combating this worm through a hurried, manual
  patching process.
• http//www.lucidsecurity.com/whitepapers.php

12
What about Code Red and IPS

• Intrusion-prevention systems (IPS) that can
  intelligently block incoming exploits could have
  drastically altered the effect of Code Red at
  Client Company. Depending on the speed of the
  IPS, it could have been possible to stop the
  infection entirely. When used in combination with
  strictly controlled firewalls, standardized
  network policies and a good notification system,
  intrusion prevention engines significantly narrow
  the window of opportunity for crackers.
• http//www.lucidsecurity.com/whitepapers.php

13
Market Growth

• Infonetics Research has predicted that the IDS
  market will grow 43 to 149m by this time next
  year.
• The market watcher believes that annual IDS
  revenue will hit 1.1bn by 2006, a compound
  annual growth rate of almost one third.
• Infonetics reported that the IDS/IPS market is
  currently experiencing disruptive technology
  shifts. Although growth will continue during
  2003, the market will only really take off in
  2004.
• http//uk.news.yahoo.com/030905/175/e7mg3.html

14
Industry Statements

• This whole argument (that Gartner started with
  an incomplete and not real world report) is like
  saying that human guards will be replaced by
  cameras, because it is cheaper to run a camera.
  Course someone has to look at the output from a
  camera, but who's counting. Camera's are good and
  guards are good, but together they make for
  tighter security. Steven T. Carey
• http//archives.neohapsis.com/archives/sf/ids/2003
  -q2/0293.html

15
Industry Statements II

• If we are not careful installing and configuring
  IPS, we will just give attackers more tools to
  allow them to DoS us. Trust is quite difficult
  with current network infrastructure and protocols
  where everything can be forged... (we still use
  IPv4 most of the time to communicate, there are
  no reliable audit traces to feed even the perfect
  IPS). Omar Herrera
• http//www.derkeiler.com/Mailing-Lists/securityfoc
  us/focus-ids/2003-06/0167.html

16
Industry Statements III

• That is what upsets me the most about incidents
  like this. Because of the long history Gartner
  has with industry reporting, their documents
  carry a lot of weight for many organizations.
  Although, this recent track record of negligence
  is disturbing to say the least.
• Gary GolombSenior Research EngineerDragon
  Intrusion Detection GroupEnterasys Networks

17
Conclusion

• IPS may be superior, but again, the lifecycle of
  technology in general must be considered for it
  is critical.
• Factors cost, setup, tuning (more than IDS), and
  version 1 or 1st generation.
• Industry agrees Could have stopped Code Red and
  others, but will take time to implement and fully
  understand.

18
Questions?

• Submit your questions to Ed by clicking on the
  Ask a Question link on the lower left corner of
  the screen.

19
References

• http//www.linuxsecurity.com/articles/forums_artic
  le-7476.html
• http//www.nwc.com/1411/1411colshipley.html
• http//searchsecurity.techtarget.com/originalConte
  nt/0,289142,sid14_gci905961,00.html
• http//www.ncs.com.sg/media/clippings_2003/apr_03/
  apr03_acw_ids.asp
• http//www.derkeiler.com/Mailing-Lists/securityfoc
  us/focus-ids/2003-06/0167.html
• http//archives.neohapsis.com/archives/sf/ids/2003
  -q2/0293.html
• http//www.lucidsecurity.com/whitepapers.php
• http//www.infoworld.com/article/03/04/04/14ips-sb
  _1.html, April 04, 2003

20
Thank you
Thank you for participating in this
SearchSecurity.com on-demand webcast. If you have
comments or suggestions for future webcasts,
e-mail the editor at webcast_at_searchSecurity.com.