IDS vs. IPS: Which is better? - PowerPoint PPT Presentation

About This Presentation
Title:

IDS vs. IPS: Which is better?

Description:

I believe this to be wrong for the following reasons: IDS and IPS. Reasons IDS still works ... http://uk.news.yahoo.com/030905/175/e7mg3.html. IDS and IPS ... – PowerPoint PPT presentation

Slides: 21
Provided by: EPY

Transcript and Presenter's Notes



1
IDS vs. IPS Which is better?
  • www.SearchSecurity.com
  • TechTarget.com
  • Edward P Yakabovicz, CISSP

2
IDS and IPS
  • IDS
  • Passive, out-of-band
  • These devices can monitor and analyze events that
    occur on a network or system, thus looking for
    intrusion attempts based on signatures or
    patterns.
  • IDS requires careful tuning to network conditions
    to be effective, otherwise false positives are
    too high to make the system useful.

3
IDS and IPS (cont.)
  • IPS
  • IPS can provide more accurate alerts.
  • IPS uses multi-method detection.
  • A false positive may unnecessarily suspend a
    connection and therefore immediately block
    legitimate traffic.
  • Gartner: "This real-time response, which registers
    attacks as legitimate events, even if those
    attacks have no bearing on the network, could be
    too disruptive to operations." (Ratzlaff)

4
IDS and IPS (cont)
  • IPS can identify that an intrusion has taken
    place and is able to provide the intruder's IP
    address. Network administrators still have to
    investigate the attack, determine how it occurred
    and correct the problem.
  • One of the reasons against aggregating all the
    network security in one box is that it
    contradicts the "defense-in-depth" or
    security-in-layers concept, thus failure in one
    area could mean a failure of the entire internal
    network.
  • IPS fine-tuning and network tuning are more
    complex than for IDS.
  • Point: The cost of shutting down a connection due
    to false positives would cause more problems than
    it solves. IDS is the better bet.

5
InfoWorld
  • In simple terms, IDS may be perfectly suited for
    network attack monitoring and for alerting
    administrators of emerging threats. But its
    speed, performance and passive limitations have
    opened the door for IPS to challenge it as the
    proactive defense weapon of choice.
  • http://www.infoworld.com/article/03/04/04/14ips-sb
    _1.html, April 04, 2003

6
Gartner forecast on IDS
  • Gartner, Inc. released a document authored by
    Richard Stiennon entitled "Intrusion Detection
    Is Dead - Long Live Intrusion Prevention."
  • I believe this to be wrong for the following
    reasons:

7
Reasons IDS still works
  • The product or technology life-cycle methodology
    (beginning, middle, end, start over) has been
    proven for years; for IPS that cycle has just
    begun.
  • Cost: Maybe the larger corporations have
    the money to throw away $100,000 or more in
    current IDS technology, but who else can?
  • IDS still provides a service.
  • IDS can be fine-tuned to work and produce proper
    reporting.
  • "This statement appears to show that now even
    Gartner has succumbed to marketing hype."
  • (IDS v. IPS Commentary, by Gary Golomb, posted
    by Eric Lubow, 6/16/2003 9:01)

8
Difference between IDS and other devices
  • The main difference between an IDS and other
    security devices is the fact that it's
    out-of-band, or passive, in nature. It passively
    watches all traffic looking for SIGNS of attacks,
    compromise or other misuse. The key benefit to
    being out-of-band is that you have the ability to
    flag traffic that looks even the slightest bit
    "suspicious," while NOT being detected!

9
What about virus protection?
  • IPS would have to be fine-tuned to block virus or
    malicious code attacks. Thinking down this path
    may lead to similar -- if not more -- false
    positives. IPS will shut down connections, while
    IDS will detect and report.
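The behaviour the slides contrast (a passive, out-of-band IDS that only alerts versus an inline IPS that cuts the connection, and the cost of a false positive in each case) is shown below in a small Python model. This is an added example, not code from the presentation or any of the products it discusses; the request lines, signature names, regular expressions and addresses are all constructed for the illustration. The same untuned ruleset is run in both modes, and then a tuned ruleset is run inline to show how narrowing a rule removes the block on legitimate traffic.

```python
"""Toy out-of-band (IDS) versus inline (IPS) sensor.

Added illustration, not code from the presentation. It runs one
signature set over constructed sample requests in both modes to show
why a false positive that is merely noisy for an IDS becomes a
service-affecting block for an IPS, and how tuning narrows the rule.
"""
import re
from dataclasses import dataclass, field

# Constructed sample requests: (source address, request line, is_legitimate).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "GET /index.html HTTP/1.1", True),
    ("10.0.0.5", "POST /search?q=select+all+items HTTP/1.1", True),
    ("10.0.0.7", "GET /default.ida?XXXXXXXX HTTP/1.0", False),      # worm-style probe
    ("10.0.0.9", "GET /cgi-bin/../../etc/passwd HTTP/1.1", False),  # traversal attempt
]

# Untuned ruleset: "sql-keyword" is far too broad and fires on an ordinary search.
BROAD_SIGNATURES = [
    ("code-red-probe", re.compile(r"/default\.ida\?")),
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-keyword", re.compile(r"(?i)\bselect\b")),
]

# Tuned ruleset: the SQL rule now requires an injection-shaped phrase.
TUNED_SIGNATURES = [
    ("code-red-probe", re.compile(r"/default\.ida\?")),
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-keyword", re.compile(r"(?i)\bunion\s+select\b")),
]


@dataclass
class Sensor:
    mode: str          # "ids": passive copy of traffic, alert only; "ips": inline, drops on match
    signatures: list
    alerts: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def first_match(self, request):
        """Return the name of the first signature matching the request, or None."""
        for name, pattern in self.signatures:
            if pattern.search(request):
                return name
        return None

    def process(self, traffic):
        for src, request, legitimate in traffic:
            hit = self.first_match(request)
            if hit:
                self.alerts.append((hit, src))
                if self.mode == "ips":
                    self.dropped.append((hit, src, legitimate))
                    continue  # inline: the connection is cut, nothing reaches the server
            # A passive IDS only sees a copy, so every request is delivered regardless.
            self.forwarded.append((src, request))
        return self

    def legitimate_drops(self):
        """Legitimate requests an inline sensor blocked: the cost of each false positive."""
        return [d for d in self.dropped if d[2]]


def run(mode, signatures, traffic=SAMPLE_TRAFFIC):
    """Summarise one pass of a sensor over the traffic as plain counts."""
    s = Sensor(mode, signatures).process(traffic)
    return {
        "alerts": len(s.alerts),
        "forwarded": len(s.forwarded),
        "dropped": len(s.dropped),
        "legitimate_blocked": len(s.legitimate_drops()),
    }


if __name__ == "__main__":
    for label, mode, sigs in [("IDS, untuned", "ids", BROAD_SIGNATURES),
                              ("IPS, untuned", "ips", BROAD_SIGNATURES),
                              ("IPS, tuned", "ips", TUNED_SIGNATURES)]:
        print(f"{label:14} {run(mode, sigs)}")
```

With the untuned rules the IDS raises three alerts and forwards all four requests, so the over-broad SQL rule costs an analyst some triage time and nothing more; the same rules inline drop three requests, one of them the legitimate search, which is exactly the disruption the Gartner quotation on slide 3 warns about. The tuned ruleset inline still drops both hostile requests and passes both legitimate ones, which is the tuning effort slide 4 says an IPS demands before it can be trusted to block.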

10
Looking for the Holy Grail of security
  • Security professionals are constantly looking
    for the "holy grail" of security products. They
    have bought firewalls, vulnerability assessment
    tools and intrusion-detection systems (IDS),
    hoping to find the ultimate security tool. The
    truth is much more difficult - security is an
    ongoing process that involves multiple layers of
    protection.
  • http://www.lucidsecurity.com/whitepapers.php

11
What about Code Red and IDS?
  • A good intrusion-detection system (IDS) could
    have mitigated the attack on Client Company, but
    probably would not have stopped it. This type of
    system would have alerted system engineers at the
    outset of the attack, and they could have then
    taken proactive and reactive steps to stop the
    infection; however, with the speed at which Code
    Red spread it is hard to imagine effectively
    combating this worm through a hurried, manual
    patching process.
  • http://www.lucidsecurity.com/whitepapers.php

12
What about Code Red and IPS
  • Intrusion-prevention systems (IPS) that can
    intelligently block incoming exploits could have
    drastically altered the effect of Code Red at
    Client Company. Depending on the speed of the
    IPS, it could have been possible to stop the
    infection entirely. When used in combination with
    strictly controlled firewalls, standardized
    network policies and a good notification system,
    intrusion prevention engines significantly narrow
    the window of opportunity for crackers.
  • http://www.lucidsecurity.com/whitepapers.php

13
Market Growth
  • Infonetics Research has predicted that the IDS
    market will grow 43% to $149m by this time next
    year.
  • The market watcher believes that annual IDS
    revenue will hit $1.1bn by 2006, a compound
    annual growth rate of almost one third.
  • Infonetics reported that the IDS/IPS market is
    currently experiencing disruptive technology
    shifts. Although growth will continue during
    2003, the market will only really take off in
    2004.
  • http://uk.news.yahoo.com/030905/175/e7mg3.html

14
Industry Statements
  • This whole argument (that Gartner started with
    an incomplete and not real world report) is like
    saying that human guards will be replaced by
    cameras, because it is cheaper to run a camera.
    Course someone has to look at the output from a
    camera, but who's counting. Cameras are good and
    guards are good, but together they make for
    tighter security. Steven T. Carey
  • http://archives.neohapsis.com/archives/sf/ids/2003
    -q2/0293.html

15
Industry Statements II
  • If we are not careful installing and configuring
    IPS, we will just give attackers more tools to
    allow them to DoS us. Trust is quite difficult
    with current network infrastructure and protocols
    where everything can be forged... (we still use
    IPv4 most of the time to communicate, there are
    no reliable audit traces to feed even the perfect
    IPS). Omar Herrera
  • http://www.derkeiler.com/Mailing-Lists/securityfoc
    us/focus-ids/2003-06/0167.html

16
Industry Statements III
  • That is what upsets me the most about incidents
    like this. Because of the long history Gartner
    has with industry reporting, their documents
    carry a lot of weight for many organizations.
    Although, this recent track record of negligence
    is disturbing to say the least.
  • Gary Golomb, Senior Research Engineer, Dragon
    Intrusion Detection Group, Enterasys Networks

17
Conclusion
  • IPS may be superior, but again, the life cycle of
    technology in general must be considered, for it
    is critical.
  • Factors: cost, setup, tuning (more than IDS), and
    version 1 or first-generation status.
  • Industry agrees: IPS could have stopped Code Red
    and others, but it will take time to implement
    and fully understand.

18
Questions?
  • Submit your questions to Ed by clicking on the
    Ask a Question link on the lower left corner of
    the screen.

19
References
  • http://www.linuxsecurity.com/articles/forums_artic
    le-7476.html
  • http://www.nwc.com/1411/1411colshipley.html
  • http://searchsecurity.techtarget.com/originalConte
    nt/0,289142,sid14_gci905961,00.html
  • http://www.ncs.com.sg/media/clippings_2003/apr_03/
    apr03_acw_ids.asp
  • http://www.derkeiler.com/Mailing-Lists/securityfoc
    us/focus-ids/2003-06/0167.html
  • http://archives.neohapsis.com/archives/sf/ids/2003
    -q2/0293.html
  • http://www.lucidsecurity.com/whitepapers.php
  • http://www.infoworld.com/article/03/04/04/14ips-sb
    _1.html, April 04, 2003

20
Thank you
Thank you for participating in this
SearchSecurity.com on-demand webcast. If you have
comments or suggestions for future webcasts,
e-mail the editor at webcast_at_searchSecurity.com.