Answers

 

Michal S

Security Analyst Computer & Network Security Consultant

How do you feel, Mr. IDS?

How do these words reflect your current experience in your company or your customer's environment?

"Gartner says that intrusion detection systems are a costly and ineffective investment that does not add an additional layer of security as promised by vendors. The company recommends that enterprises redirect their security expenditures to firewall vendors that offer both network-level and application-level firewall capabilities in an integrated product. "

"Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled."

"Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as anti-virus activities."

posted January 15, 2007 in Information Security | Closed

Good Answers (12)

 

Stefano Z

Information Security Consultant and Researcher

This was selected as Best Answer

Overall, thank you for asking, I feel pretty well ;)

I think that I would answer in this way:
"Stefano Zanero says that Gartner reports are a costly and ineffective investment that does not bring any real expertise on the table, besides some fluffy market knowledge with no real backing. He recommends that enterprise redirect their expenditures on such useless research to some good consultant or researcher that can help them deal with their problems instead"

As usual, Gartner mixes up MARKET analysis ("IDS are a market failure") with advice to customers, under the assumption that the market knows what is good and what is not, which is not the case in many environments, and particularly in security technology (since the conceptual instruments to analyze security technologies from the business side are so lacking... see the endless ROI debates).

Technology questions should be answered by technologists and researchers using both economic and technical research; market research is useless for making technology decisions, and I maintain that whoever entrusts his technical decisions to Gartner reports is committing suicide.

IDS technologies are so totally different from firewalls in their function and objective that the sheer fact that a so-called analyst suggests "moving from IDS to firewalls" should be enough to ridicule him from now to eternity.

IPS, which have "stalled", are EXACTLY the moving of IDS functionalities into firewall systems, so this part of the report is self-contradictory.

posted January 21, 2007

 

Casper R

Senior Technical Support Engineer at Juniper Networks

Hi Mike,

This is a funny article. First they say IDS is a failure and then they say this same functionality is moving toward firewalls. This means that the functionality of content checking itself is still important. What they probably mean to be a failure is Intrusion Detection without Prevention, so only logging.

"Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as anti-virus activities."

As you know Juniper has the ISG in which the IDP service modules can be inserted, and it can also do antivirus. So this seems a correct observation that this functionality moves into firewalls.

Cheers,
Casper

posted January 15, 2007

 

Swenson R

Solutions Architect Principal

I would have to concur. To make IDS or even IPS effective, one must have a combination of personnel, processes, other complementary security solutions such as HIDS and HIPS, and various other countermeasures. Intrusion detection by itself still requires too much attention, thus creating an administrative overhead for security personnel. In fact, this is where many organizations outsource IDS management to 3rd party managed services that have 24/7 NOC resources. It is definitely worth one's money to invest in a multi-purpose security platform such as Juniper Netscreen's ISG 1000 or Fortinet devices, which combine IPS, firewalling, VPN, network-level virus protection, and other advanced features. Without having any specific bias toward one vendor's platform, there are several choices on the market and it will largely depend on an organization's requirements and what specific features it needs.

Aside from managing intrusion prevention, investigating issues, and providing incident handling and reporting, many organizations will choose solutions based on the bandwidth available and want to make sure that IP or other services work effectively given that particular bandwidth. There are solutions that integrate better into existing switching and routing environments than others, and they offer features like intrusion prevention, firewalling, 802.1X Port Authentication, virus protection, application inspection, VPN, and more. They can often be easily upgraded to handle larger bandwidth requirements.

Along with any IPS/Security solution one will need to determine what it is they will manage the solution with, and whether this management platform can help manage other components or aspects of security throughout the enterprise or enterprise network. Any large IPS implementation should be augmented by some kind of aggregation and correlation solution like Cisco MARS in order to reduce the amount of time spent investigating issues, managing intrusion events, responding to incidents, and/or retaining records of events for audit trail purposes. It is also hopeful that organizations considering spending money on network security consider security at the host level and how they grant access to systems, networks, or applications. At an enterprise level view they should then be concerned with how they manage access rights to almost any resource, how they restrict access to such resources, and how sensitive information remains isolated or properly secured within the appropriate boundaries.

Often one of the largest mistakes organizations make is that they implement an IPS device or a multifunctional device in only one part of their network, often the most pertinent area of the network, but leave other areas of the network exposed and do not take any of the same precautions in other areas of the network or network locations. A site with several VPN or WAN locations without any site-to-site restrictions can lead to a compromise rendering the investment of IDS in one area inadequate and/or too late in detecting when an intrusion occurred. In some cases, isolating the issue and determining where the first intrusion occurred becomes difficult.

posted January 15, 2007

 

Javed I

Chief Security Officer at zSquad (http://www.zsquad.com), a Boston-based Information Security Consulting Company

Gartner has been predicting the death of IDS for a while.

See http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci905961,00.html
and http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss81_art203,00.html

As an infosec professional, I agree, but I also know that enterprises are cutting security spending; not increasing it so I don't know how realistic this is.

Would a single device that does everything work? Then why not put everything on the router itself?

There is always value in having a device that's sitting out-of-band analyzing the traffic (an IDS) vs an in-line device like a firewall or IPS that will either fail open and let the bad traffic in, or fail closed (and stop the legit data) when there is overwhelming traffic.

So no, we are not seeing this trend, and actually recommending against it.

Javed
javed@zsquad.com

posted January 15, 2007

 

Ewan L

Senior Technical Consultant at Network Integrity Services Ltd

I agree with Gartner on the limitations, there's really not much an IDS supplies on a day to day basis.

Perhaps the primary benefit of an IDS is actually a historical archive of your network traffic flows over a period of weeks or months, so you can review it to see "What happened last Thursday that was different to the Thursday before" and try to track down problems, but it still needs a human looking at the data with understanding.

posted January 15, 2007
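The "last Thursday versus the Thursday before" review Ewan describes can be scripted once the IDS has archived flow records. The following is an added example by the editor, not code from the poster or from any IDS product; it assumes flow records reduced to (source, destination, destination port, bytes) tuples, which are constructed here, and compares a baseline day against the day under review, reporting flows that are new, that grew beyond a ratio, or that disappeared.

```python
from collections import defaultdict

# Constructed flow records for two days: (src, dst, dst_port, bytes).
# Not real traffic; the values are chosen to show each finding type.
BASELINE_THURSDAY = [
    ("10.1.1.5", "10.1.2.20", 80, 120_000),
    ("10.1.1.5", "10.1.2.20", 443, 90_000),
    ("10.1.1.7", "10.1.2.25", 3306, 45_000),
    ("10.1.1.9", "10.1.2.30", 22, 8_000),
]
LAST_THURSDAY = [
    ("10.1.1.5", "10.1.2.20", 80, 125_000),
    ("10.1.1.5", "10.1.2.20", 443, 400_000),    # more than 4x the baseline
    ("10.1.1.7", "10.1.2.25", 3306, 44_000),
    ("10.1.1.9", "10.1.2.30", 22, 8_500),
    ("10.1.1.7", "203.0.113.9", 4444, 30_000),  # conversation never seen before
]


def aggregate(flows):
    """Sum bytes per (src, dst, dst_port) conversation."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        totals[(src, dst, port)] += nbytes
    return totals


def diff_flow_baselines(baseline, current, ratio=2.0, min_bytes=10_000):
    """Return (kind, conversation, baseline_bytes, current_bytes) findings.

    kind is "new" (not in baseline), "increase" (grew by >= ratio) or
    "missing" (present in baseline, absent now). min_bytes suppresses
    noise from tiny conversations.
    """
    base = aggregate(baseline)
    cur = aggregate(current)
    findings = []
    for key, nbytes in sorted(cur.items()):
        before = base.get(key)
        if before is None:
            if nbytes >= min_bytes:
                findings.append(("new", key, 0, nbytes))
        elif nbytes >= ratio * before:
            findings.append(("increase", key, before, nbytes))
    for key, before in sorted(base.items()):
        if key not in cur and before >= min_bytes:
            findings.append(("missing", key, before, 0))
    return findings


if __name__ == "__main__":
    for kind, (src, dst, port), before, now in diff_flow_baselines(
            BASELINE_THURSDAY, LAST_THURSDAY):
        print(f"{kind:8} {src} -> {dst}:{port}  {before} -> {now} bytes")
```

The output is a short list for a human to look at, which is the point Ewan makes: the archive narrows the search, it does not replace the analyst who decides whether the 443 spike is a backup job or something else.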

 

Yinal O

Principal Architect , New York

Gartner's response is a very usual one for an analyst who reads the specifications of the products and then comes up with a "research" conclusion.

Well, the reality on the hands-on world is different. If you start shopping today, you will not be able to find an IDS/IPS product effective over 5Gbps. (I should say even 2Gbps the real full duplex gigabit pipe is very difficult with mixed traffic type).

Today enterprise deployments move firewall systems closer to the core, next to the server farms. We are looking at multiple aggregated gigabit channels to enforce information security policies. Firewalls by nature look at the headers of the packets, and if they detect a pattern they simply allow traffic, this accelerates the traffic. On the other hand application level firewalls and IDS/IPS systems need to look at the full payload of the traffic, they need to understand the application and detect threats, and this process is slow. Did you ever see an application in the middle of the core routers? If Gartner is right it will be Gartner’s firewalls.

If everybody enables IDS/IPS features on firewalls, they would be either investing 10 fold in infrastructure or they would be slowing their network severely. Dedicated IDS/IPS systems are designed to handle full packet analysis fast, firewalls aren’t. I am working with almost all of the major firewall vendors and if the production environment is mission critical we always recommend dedicated/best of breed IDS/IPS solutions. On the other hand, if you are looking at a T1/E1 internet pipe, the whole picture changes, it makes sense to use an integrated appliance, not just the firewall and the IDS maybe URL filtering, AV, QOS etc in a single device. This category is called unified threat management (UTM) and there are several vendors on this space.

There is another argument in the architectural design of firewalls and IPS systems. Firewalls are the security gateways; they are designed to fail closed upon failure/overload. IPS systems, on the other hand, are not the security guards, they are the intrusion alarms; they are usually deployed in a fail-open design unless a heavy investment is made in IPS high availability. Mixing these two approaches on a single platform may require revamping of operational procedures.

Last but not the least, ask Check Point about the NFR acquisition, or ask Nokia why there is a different IPSO platform for Sourcefire, or ask Juniper why there is a dedicated blade for IPS, or ask Cisco why their ASA box cannot run full mode with IPS features, or check with Cisco on how many IPS blades you need on 6509 to secure 8 gigabit ports, or check with Fortinet about IPS enabled performance numbers, or listen to the sad story of why Microsoft does not have the IPS features on ISA :)

posted January 16, 2007

 

David P

Independent Security Consultant

Hi Michal,

Yes, Gartner has been predicting the death of IDS technology for a while now. Well, maybe multi-purpose network boxes including Firewall (FW), IDS, IPS, VPN and more functionality will become prevalent over IDS-only boxes, as they seem to forecast, we'll see, but even if that's the case IDS functionality will still need to be there and it will still need to be managed by humans, so I wouldn't consider it the end of IDS or even a fundamental change.

In terms of "adding an additional layer of security", IMHO the functionality certainly does increase security and having independent IDS boxes instead of integrated ones also adds some extra protection: if an attacker gains control of a FW and you have independent IDS systems you may detect his activities but if you have a FW-IDS combined box and an attacker takes over it you've lost both functionalities (FW and IDS) at once. Now, is that risk important enough to go for the independent solution? The answer should be given by a proper risk analysis and it will vary for different organizations or different environments inside an organization.

And of course there is also the performance issue: will the combined box be able to cope with your network traffic in a timely manner with all the tasks assigned to it? That will depend on the traffic volume, on the rules configured, on the quality of the hardware, etc. (for high volume traffic even high end dedicated boxes have difficulties).

In summary, I think IDS functionality is far from dead and IDS-only systems will still have a place in the market for a few years more at the very least.

Cheers,
David.

posted January 16, 2007

 

Trygve A

Manager - BBS

I totally disagree with this.

For one, an IPS has only two states, and the way it works has to reflect this. It either HAS to block, or it HAS to let the traffic pass. An IPS can't have false positives, and it has only a minimal amount of time to actually make this decision.

What does this mean? Well, for one it can't do deep analysis, run the traffic in sandboxes or compilers. It can't do back-end inspection and it can't change its action.

An IDS, on the other hand, is the smart and slow brother. And it's not even a brother... we're talking about two very different ways of analyzing the traffic and making a decision here. It can run the traffic through protocol analyzers, do back-end compilation and run copies of files through debugging to check for buffer overflows, even if it's not a known vulnerability.

This makes the IPS very good at removing every known exploit out there, and the IDS can analyze the rest for a more forensics approach to everything.

Failing to see this, and to take advantage of this potential, can be the trigger that makes a security department in a company fail to protect the custom applications that their company offers, since they'll only see and stop the commonly known attacks, and not the ones that are custom made for them.

If you teach (make your own filters for) your IDS to recognize your company's application traffic, it can help you in both seeing people probing your application for weaknesses and launching attacks towards it. And it can also become a very thorough debugging tool if your applications have any problems.

No IPS or firewall vendor is even close to making any product that is even close to being the Swiss army knife that the IDS can be.

posted January 16, 2007

 

Lea V

Principal Security Consultant (http://www.lavsecurity.fi), GSNA + CISSP

Well, it depends. I can see scenarios where IDS or even IPS is a waste of money and does not reduce any key risks for the organization. And I think risk reduction is the bottom line in any security spending.

Typically failure cases involve SME class organizations who think IDS/IPS is just one of those security things you "absolutely must have" to be secure. However, they do not have the personnel/money to tweak the system to their environment or actually utilize the IDS/IPS information to any degree.

That was my take from the organizational perspective. From the technical perspective there have been a few good points already, especially from the performance point of view.

posted January 18, 2007

 

Michael S

Information security survivor

I guess it's time to repeat my mantra: "Security is not a product." You cannot buy security because you cannot be secure. All you can do is effectively assess and manage risk.

What does an IDS provide if you don't understand the value and location of your business assets, both from the business's perspective and the criminal's perspective? Hint: just because you don't see the value doesn't mean your competitor or the scam artist doesn't.

What does an IDS provide if you don't know all the paths to those assets and the strength of the controls in place to protect them? The door is locked but the window is open syndrome.

What does the IDS provide if no one knows what is normal and what isn't? I am still amazed when server owners want me to review their logs for "bad stuff". If the owner doesn't know what is normal, how do you expect me to?

What does the IDS provide if no one is looking at it? The IDS is a tool. Tools are used by professionals. Why get one without the other?

What does the IDS provide if it's in the wrong place? This comes back to understanding ALL the paths to your assets.

What does the IDS provide if your security initiatives are a list of products? Unless dedicated professionals are there helping to identify, assess, and help manage your risks then all your IDS will tell you is how much money is walking out the door in lost opportunities.

posted January 18, 2007

 

Jose M

Systems Engineer at Cisco

As Swenson pointed out above, after the experiences I have had I would focus more on a SEM system such as MARS, or if budget allows, ArcSight. There are other vendors offering this functionality, a bit of googling will give you some names.

At the same time, I would make sure that there are human resources to process and answer security incidents, who will be ultimately responsible for the quality of the security surveillance infrastructure.

Once all this is in place, you are ready to send to your SOC alarms generated by new sources, such as IDS.

Without forgetting the key role that a Configuration Management tool could play, by integrating asset information with alarms generated for those assets.

All in all, I would say that the current security picture is not about the number of elements you put inside, but about how you integrate them, and subsequently how meaningful is the information that you can extract out of it.

Cheers,
Jose

posted January 20, 2007
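Jose's last two points, feeding IDS alarms into a SEM/correlation layer and joining them with configuration-management data about the affected assets, are shown in the following added example by the editor. It is not code from the poster, from Cisco MARS or from ArcSight; the alarm records and the asset inventory are constructed, and the scoring rule (severity times target criticality times repeat count) is an assumption chosen to make the prioritisation visible.

```python
from collections import defaultdict

# Constructed asset inventory, standing in for a configuration-management tool.
ASSETS = {
    "10.1.2.20": {"name": "web01", "criticality": 3, "owner": "ecommerce"},
    "10.1.2.25": {"name": "db01", "criticality": 5, "owner": "ecommerce"},
    "10.1.3.40": {"name": "kiosk07", "criticality": 1, "owner": "facilities"},
}

# Constructed IDS alarms: (sensor, src, dst, signature, severity 1-5).
ALARMS = [
    ("ids-dmz", "203.0.113.9", "10.1.2.20", "HTTP dir traversal", 3),
    ("ids-dmz", "203.0.113.9", "10.1.2.20", "HTTP dir traversal", 3),
    ("ids-dmz", "203.0.113.9", "10.1.2.20", "HTTP dir traversal", 3),
    ("ids-core", "10.1.2.20", "10.1.2.25", "MySQL auth failure", 2),
    ("ids-core", "10.1.2.20", "10.1.2.25", "MySQL auth failure", 2),
    ("ids-lan", "198.51.100.4", "10.1.3.40", "SMB scan", 2),
    ("ids-lan", "198.51.100.4", "10.9.9.9", "SMB scan", 2),  # target not in inventory
]


def correlate(alarms, assets, unknown_criticality=2):
    """Collapse duplicate alarms into incidents, weight each by the target
    asset's criticality and return them highest score first."""
    grouped = defaultdict(lambda: {"count": 0, "sensors": set(), "severity": 0})
    for sensor, src, dst, sig, sev in alarms:
        g = grouped[(src, dst, sig)]
        g["count"] += 1
        g["sensors"].add(sensor)
        g["severity"] = max(g["severity"], sev)

    incidents = []
    for (src, dst, sig), g in grouped.items():
        asset = assets.get(dst)
        # An unknown target is itself a finding: the inventory is incomplete.
        crit = asset["criticality"] if asset else unknown_criticality
        incidents.append({
            "src": src, "dst": dst, "signature": sig,
            "count": g["count"], "sensors": sorted(g["sensors"]),
            "asset": asset["name"] if asset else None,
            "owner": asset["owner"] if asset else None,
            "asset_known": asset is not None,
            "score": g["severity"] * crit * g["count"],
        })

    # Flag follow-on activity: an incident whose source is itself the target
    # of another incident (a web server that starts failing logins to the DB).
    targets = {inc["dst"] for inc in incidents}
    for inc in incidents:
        inc["follow_on"] = inc["src"] in targets

    incidents.sort(key=lambda inc: inc["score"], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALARMS, ASSETS):
        tag = " (follow-on)" if inc["follow_on"] else ""
        print(f"{inc['score']:>3} {inc['signature']:<20} {inc['src']} -> "
              f"{inc['asset'] or inc['dst']} owner={inc['owner']} x{inc['count']}{tag}")
```

Seven raw alarms become four incidents, the two MySQL failures rank above the SMB noise only because the inventory says db01 is critical, and the "follow_on" flag ties the database incident back to the web server that had just been hit. The owner field is what lets the SOC route the incident to the people Jose says must be in place to answer it.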

 

Kyle R M

Experienced Computer Forensic Investigator

Here's the key insight you need to make it all work:

An "intrusion prevention system" IS a firewall.

It's just a device that makes a decision as to whether to permit network traffic based on a defined security policy. The parameters in the policy might specify conditions the packet must match anywhere in the stack -- IP address, TCP or UDP port, application content, whatever.

Claiming that one is a failure and the other success misses the point -- these sorts of things MUST come together. It's their nature.

I'd also point out that, from a control perspective, detective and preventive controls are distinct and have their own uses. If you're hoping that a detective control like an IDS will provide some preventive benefit, you haven't understood the technology and its real purpose in life. In fact, when clients make this claim, I look a little more closely at their overall architecture than before because it indicates they don't comprehend the fundamental building blocks needed to secure their environments.

posted January 21, 2007
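Kyle's observation that an IPS is a firewall whose policy may match at any layer, together with Javed's point about out-of-band sensors versus in-line devices that fail open or fail closed under load, and Trygve's point that an in-line device has exactly two states, can be shown in one small policy engine. This is an added example by the editor, not code from any of the posters or from any product; the packets, the rules and the "capacity" overload model are constructed, and the payload strings are illustrative only.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed packets; payloads are illustrative strings, not real traffic.
PACKETS = [
    {"id": 1, "src": "10.0.0.8", "dst_port": 80, "payload": "GET /index.html"},
    {"id": 2, "src": "10.0.0.8", "dst_port": 80, "payload": "GET /../../etc/passwd"},
    {"id": 3, "src": "192.0.2.77", "dst_port": 22, "payload": "SSH-2.0-client"},
    {"id": 4, "src": "10.0.0.9", "dst_port": 80, "payload": "GET /login"},
]


@dataclass
class Rule:
    """One policy entry; every condition is optional, so a rule may match at
    layer 3 (src), layer 4 (dst_port) or layer 7 (content regex), or any mix."""
    name: str
    action: str                      # "permit" or "deny"
    src: Optional[str] = None
    dst_port: Optional[int] = None
    content: Optional[str] = None

    def matches(self, pkt):
        return ((self.src is None or pkt["src"] == self.src)
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port)
                and (self.content is None
                     or re.search(self.content, pkt["payload"]) is not None))


# A classic firewall rule, an IPS-style content signature and a default:
# structurally they are the same thing, a first-match policy.
POLICY = [
    Rule("block-untrusted-ssh", "deny", src="192.0.2.77", dst_port=22),
    Rule("path-traversal", "deny", dst_port=80, content=r"\.\./"),
    Rule("default-permit", "permit"),
]


def evaluate(policy, pkt):
    """First-match lookup; a policy with no matching rule permits."""
    for rule in policy:
        if rule.matches(pkt):
            return rule
    return Rule("implicit-permit", "permit")


class Sensor:
    """The same engine deployed in-line (IPS/firewall) or out-of-band (IDS)."""

    def __init__(self, policy, inline, fail_open=True, capacity=3):
        self.policy = policy
        self.inline = inline          # True: verdicts are enforced; False: only observed
        self.fail_open = fail_open    # in-line behaviour once capacity is exceeded
        self.capacity = capacity      # packets the engine can inspect per batch (constructed)

    def process(self, packets):
        """Return (verdicts, alerts); verdicts are (id, action, reason)."""
        verdicts, alerts = [], []
        for i, pkt in enumerate(packets):
            if i >= self.capacity:
                # Overload. An in-line device must still decide every packet,
                # so it either lets everything through or stops everything.
                # A passive sensor just misses the packet; nothing is blocked,
                # but any alert it would have raised is lost too.
                if self.inline:
                    verdict = "permit" if self.fail_open else "deny"
                else:
                    verdict = "permit"
                verdicts.append((pkt["id"], verdict, "overload"))
                continue
            rule = evaluate(self.policy, pkt)
            if rule.action == "deny":
                alerts.append((pkt["id"], rule.name))
            # Out-of-band the verdict is only ever a log line.
            verdicts.append((pkt["id"], rule.action if self.inline else "permit", rule.name))
        return verdicts, alerts


if __name__ == "__main__":
    for label, sensor in [("inline fail-open", Sensor(POLICY, True, True)),
                          ("inline fail-closed", Sensor(POLICY, True, False)),
                          ("passive IDS", Sensor(POLICY, False))]:
        verdicts, alerts = sensor.process(PACKETS)
        print(label, verdicts, "alerts:", alerts)
```

Packet 4 is the legitimate request that arrives after the engine is saturated: the fail-open IPS passes it (and would pass an attack in the same position), the fail-closed IPS drops it, and the passive sensor neither blocks it nor inspects it. That is the operational trade-off Javed and Yinal describe, and it is a property of placement, not of whether the box is labelled "firewall" or "IPS".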