
IDS vs. IPS: Which is better?



Presentation Transcript


  1. IDS vs. IPS: Which is better? www.SearchSecurity.com TechTarget.com Edward P Yakabovicz, CISSP

  2. IDS and IPS
  • IDS
  • Passive ~ Out of band
  • These devices monitor and analyze events that occur on a network or system, looking for intrusion attempts based on signatures or patterns.
  • IDS requires careful tuning to network conditions to be effective; otherwise false positives are too high to make the system useful.

  3. IDS and IPS (cont.)
  • IPS
  • IPS can provide more accurate alerts.
  • IPS uses multi-method detection.
  • False positive ~ may unnecessarily suspend a connection and therefore block legitimate traffic immediately.
  • Gartner: “This real-time response which registers attacks as legitimate events, even if those attacks have no bearing on the network, could be too disruptive to operations.” (Ratzlaff)

  4. IDS and IPS (cont.)
  • IPS can identify that an intrusion has taken place and is able to provide the intruder's IP address. Network administrators still have to investigate the attack, determine how it occurred and correct the problem.
  • One of the reasons against aggregating all the network security in one box is that it contradicts the "defense-in-depth" or "security-in-layers" concept: a failure in one area could mean a failure of the entire internal network.
  • IPS fine tuning and network tuning are more complex than for IDS.
  • Point: The cost of shutting down a connection due to false positives would cause more problems than it solves. IDS is the better bet.

  5. InfoWorld
  • “In simple terms, IDS may be perfectly suited for network attack monitoring and for alerting administrators of emerging threats. But its speed, performance and passive limitations have opened the door for IPS to challenge it as the proactive defense weapon of choice.”
  • http://www.infoworld.com/article/03/04/04/14ips-sb_1.html, April 04, 2003

  6. Gartner forecast on IDS
  • Gartner, Inc. released a document authored by Richard Stiennon entitled "Intrusion Detection Is Dead - Long Live Intrusion Prevention."
  • I believe this to be wrong for the following reasons:

  7. Reasons IDS still works
  • The product or technology life cycle methodology (beginning, middle, end, start over) has been proven for years; for IPS it has just begun.
  • COST $$$$$$ Maybe the larger corporations have the money to throw away $100,000 or more in current IDS technology, but who else can?
  • IDS still provides a service.
  • IDS can be fine tuned to work and produce proper reporting.
  • This statement appears to show that now even Gartner has succumbed to marketing hype.
  • (IDS v. IPS Commentary, by Gary Golomb, posted by Eric Lubow, 6/16/2003 9:01)

  8. Difference between IDS and other devices
  • The main difference between an IDS and other security devices is the fact that it's out-of-band, or passive, in nature. It passively watches all traffic looking for SIGNS of attacks, compromise or other misuse. The key benefit to being out-of-band is that you have the ability to flag traffic that looks even the slightest bit "suspicious" while NOT being detected!

  9. What about virus protection? • IPS would have to be fine tuned to block virus or malicious code attacks. Thinking down this path may lead to similar -- if not more -- false positives. IPS will shut down connections, while IDS will detect and report.
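The trade-off slides 2 to 4 and slide 9 describe (the same signature raises a false positive on both sensors, but only the inline one pays for it by dropping legitimate traffic, and tuning the signature is what removes the cost) can be seen in a small simulation. The following is an added example written for this page, not code from the presentation or from any IDS/IPS product; the sensor model, the two traversal signatures and the five HTTP request lines are all constructed for illustration.

```python
# Constructed simulation of a passive (out-of-band) IDS and an inline IPS
# running the same signature over the same traffic. Nothing here models a
# real product; the traffic and signatures are made up for the example.
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Packet:
    src: str
    payload: str      # constructed HTTP request line
    malicious: bool   # ground truth, known only inside the simulation


# Constructed traffic: three benign requests (one uses a relative path that a
# loose signature mistakes for an attack) and two genuine traversal attempts.
TRAFFIC = [
    Packet("10.0.0.5", "GET /index.html HTTP/1.0", False),
    Packet("10.0.0.6", "GET /docs/../guide.html HTTP/1.0", False),
    Packet("203.0.113.9", "GET /../../../etc/passwd HTTP/1.0", True),
    Packet("203.0.113.9", "GET /cgi/%2e%2e/%2e%2e/etc/shadow HTTP/1.0", True),
    Packet("10.0.0.7", "GET /about.html HTTP/1.0", False),
]


def request_path(payload):
    """Return the percent-decoded path of a request line ('' if malformed)."""
    parts = payload.split()
    return unquote(parts[1]) if len(parts) >= 2 else ""


def loose_traversal(path):
    """Untuned signature: any '../' anywhere in the path."""
    return "../" in path


def tuned_traversal(path):
    """Tuned signature: flag only a path that actually climbs above the root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


@dataclass
class Outcome:
    alerts: list = field(default_factory=list)     # packets that matched
    delivered: list = field(default_factory=list)  # packets passed through
    blocked: list = field(default_factory=list)    # packets dropped (inline only)


def run_sensor(packets, detector, inline):
    """inline=False is the passive IDS: it alerts and never touches the packet.
    inline=True is the IPS: a signature hit drops the packet."""
    out = Outcome()
    for p in packets:
        if detector(request_path(p.payload)):
            out.alerts.append(p)
            if inline:
                out.blocked.append(p)
                continue
        out.delivered.append(p)
    return out


def score(out):
    """Measure an outcome against the simulation's ground truth."""
    return {
        "true_alerts": sum(p.malicious for p in out.alerts),
        "false_alerts": sum(not p.malicious for p in out.alerts),
        "benign_blocked": sum(not p.malicious for p in out.blocked),
        "malicious_delivered": sum(p.malicious for p in out.delivered),
    }


def compare(packets=TRAFFIC):
    """Run all four sensor/signature combinations and return their scores."""
    return {
        "ids-loose": score(run_sensor(packets, loose_traversal, inline=False)),
        "ips-loose": score(run_sensor(packets, loose_traversal, inline=True)),
        "ids-tuned": score(run_sensor(packets, tuned_traversal, inline=False)),
        "ips-tuned": score(run_sensor(packets, tuned_traversal, inline=True)),
    }


if __name__ == "__main__":
    for name, s in compare().items():
        print(f"{name:10s} {s}")
```

With the loose signature both sensors raise the same false alert on the benign `/docs/../guide.html` request, but only the inline sensor turns it into a dropped legitimate connection; the passive sensor also lets both real attacks through, which is the other half of the argument. Once the signature is tuned to the actual condition (a path that escapes the root), the false alert disappears on both sensors and the inline sensor blocks only the two attacks. The tuning effort is the same work in both deployments; what differs is what an untuned signature costs while you do it.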

  10. Looking for the Holy Grail of security
  • “Security professionals are constantly looking for the "holy grail" of security products. They have bought firewalls, vulnerability assessment tools and intrusion-detection systems (IDS), hoping to find the ultimate security tool. The truth is much more difficult - security is an ongoing process that involves multiple layers of protection.”
  • http://www.lucidsecurity.com/whitepapers.php

  11. What about Code Red and IDS?
  • “A good intrusion-detection system (IDS) could have mitigated the attack on Client Company, but probably would not have stopped it. This type of system would have alerted system engineers at the outset of the attack, and they could have then taken proactive and reactive steps to stop the infection; however, with the speed at which Code Red spread it is hard to imagine effectively combating this worm through a hurried, manual patching process.”
  • http://www.lucidsecurity.com/whitepapers.php

  12. What about Code Red and IPS?
  • “Intrusion-prevention systems (IPS) that can intelligently block incoming exploits could have drastically altered the effect of Code Red at Client Company. Depending on the speed of the IPS, it could have been possible to stop the infection entirely. When used in combination with strictly controlled firewalls, standardized network policies and a good notification system, intrusion prevention engines significantly narrow the window of opportunity for crackers.”
  • http://www.lucidsecurity.com/whitepapers.php

  13. Market Growth
  • Infonetics Research has predicted that the IDS market will grow 43% to $149m by this time next year.
  • The market watcher believes that annual IDS revenue will hit $1.1bn by 2006, a compound annual growth rate of almost one third.
  • Infonetics reported that the IDS/IPS market is currently experiencing disruptive technology shifts. Although growth will continue during 2003, the market will only really take off in 2004.
  • http://uk.news.yahoo.com/030905/175/e7mg3.html

  14. Industry Statements
  • “This whole argument (that Gartner started with an incomplete and not real world report) is like saying that human guards will be replaced by cameras, because it is cheaper to run a camera. Course someone has to look at the output from a camera, but who's counting. Cameras are good and guards are good, but together they make for tighter security.” Steven T. Carey
  • http://archives.neohapsis.com/archives/sf/ids/2003-q2/0293.html

  15. Industry Statements II
  • “If we are not careful installing and configuring IPS, we will just give attackers more tools to allow them to DoS us. Trust is quite difficult with current network infrastructure and protocols where everything can be forged... (we still use IPv4 most of the time to communicate, there are no reliable audit traces to feed even the perfect IPS).” Omar Herrera
  • http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ids/2003-06/0167.html

  16. Industry Statements III
  • “That is what upsets me the most about incidents like this. Because of the long history Gartner has with industry reporting, their documents carry a lot of weight for many organizations. Although, this recent track record of negligence is disturbing to say the least.”
  • Gary Golomb, Senior Research Engineer, Dragon Intrusion Detection Group, Enterasys Networks

  17. Conclusion
  • IPS may be superior, but again, the lifecycle of the technology must be considered; it is critical.
  • Factors: cost, setup, tuning (more than IDS), and the fact that IPS is version 1 or first-generation technology.
  • Industry agrees: IPS could have stopped Code Red and others, but it will take time to implement and fully understand.

  18. Questions? Submit your questions to Ed by clicking on the Ask a Question link on the lower left corner of the screen.

  19. References
  • http://www.linuxsecurity.com/articles/forums_article-7476.html
  • http://www.nwc.com/1411/1411colshipley.html
  • http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci905961,00.html
  • http://www.ncs.com.sg/media/clippings_2003/apr_03/apr03_acw_ids.asp
  • http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ids/2003-06/0167.html
  • http://archives.neohapsis.com/archives/sf/ids/2003-q2/0293.html
  • http://www.lucidsecurity.com/whitepapers.php
  • http://www.infoworld.com/article/03/04/04/14ips-sb_1.html, April 04, 2003

  20. Thank you
  • Thank you for participating in this SearchSecurity.com on-demand webcast. If you have comments or suggestions for future webcasts, e-mail the editor at webcast@searchSecurity.com.
