Focus on IDS
ROI on IDS/IPS products Feb 27 2009 05:08PM
Ravi Chunduru (ravi is chunduru gmail com) (5 replies)
Re: ROI on IDS/IPS products Mar 04 2009 12:55PM
aditya mukadam (aditya mukadam gmail com) (1 replies)
RE: ROI on IDS/IPS products Mar 05 2009 03:22PM
Kirk, James P. (JAMES P KIRK saic com)
Re: ROI on IDS/IPS products Feb 28 2009 03:11PM
Mark Stingley (infosec altsec info)
Re: ROI on IDS/IPS products Feb 28 2009 12:17AM
Frank Knobbe (frank knobbe us) (1 replies)
Re: ROI on IDS/IPS products Mar 02 2009 06:36PM
Jeremy Bennett (jeremyfb mac com) (1 replies)
Re: ROI on IDS/IPS products Mar 02 2009 07:21PM
Stefano Zanero (s zanero securenetwork it) (2 replies)
Re: ROI on IDS/IPS products Mar 03 2009 04:01PM
Webmaster 003 (webmaster networkdefense biz) (2 replies)
Re: ROI on IDS/IPS products Mar 05 2009 02:48AM
Joel Jaeggli (joelja bogus com) (2 replies)
Re: ROI on IDS/IPS products Mar 05 2009 05:01PM
Joel M Snyder (Joel Snyder Opus1 COM) (1 replies)
Re: ROI on IDS/IPS products Mar 06 2009 01:56AM
Ravi Chunduru (ravi is chunduru gmail com) (1 replies)
Re: ROI on IDS/IPS products Mar 06 2009 03:05AM
Joel Jaeggli (joelja bogus com)
Re: ROI on IDS/IPS products Mar 05 2009 12:51PM
Webmaster 003 (webmaster networkdefense biz)
Re: ROI on IDS/IPS products Mar 03 2009 05:11PM
Joel M Snyder (Joel Snyder Opus1 COM)
Re: ROI on IDS/IPS products Mar 02 2009 08:09PM
Jeremy Bennett (jeremyfb mac com) (2 replies)

On Mar 2, 2009, at 11:21 AM, Stefano Zanero wrote:

> Jeremy Bennett wrote:
>
>> This is a problem with the products, not the customers. The problem
>> being that there is still too much IDS thinking inside the IPS.
>
> Funny, since an IPS is nothing more than an IDS that can drop
> traffic ;-)

This is true of the technology. My point is that too many IPS vendors
think that just because they are using IDS technology they need to
deliver an IDS that can block.
>
>
> Yes, I'm being humorous here, but really there is not that much
> difference in the two things, except for the marketing and the
> extremely different defensive posture: an IDS hunts for higher
> detection rates even at the cost of some false positives, whereas IPS
> aim at extremely low false positive rates.
>
> However:
>
>> So, I *should* be able to purchase an IPS, read the manual,
>> configure it according to my own risk profile, and then leave it
>> alone. High-risk activity should be blocked. Benign traffic should be
>> let through.
>
> And then villains should be brought to justice, and the greater
> good should prevail.

An IPS can be more than an IDS with a cape and tights, yes.
>
>
> However, getting back to the real world, that doesn't work. You cannot
> configure "your risk profile" because there's no way on Earth to
> express that sensibly in a single clicky and yummy web interface. You
> can configure the system, activating and deactivating specific
> signatures, and - sorry - you WILL need to know damn well what you are
> doing.
>
> It is not just a problem with the products (and boy they are faulty),
> it IS a problem with the customers. A huge one.

Ah, reality, ok. Think for a minute about the problem and the tacit
assumptions that have already been made here.

By purchasing an IPS from a vendor and enabling even *some* of the
signatures for blocking I have established that I trust my vendor and
I trust the signature authors to write signatures that are good enough
to block an exploit or an attempt to exploit a vulnerability.
Today, as you say, I make the decision to enable a signature on a
signature-by-signature basis. I read the metadata in whatever form the
vendor provides it; text descriptions, risk ratings, reliability
ratings, categories, etc. Except in the cases of products like snort
where I can go read the signature myself, I'm trusting that the
metadata are correct. I'm trusting my vendor.

So, why do you consider it so far-fetched that I might configure an
IPS not on a signature-by-signature basis but on an application,
resource, and risk basis? Clearly, this is a VERY different experience
from current IPS configurations. In addition, it puts a LOT of trust
into the vendor's signature authors to correctly categorize and rate
their signatures based on the risk of the threat and the potential for
a false positive on that particular signature. However, as I've said,
this trust already exists.

What's required for my version of an IPS?
1. A vendor you can trust to reliably deliver signatures and rate them
by risk and chance of false positive. (Some vendors are trying this
today but they tend to suck at it in one or more of these dimensions.)
2. A product UI that would allow signatures to be applied on a
resource and application basis. For example, block everything
suspicious to my web farm except for web traffic. For web traffic,
block anything with a very low rate of false positive, alert on anything
with a medium chance, and log anything with a high chance of FP. Again,
some vendors have tried this but tend to miss the overall point.
3. A process on the device to regularly download the latest signature
updates and apply them based on the configured policy. I think all
vendors have gotten some sort of automated download and signature
update process going by now. The AV vendors drove them to it.

You assert that the customer 'WILL need to know damn well what they
are doing.' I assert that if the customer knew what they were doing to
the degree that you imply they'd be writing their own snort rules.
Sourcefire has a good product based on this and it has its place in
organizations that can run it.
There are many customers that will never have that expertise. They
have no choice but to trust their vendor to have the expertise
necessary to write signatures and clearly communicate the efficacy of
those signatures. This is the bulk of the potential IPS market, those
people that want something better than a firewall but can't afford to
digest 100,000 events per day.

-J

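The three items above describe a policy model rather than a product, so here is an added example (not code from the post's author or from any IPS vendor) of what that model looks like once written down: a toy policy engine that takes vendor signature metadata, a per-resource policy ("web farm serves HTTP; block everything else; for HTTP map the FP rating to block/alert/log"), and produces a per-signature action table that re-derives itself when a signature update arrives. All signature ids, names, ratings, field names (`sid`, `app`, `risk`, `fp`) and the `ResourcePolicy` structure are constructed for illustration and are not any vendor's format.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

VALID_RATINGS = {"low", "medium", "high"}

# Constructed vendor signature feed: sids, names and ratings are made up to
# stand in for the metadata a vendor ships (item 1 in the post).
SIGNATURES: List[Dict[str, str]] = [
    {"sid": "1001", "name": "HTTP directory traversal attempt", "app": "http", "risk": "high",   "fp": "low"},
    {"sid": "1002", "name": "HTTP unusual User-Agent string",   "app": "http", "risk": "low",    "fp": "high"},
    {"sid": "1003", "name": "HTTP SQL keyword in query string", "app": "http", "risk": "medium", "fp": "medium"},
    {"sid": "1004", "name": "HTTP rarely used request method",  "app": "http", "risk": "medium", "fp": ""},
    {"sid": "2001", "name": "SMB remote service creation",      "app": "smb",  "risk": "high",   "fp": "low"},
    {"sid": "2002", "name": "SSH banner scan",                  "app": "ssh",  "risk": "low",    "fp": "medium"},
]


@dataclass
class ResourcePolicy:
    """Per-resource policy (item 2): which applications the resource legitimately
    serves, what to do with signatures for anything else, and how the vendor's
    false-positive rating maps to an action for the allowed applications."""
    name: str
    allowed_apps: Set[str]
    other_apps_action: str = "block"
    fp_to_action: Dict[str, str] = field(
        default_factory=lambda: {"low": "block", "medium": "alert", "high": "log"})
    unrated_action: str = "log"  # no usable FP rating: never let it block


def audit_metadata(signatures: List[Dict[str, str]]) -> List[str]:
    """Item 1 check: sids whose risk or FP rating is missing or not one of the
    documented values. These are the ones the feed cannot yet be trusted on."""
    return [s["sid"] for s in signatures
            if s.get("risk") not in VALID_RATINGS or s.get("fp") not in VALID_RATINGS]


def resolve_action(policy: ResourcePolicy, sig: Dict[str, str]) -> str:
    """Non-allowed application: apply the catch-all action. Allowed application:
    let the FP rating decide, falling back to the unrated action."""
    if sig["app"] not in policy.allowed_apps:
        return policy.other_apps_action
    return policy.fp_to_action.get(sig.get("fp", ""), policy.unrated_action)


def compile_policy(policy: ResourcePolicy, signatures: List[Dict[str, str]]) -> Dict[str, str]:
    """Turn the policy plus the current feed into a per-sid action table."""
    return {s["sid"]: resolve_action(policy, s) for s in signatures}


def apply_update(policy: ResourcePolicy, table: Dict[str, str],
                 new_signatures: List[Dict[str, str]]) -> Dict[str, str]:
    """Item 3: a feed update arrives; new or re-rated sids get their action from
    the same policy, so nobody has to revisit individual signatures."""
    updated = dict(table)
    updated.update(compile_policy(policy, new_signatures))
    return updated


def dispatch(table: Dict[str, str], events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply the action table to detection events; a sid the table has never
    seen is alerted on rather than silently blocked or dropped."""
    return [(e["sid"], table.get(e["sid"], "alert")) for e in events]


WEB_FARM = ResourcePolicy(name="web-farm", allowed_apps={"http"})

if __name__ == "__main__":
    table = compile_policy(WEB_FARM, SIGNATURES)
    for sid, action in sorted(table.items()):
        print(sid, action)
    print("unreliable metadata:", audit_metadata(SIGNATURES))
    # Constructed update: the vendor re-rates 1003 down to low FP and adds 1005.
    update = [
        {"sid": "1003", "name": "HTTP SQL keyword in query string", "app": "http", "risk": "medium", "fp": "low"},
        {"sid": "1005", "name": "HTTP oversized header",            "app": "http", "risk": "high",   "fp": "low"},
    ]
    table = apply_update(WEB_FARM, table, update)
    print(dispatch(table, [{"sid": "1003"}, {"sid": "1005"}, {"sid": "2001"}, {"sid": "9999"}]))
```

Two design choices are worth noting. A signature with no usable FP rating is never allowed to block, which is the practical consequence of the post's point that the whole scheme rests on trusting the vendor's ratings: where that trust is unearned, the policy degrades to logging, and `audit_metadata` tells you which signatures to take up with the vendor. And the action table is a pure function of policy plus feed, so a feed update changes behaviour only through the policy the operator already wrote, never through a signature-by-signature decision.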
Re: ROI on IDS/IPS products Mar 06 2009 05:18AM
Stefano Zanero (s zanero securenetwork it)
Re: ROI on IDS/IPS products Mar 03 2009 06:54AM
Scott (opiesan gmail com)
Re: ROI on IDS/IPS products Feb 27 2009 06:47PM
Martin Roesch (roesch sourcefire com) (1 replies)
RE: ROI on IDS/IPS products Feb 27 2009 07:52PM
Pete Lindstrom (petelind spiresecurity com)
Re: ROI on IDS/IPS products Feb 27 2009 06:26PM
Jeff Kell (jeff-kell utc edu) (3 replies)
Re: ROI on IDS/IPS products Feb 28 2009 10:20PM
Ray (rpesek hotmail com) (1 replies)
RE: Re: ROI on IDS/IPS products Mar 02 2009 05:26PM
Brandon Louder (Brandon Louder mckennan org) (1 replies)
Re: Re: ROI on IDS/IPS products Mar 02 2009 11:57PM
Ray (rpesek hotmail com)
Re: ROI on IDS/IPS products Feb 28 2009 12:22AM
Joel Jaeggli (joelja bogus com)
Re: ROI on IDS/IPS products Feb 27 2009 08:29PM
Aaron Turner (synfinatic gmail com)
Copyright 2010, SecurityFocus