recommendations regarding IPS

Valdis.Kletnieks at vt.edu
Sat Apr 1 02:11:25 UTC 2006


On Fri, 31 Mar 2006 16:16:29 +0200, "Hegger, Stefan" said:

> We have a 2 Gbps connection with about 200kpps in- and outgoing
> traffic, and I don't want to pipe the traffic through software, fpgas
> are ok.
> Our problems are DDoS and we want to have a stateful packet inspection.

What actual *problem* are you trying to solve by installing an IPS?  Note
that simple traffic graphs are usually enough to spot a DDoS - and if the
attacker is clever enough, the packets will *look* sane enough to pass the
IPS's muster and not be flagged.

Remember that in most cases, a packet flagged by an IPS falls into one of
several categories:

1) False positive.  You just nuked a legitimate connection. Whoops.

2) A packet that wouldn't have done anything anyhow because you've already patched
the vulnerability.  Who cares?

3) The very rare packet that exploits a vulnerability you haven't been able
to harden the target against yet.  At this point, the IPS is being used as
a crutch to cover up the fact you haven't hardened the target box (and yes,
I'm fully aware of "but it's running MobyFooBar that isn't certified on any
release of the OS later than 1997" issues... doesn't change the fact that
you haven't hardened the box, does it? ;)

4) A very important class of packets that the IPS does *NOT* alert on is
the one it doesn't match to a vulnerability template, either because it's
a 0-day you don't have a template for, or because the source of the packet
is inside your border (got any wireless? Anyplace a user connects a laptop?
Any machines that might have gotten whacked with spyware or other malware,
opening up an *outbound* connection that your IPS will likely pass as OK?)

And don't forget that the IPS is Yet Another Log To Read.  Unless you're also
hiring more manpower to feed the beast and clean up after it, it's worse than
useless, as it's taking away from all the OTHER things you're already doing.

And of course, getting one to do anything reasonable about "malicious traffic
FOO carried over SSL/443" is a major technical challenge - which is why you're
likely to see malicious traffic buried under the SSL.. ;)
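An added example, not from the post or its author: the kind of check a counter poller behind a "simple traffic graph" can run to spot the packet-rate flood the author says graphs already reveal. The per-second pps samples are constructed around the thread's 200 kpps figure; window, factor and floor are assumed tuning values.

```python
"""Spot a packet-rate flood from interface counters alone (added example).

Models the "simple traffic graphs" the post refers to: one packets-per-second
sample per second, as a counter poller would record them.
"""
from statistics import median

# Constructed pps samples, one per second: normal jitter around 200 kpps,
# then a flood that roughly triples the packet rate for several seconds.
SAMPLES = [
    198_000, 203_500, 201_200, 199_800, 204_100, 200_300, 202_700, 197_900,
    201_400, 200_900,                               # baseline window
    205_000, 640_000, 655_000, 660_000, 648_000,    # flood begins at index 11
    201_100, 199_500,                               # flood ends
]

def find_spikes(samples, window=10, factor=2.5, min_delta=100_000):
    """Return indices whose pps exceed a rolling baseline.

    baseline = median of the previous `window` samples (robust to a few
               earlier spikes, unlike a plain mean, as long as the flood is
               shorter than half the window)
    flagged  when value > baseline * factor AND value - baseline > min_delta
             (the absolute floor keeps a quiet link from alerting on noise)
    """
    flagged = []
    for i in range(window, len(samples)):
        baseline = median(samples[i - window:i])
        value = samples[i]
        if value > baseline * factor and value - baseline > min_delta:
            flagged.append(i)
    return flagged

def spike_intervals(indices):
    """Collapse consecutive flagged indices into (start, end) intervals."""
    intervals = []
    for i in indices:
        if intervals and i == intervals[-1][1] + 1:
            intervals[-1] = (intervals[-1][0], i)
        else:
            intervals.append((i, i))
    return intervals

if __name__ == "__main__":
    for start, end in spike_intervals(find_spikes(SAMPLES)):
        print(f"pps spike from t={start}s to t={end}s "
              f"(peak {max(SAMPLES[start:end + 1]):,} pps)")
```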