Last Updated: 2013-03-27 14:18:31 UTC
by Rob VandenBrink (Version: 1)
I recently had the privilege of advising on a SANS Gold Paper (GCIA) for Michael Dyrmose, titled "Beating the IPS" ( http://www.sans.org/reading_room/whitepapers/intrusion/beating-ips_34137 ). In the paper, Micheal uses basic IPS evasion techniques to test the capabilities of many of the "major vendor" IPS Systems. To be as fair as possible, Michael targeted the MS08-067 vulnerability, the security flaw that Conficker took advantage of - every IPS on the planet should be able to handle that, right?
The verdict? If you are running a penetration test (and so have permission), once you realize that there's an IPS in play, evading it is as simple as trying. Without exception, if the first evasion method didn't succeed, the second method did. And remember, this is against one of the most well-known vulnerabilities there is.
What this illustrates is that IPS systems give you decent protection against scripted/automated attacks. Against a determined, knowledgable attacker who has the time and resources, on a good day what an IPS system does is buy you time. Time to shore up your defences, perhaps "shun" or otherwise ACL the attackers address (if they're coming from a single IP), or to deploy additional defences or countermeasures - your IPS does not (or rather, should not) stand alone as a single defence mechanism against all attacks. To that end, I'm really looking forward to John Strand's Offensive Countermeasures class at SANSFIRE this year!
So, which IPS is the best? The one you spend the time configuring and tuning for your environment. The one you are monitoring, so that you know that you are under a targetted attack. If you've configured and are monitoring an IPS, it's now an application that you know well, and can manipulate as conditions and attacks change.
What does this imply? That there is an ongoing time commitment to maintaining and monitoring the IPS. Too many times I see organizations install an IPS as a "tick-box" in their audit requirements, a one time capital expendiature with no ongoing time commitment. I try to get folks to see that they should budget at least a few weeks to get everything "just so", then 4-8 (or more) days per month forever, even for a simple IPS. For a more complex environment, it might be a full person-year, or a full team required for ongoing care and feeding of the IPS and other associated protections in front of your digital "crown jewels"
What I'd be really interested in is how you see those time estimates? If you have an IPS infrastructure, how much time per week do you commit to it? If that's not enough time, how much time do you thing would be more appropriate? Please take our survey here - http://www.surveymonkey.com/s/HD65GQC. I'll summarize the results and post them in a couple of weeks.
For a personal preference on which IPS I'd prefer, you'll need to contact me off list (hopefully over beverages), but if we've met you likely don't need to ask!
You can find more quality papers like this one in the SANS Reading Room == > http://www.sans.org/reading_room/