Which IPS is "The Best"? - SANS Internet Storm Center

Which IPS is "The Best"?
I recently had the privilege of advising on a SANS Gold Paper (GCIA) for Michael Dyrmose, titled "Beating the IPS" ( http://www.sans.org/reading_room/whitepapers/intrusion/beating-ips_34137 ). In the paper, Micheal uses basic IPS evasion techniques to test the capabilities of many of the "major vendor" IPS Systems. To be as fair as possible, Michael targeted the MS08-067 vulnerability, the security flaw that Conficker took advantage of - every IPS on the planet should be able to handle that, right? The verdict? If you are running a penetration test (and so have permission), once you realize that there's an IPS in play, evading it is as simple as trying. Without exception, if the first evasion method didn't succeed, the second method did. And remember, this is against one of the most well-known vulnerabilities there is. What this illustrates is that IPS systems give you decent protection against scripted/automated attacks. Against a determined, knowledgable attacker who has the time and resources, on a good day what an IPS system does is buy you time. Time to shore up your defences, perhaps "shun" or otherwise ACL the attackers address (if they're coming from a single IP), or to deploy additional defences or countermeasures - your IPS does not (or rather, should not) stand alone as a single defence mechanism against all attacks. To that end, I'm really looking forward to John Strand's Offensive Countermeasures class at SANSFIRE this year! So, which IPS is the best? The one you spend the time configuring and tuning for your environment. The one you are monitoring, so that you know that you are under a targetted attack. If you've configured and are monitoring an IPS, it's now an application that you know well, and can manipulate as conditions and attacks change. What does this imply? That there is an ongoing time commitment to maintaining and monitoring the IPS. Too many times I see organizations install an IPS as a "tick-box" in their audit requirements, a one time capital expendiature with no ongoing time commitment. I try to get folks to see that they should budget at least a few weeks to get everything "just so", then 4-8 (or more) days per month forever, even for a simple IPS. For a more complex environment, it might be a full person-year, or a full team required for ongoing care and feeding of the IPS and other associated protections in front of your digital "crown jewels" What I'd be really interested in is how you see those time estimates? If you have an IPS infrastructure, how much time per week do you commit to it? If that's not enough time, how much time do you thing would be more appropriate? Please take our survey here - http://www.surveymonkey.com/s/HD65GQC. I'll summarize the results and post them in a couple of weeks. For a personal preference on which IPS I'd prefer, you'll need to contact me off list (hopefully over beverages), but if we've met you likely don't need to ask! You can find more quality papers like this one in the SANS Reading Room == > http://www.sans.org/reading_room/ =============== Rob VandenBrink Metafore	Rob VandenBrink 577 Posts ISC Handler Mar 27th 2013
Thread locked Subscribe	Mar 27th 2013 9 years ago
For Cisco's IPS, just for "maintenance" activities, not analysis activities, I estimate you need at least 1 FTE in a medium service provider environment. Most acquaintances I know, and users I have met in training, do not run it in-line in IPS mode. For many good reasons. Do not get me wrong, there have been significant improvements and additions made with signatures over recent years, I am not bashing this product. You just have to deal with its strengths and weaknesses, and pure, life-cycle maintenance FTE's are needed to ensure you have minimal problems with service interruption if you decide to run it as an in-line IPS.	Patrick 2 Posts
Quote	Mar 27th 2013 9 years ago
While I applaud the author for the thorough evaluation of evading techniques, it would be more helpful to understand if he had listed the Operating System and Filter versions of each product that was evaluated. Also using more â€œrecentâ€ appliance would have been better, as at least two of the products, Checkpoint and Tipping Point, are officially End of Life.	Patrick 1 Posts
Quote	Mar 28th 2013 9 years ago
As a Cyber Security student at St. John's I have been looking at predominantly free IDPS systems to defend my network. The most straightforward system I found is EasyIDS. I also looked at AlienVault's OSSIM. In terms of evading, checkout Evader. http://evader.stonesoft.com/	MasterFU410 2 Posts
Quote	Mar 28th 2013 9 years ago
I forgot to mention Security Onion and Network Security Toolkit	MasterFU410 2 Posts
Quote	Mar 28th 2013 9 years ago

I recently had the privilege of advising on a SANS Gold Paper (GCIA) for Michael Dyrmose, titled "Beating the IPS" ( http://www.sans.org/reading_room/whitepapers/intrusion/beating-ips_34137 ). In the paper, Micheal uses basic IPS evasion techniques to test the capabilities of many of the "major vendor" IPS Systems. To be as fair as possible, Michael targeted the MS08-067 vulnerability, the security flaw that Conficker took advantage of - every IPS on the planet should be able to handle that, right?

The verdict? If you are running a penetration test (and so have permission), once you realize that there's an IPS in play, evading it is as simple as trying. Without exception, if the first evasion method didn't succeed, the second method did. And remember, this is against one of the most well-known vulnerabilities there is.

What this illustrates is that IPS systems give you decent protection against scripted/automated attacks. Against a determined, knowledgable attacker who has the time and resources, on a good day what an IPS system does is buy you time. Time to shore up your defences, perhaps "shun" or otherwise ACL the attackers address (if they're coming from a single IP), or to deploy additional defences or countermeasures - your IPS does not (or rather, should not) stand alone as a single defence mechanism against all attacks. To that end, I'm really looking forward to John Strand's Offensive Countermeasures class at SANSFIRE this year!

So, which IPS is the best? The one you spend the time configuring and tuning for your environment. The one you are monitoring, so that you know that you are under a targetted attack. If you've configured and are monitoring an IPS, it's now an application that you know well, and can manipulate as conditions and attacks change.

What does this imply? That there is an ongoing time commitment to maintaining and monitoring the IPS. Too many times I see organizations install an IPS as a "tick-box" in their audit requirements, a one time capital expendiature with no ongoing time commitment. I try to get folks to see that they should budget at least a few weeks to get everything "just so", then 4-8 (or more) days per month forever, even for a simple IPS. For a more complex environment, it might be a full person-year, or a full team required for ongoing care and feeding of the IPS and other associated protections in front of your digital "crown jewels"

What I'd be really interested in is how you see those time estimates? If you have an IPS infrastructure, how much time per week do you commit to it? If that's not enough time, how much time do you thing would be more appropriate? Please take our survey here - http://www.surveymonkey.com/s/HD65GQC. I'll summarize the results and post them in a couple of weeks.

For a personal preference on which IPS I'd prefer, you'll need to contact me off list (hopefully over beverages), but if we've met you likely don't need to ask!

You can find more quality papers like this one in the SANS Reading Room == > http://www.sans.org/reading_room/

===============
Rob VandenBrink
Metafore

Rob VandenBrink

577 Posts
ISC Handler

Mar 27th 2013

For Cisco's IPS, just for "maintenance" activities, not analysis activities, I estimate you need at least 1 FTE in a medium service provider environment. Most acquaintances I know, and users I have met in training, do not run it in-line in IPS mode. For many good reasons. Do not get me wrong, there have been significant improvements and additions made with signatures over recent years, I am not bashing this product. You just have to deal with its strengths and weaknesses, and pure, life-cycle maintenance FTE's are needed to ensure you have minimal problems with service interruption if you decide to run it as an in-line IPS.

Patrick

2 Posts

While I applaud the author for the thorough evaluation of evading techniques, it would be more helpful to understand if he had listed the Operating System and Filter versions of each product that was evaluated. Also using more â€œrecentâ€ appliance would have been better, as at least two of the products, Checkpoint and Tipping Point, are officially End of Life.

Patrick
1 Posts

As a Cyber Security student at St. John's I have been looking at predominantly free IDPS systems to defend my network. The most straightforward system I found is EasyIDS. I also looked at AlienVault's OSSIM.

In terms of evading, checkout Evader. http://evader.stonesoft.com/

MasterFU410

2 Posts

I forgot to mention Security Onion and Network Security Toolkit

MasterFU410

2 Posts