IPS - is it soup yet? Mike Chapple says yes and no
2008-05-13 20:25:13 in StillSecure, After All These Years
 

Mike Chapple over at SearchSecurity has a good article up on whether IPS is mature enough for enterprises to deploy. Some may say that Mike has been asleep at the wheel, because certainly there have been plenty of IPS appliances sold over the last 3 to 4 years. Mike comes to the same conclusion I did almost 2 years ago in this article: namely, that the selling and marketing of IPS has far outstripped the actual performance of these devices. As Chapple says, "While today's IPS devices can keep up with high-speed network connections and process rulebases more efficiently, I'm not sure that the technology itself has matured; in fact, it hasn't really changed much at all."

Just as I said back then, people today are still using IPS as IDS. In spite of what Richard Stiennon said back in 2003, it is still the fact. Those that have ventured beyond pure IDS do so on a limited basis. Mike lays out three best practices that most who are successful with IPS adopt:

  1. Run the IPS in "monitor" mode until it's clear that the system is properly tuned. We have been recommending this with our Strata Guard IDS/IPS for years. In fact we have a tuning wizard which gives you a real leg up in getting started with your tuning. In essence, though, this means that you start off not blocking anything, and only after seeing what is really happening on your network do you selectively start enabling blocking of specific types of attacks. You don't just turn on every rule to block. This advice is similar to what our best practices in NAC recommend as well.
  2. Keep the number of "block" mode rules to a small, finely tuned set. Again, this is something that has been the reasonable route for a while now. Most IPS today runs in a hybrid IDS/IPS mode. Be selective in what you want to actually block versus what you just want to alert on and/or log. Too many rules set to block will lead to failure. Being smart about which rules are set, and grouping attacks so they trigger a minimum number of rules, is key. I have seen rule sets where one kind of attack can trigger multiple signatures. This will fire more blocks than necessary and burden your system for no reason. Don't overlap your rule sets if you are using Snort!
  3. Consider using a fail-open device. Inline devices are a single point of failure. If your IPS does not offer some sort of bypass or other fail-open device, you are asking for trouble. Also, don't settle for the sales guy telling you the software or appliance is designed to fail open. In a power failure that isn't going to help. Make sure it is a self-powered bypass to be sure.
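As an added illustration of practice 2 (this is example code, not from the original post or from StillSecure), the script below audits a Snort ruleset: it counts how many rules are in a blocking mode and flags rules whose match criteria are identical, meaning one attack would fire several signatures. The rules it reads are constructed sample data, and the parser only handles the common single-line rule form.

```python
import re

# Constructed sample Snort rules (not from the original post). Rules
# 1000001 and 1000002 share the same match, so one attack fires both.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe block"; content:"cmd.exe"; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB exploit attempt"; content:"|FF|SMB"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS oversized query"; dsize:>512; sid:1000004; rev:1;)
# drop tcp any any -> $HOME_NET 22 (msg:"disabled rule"; content:"SSH-"; sid:1000005; rev:1;)
"""

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r'^(alert|drop|log|pass|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')

def parse_rules(text):
    """Parse active (non-commented) rules into dicts; unparseable lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        action, proto, _src, _sport, _dst, dport, opts = m.groups()
        sid = re.search(r'sid:\s*(\d+)', opts)
        rules.append({'action': action, 'proto': proto, 'dport': dport,
                      'sid': int(sid.group(1)) if sid else None,
                      'contents': tuple(re.findall(r'content:\s*"([^"]*)"', opts))})
    return rules

def audit(text, max_block_rules=10):
    """Count blocking rules and find rules with identical match criteria."""
    rules = parse_rules(text)
    blocking = [r['sid'] for r in rules if r['action'] in ('drop', 'reject', 'sdrop')]
    groups = {}
    for r in rules:
        if r['contents']:  # only compare rules that match on payload content
            groups.setdefault((r['proto'], r['dport'], r['contents']), []).append(r['sid'])
    overlaps = [sids for sids in groups.values() if len(sids) > 1]
    return {'total': len(rules), 'block_sids': blocking, 'overlaps': overlaps,
            'too_many_blocks': len(blocking) > max_block_rules}

if __name__ == '__main__':
    report = audit(SAMPLE_RULES)
    print(f"{report['total']} rules, {len(report['block_sids'])} blocking: {report['block_sids']}")
    for sids in report['overlaps']:
        print('overlapping signatures (one attack fires all):', sids)
```

The `max_block_rules` threshold is an assumed, site-specific budget; lower it to match how few rules you have actually tuned in monitor mode.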

All in all it was a good validation for me to read this article. I think IPS is at a critical mass of adoption today; I just don't think it has reached a critical mass of utilization yet. But progress is being made.
