IPS is dead, long live IPS!
Where is Richard Stiennon when you need him? From what I have been reading lately, the media at least seems to have really soured on IPS. Maybe we need Richard to pronounce IPS soon-to-be obsolete like he did with IDS. The latest rant I have seen was on darkReading. Entitled "IDS/IPS: Too Many Holes?", it asks whether the P in IPS stands for porous. It seems that HD Moore (of release-an-IE-vulnerability-a-day-for-a-month fame) and Brian Caswell are going to demonstrate at Black Hat how vulnerable certain IPSs are to application-level attacks. Since Brian, as far as I know, still works for Sourcefire, I assume they won't be showing the attack bypassing a Snort/Sourcefire box. If I were a betting man, I would bet they will be working on a TippingPoint box.
In any event, the article does validate some of the things I have been saying for a while now. First, most people really don't use IPS as IPS, but instead as IDS. Next, even those who do use IPS for some blocking do so very sparingly, on only a few rules. Why, you ask? A couple of reasons, I believe. One is that people don't trust these systems. Two is that despite the big bucks and fancy ASIC hardware, they still don't scale up to the kinds of bandwidth needed to do line-speed inspection and blocking. Third is that signature-based IPS does not catch all attacks and at the same time throws off lots of false positives. Fourth is that, for the most part, behavior-based IPS is still just full of beans and cannot be trusted (maybe that is why they are all becoming post-connect NAC devices). Yes, there are blended IPSs that can handle both signature and behavior, but even those are primarily signature-based with limited behavior or protocol analysis.
OK, now that I have covered the reasons IPS is dead, let me get to long live IPS. The fact is that the limited-capacity issue only comes into play if you are looking to plug IPS into your multi-gig core. There are plenty of solutions out there today that do a great job in sub-gig environments, our own Strata Guard IPS among them. Of course boys like their toys, so we tend to focus on the biggest, fastest, most expensive boxes out there, the ones trying to handle oodles of bandwidth from multiple segments. But that is not where the bread and butter is. Unfortunately, that is exactly what Gartner focuses our attention on with the silly Magic Quadrants, so we all fall over ourselves to build the red Ferrari. But most people need the Chevys, Fords and Toyotas. Today's better IPSs (again including our own Strata Guard) have actually made great strides against false positives and are much better than they used to be. As people use the devices over time, they become more comfortable and confident in what the devices can and cannot do.
The top reason you should use IPS, though: who ever said IPS was the magic bullet? At the risk of sounding corny, what about layered, defense-in-depth security? Yes, there are going to be some attacks that get by the IPS. However, it is still a vital component in a defense-in-depth, best-practices security posture. It does not live in a vacuum and you have to do more, but it is a foundational piece of security. It may live in your UTM or even in your switch soon, but you will have IPS functionality on the network.
OK, anyone want to bet me on what IPS they will evade at Black Hat?