To those expert Intrusion Analysts (particularly those with GIAC GCIA certifications), it is possible to attain near-zero false positives.
Bammkkkk said:
The vendor, noticing the angst in his customer's voice, replies with "we are working on ways to reduce 'false positives' and in the future we will use IPS technology to prevent attacks too," and thus the birth of "IDS is Dead".
Come to think of it, the famed CISSP certification is worthless with regard to this new IPS arena...
"Anyone who has used it in the last three weeks knows that claim to be false."
The idea of IPS is largely to minimize the Network Security Monitoring aspect and the bloated payrolls for those CISSP (and sorry, GIAC GCIA) guys.
Blocking would-be successful attacks is the paramount goal of a basic first-generation IPS. An admin won't even get paged for these events (along with a whole lot of other false-alarm and much less false-positive events, but in the rare case that they are feeling idle, they can even turn that pager feature on). Why bother? The IPS did its job.
TPTI does capture packets of events in libpcap v2.4 format. Pick up the PCAP file with your web browser.
TPTI's assertion is that when you drop positively identified sessions, there is no need to fill up your alarm tables with worthless, glaring eye candy on the monitoring screen (but they will log it nonetheless, and the log table listings are mouse-click multi-key sortable on any/all table columns).
Knock on the door? Who cares, ignore it. Paranoid about your rattling doorknobs? Subsequently drop them from the specific source indefinitely. Port scan? Want to block them? Go right ahead. Only for a couple of hours? Sure. Ignore ISS's and BlackICE's frequent false alarms of FTP port-scanning from AOL Instant Messaging? Yep.
My assertion is that no one needs IDS and its full datacenter-sized monitoring staff anymore. Start dropping those attack sessions. Prevent it from ever happening in the first place.
No more support calls to your IDS. No more frequent IDS field support technicians visiting your plants.
You should only get REAL ATTACK alerts. Not the "I Dunno, Sir (IDS)" nor the "I think this may or may not be an attack" alarm event.
No wonder the IDS industry is being supplanted by IPS.
One CTO at a well-known Maryland-based HIDS company stated to me personally that it is impossible to attain 0% false positives. I agreed totally on this point BUT...
Would the customer settle for something like one minus point nine nines (0.0000001%)?
Bammkkkk said:
TPTI (and many other IPS and IDS vendors) are restraining themselves from stating 0% false positives because it is tantamount to false advertising. But this would be purty darn good, wouldn't it?
Now, TPTI (IPS) customers aren't complaining about this issue at all, AFAICT. I wonder why IDS customers are still complaining?
I've got one possible answer... It must be a Trade Secret.
Bammkkkk,
IDS and FW have already tied for the 2004 Darwinism Award for not applying Moore's Law consistently toward themselves. They simply fell off the chart and have not been able to hold a lighted candle to IPS.
TPTI cooked up and delivered IPS in 2001-2002. (You say IDS vendors gathered in just in 2003? Sheesh... no wonder; it's a response to the surprise evolutionary newcomer, IPS.)
IDS and Layer 4-7 firewalls deftly merged together, along with many more HW-based analysis algorithms, to become a true inline IPS (or more correctly, NIPS).
A Layer 4-7 firewall has its limitation in how many content filters such a firewall can do before it becomes CPU-bound. A small-scale HW-bound FW (e.g., Netscreen) tends to overheat (and thus may probably demand cooling fans, and maybe later cryogenic cooling?) when you start piling up memory to hold more than a couple hundred unanchored/floating content search patterns. (Hence, our "1000-watt" hardware problem.) TPTI handles at least an advertised 1800 working filters (but their signature database and hardware capacity is far bigger, and my TPTI employment NDA requires that this be left unstated).
One of many IDSes' limitations was the lack of multiple state-tracking algorithms, particularly multi-layer state-tracking tables (i.e., cookie state over HTTP state over 5-tuple state). Try doing that at 5 gigabits per second.
So, fork or no fork, no marketing angle was needed to tout IPS. It was evolutionary and natural.
As to your assertion that IPS failed? Recheck various conferences on this (RSA, MILCOM...). IPS has been off to a roaring start since 2001, doubling each year.
Just an appropriate application and merger of new technologies justified such a new moniker: Prevention, as in Intrusion Prevention System.
Let me rephrase my first post's statement:
IDS/FW is truly dead. Stop beating a dead horse. Get over it, bud. IPS is your savior.
Even the SANS GIAC GCIA (Intrusion Analyst) certification is trying to evolve to meet this new IPS technology, but until TPTI releases the ability to let end users customize filters, the certification would be essentially worthless. Just too many IPS technological curves for the ordinary IA guys to keep up with. Really!
It is tantamount to handing the wheel of a Formula 500 car over to a 15 1/2-year-old testosterone-laden lad without supervision. This isn't your grandfather's car anymore. It's a whole new world of Intrusion Analysis out there.
Tee-hee.
Forget Gartner's glibs.
How come TPTI doesn't generate false positives? (Never once did I see one during my Petabit testing tenure there, and that is a fact; but the real mask behind the truth is that I was testing for solid lead filters, not the shaky vacuous filters that TPTI customers still want, but these shaky filters are not of real value and predominantly plague SNORT.)
Locking down Network Resources with a sledgehammer is not the answer, controlling them with a surgeon's knife is.
Apparently, they have something working right.
With IDS technology lagging today, several IPS vendors stepped in with several technological enhancements toward IDS.
But the key issue confronting the IDS industry today is the lack of functional cohesion (or double-speak for functional capabilities working together).
Some of the basic building blocks of a network-based inline IPS feature set that need to work together perfectly are:
1. Host-OS-based anomaly decision. Both passive and active scans are recommended to be on by default.
2. Deep high-speed REGEX support. Some REGEX chip markets didn't materialize as robustly as they should have (SafeNet/Raqia).
3. Large-scale TCP connection tracking. This has to work at high speed as well. Goes to protect against DoS, unwarranted connections, and termination of a pattern hit's connection.
4. Anchored, unanchored and floating pattern-match hardware assists need to work together to cover the variety of algorithms set forth today. This would be a current "1000-watt" hardware issue.
5. The basic issue of quick sub-millisecond table updates of content-search memory remains undauntedly elusive. Most H/W content-search engines require intensive compilation of the fancy tr[e|i]e algorithms floating around.
How about weaning yourself off SNORT and start coalescing these incoherent IDS functional cohesions into an IPS?
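As an added illustration of the building blocks listed above (5-tuple connection tracking, anchored versus floating content filters) together with the drop-and-log behaviour described earlier in the thread (drop the positively identified session, log it, keep the packets in libpcap 2.4 format, block a port scanner for a couple of hours), here is a toy inline engine. It is example code written for this page, not TippingPoint's product or filters; the filter patterns, port-scan thresholds, block duration and all traffic are constructed for the demo, and the hardware-assist parts of the real thing are simply a Python regex here.

```python
"""Toy inline IPS (added example, not vendor code): 5-tuple TCP session table,
anchored and floating content filters, drop-and-log with pcap 2.4 output,
and a temporary block for sources that look like port scanners."""
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101          # raw IP packet, no link-layer header


def pcap_global_header(snaplen=65535):
    # libpcap file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_RAW)


def pcap_record(ts_sec, ts_usec, data):
    # per-packet record: ts_sec, ts_usec, incl_len, orig_len, then the raw bytes
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data


class Filter:
    def __init__(self, name, pattern, anchored, action="drop"):
        self.name = name
        self.regex = re.compile(pattern, re.DOTALL)
        self.anchored = anchored     # anchored: must match at payload offset 0
        self.action = action         # "drop" = positive ID; "alert" = IDS-style notice only

    def hit(self, payload):
        m = self.regex.match(payload) if self.anchored else self.regex.search(payload)
        return m is not None


class InlineIPS:
    def __init__(self, filters, scan_ports=10, scan_window=5.0, block_seconds=7200):
        self.filters = filters
        self.dropped = {}                    # 5-tuple -> filter name for sessions already dropped
        self.syn_seen = defaultdict(list)    # src -> [(ts, dport)] recent bare SYNs
        self.blocked_until = {}              # src -> time when the block expires
        self.scan_ports = scan_ports         # distinct ports inside scan_window that count as a scan
        self.scan_window = scan_window
        self.block_seconds = block_seconds   # "only for a couple of hours"
        self.log = []                        # every verdict: (ts, verdict, reason, key)
        self.alerts = []                     # alert-only hits on traffic that was forwarded
        self.pcap = bytearray(pcap_global_header())

    def _record(self, ts, verdict, reason, key, raw):
        self.log.append((ts, verdict, reason, key))
        if verdict == "drop":                # only dropped packets go into the capture file
            self.pcap += pcap_record(int(ts), int(round((ts % 1) * 1e6)), raw)
        return verdict

    def _is_scanner(self, ts, src, dport):
        recent = [(t, p) for t, p in self.syn_seen[src] if ts - t <= self.scan_window]
        recent.append((ts, dport))
        self.syn_seen[src] = recent
        return len({p for _, p in recent}) >= self.scan_ports

    def process(self, ts, src, sport, dst, dport, flags, payload, raw=b""):
        """Verdict for one TCP segment: 'forward' or 'drop'."""
        key = (src, sport, dst, dport)
        if self.blocked_until.get(src, 0.0) > ts:
            return self._record(ts, "drop", "blocked-source", key, raw)
        if key in self.dropped:              # session already dropped stays dropped
            return self._record(ts, "drop", "session:" + self.dropped[key], key, raw)
        if "S" in flags and "A" not in flags and self._is_scanner(ts, src, dport):
            self.blocked_until[src] = ts + self.block_seconds
            return self._record(ts, "drop", "port-scan", key, raw)
        for f in self.filters:
            if payload and f.hit(payload):
                if f.action == "drop":
                    self.dropped[key] = f.name
                    return self._record(ts, "drop", f.name, key, raw)
                self.alerts.append((ts, f.name, key))   # noted, but the packet still flows
        return self._record(ts, "forward", "", key, raw)


def demo():
    # constructed filters and traffic for the demo
    ips = InlineIPS([
        Filter("http-parent-dir-traversal", rb"GET [^ ]*\.\./", anchored=True),
        Filter("shell-metachar-in-uri", rb"[;|`]", anchored=False, action="alert"),
    ])
    h = ("10.0.0.9", 80)
    v_ok = ips.process(1.0, "10.0.0.5", 40000, *h, "PA", b"GET /index.html HTTP/1.0\r\n")
    v_hit = ips.process(1.1, "10.0.0.5", 40001, *h, "PA", b"GET /../../etc/passwd HTTP/1.0\r\n", b"\x45" * 40)
    v_same = ips.process(1.2, "10.0.0.5", 40001, *h, "PA", b"Host: x\r\n", b"\x45" * 40)
    v_alert = ips.process(1.3, "10.0.0.5", 40002, *h, "PA", b"GET /cgi-bin/x?a=1;id HTTP/1.0\r\n")
    scan = [ips.process(2.0 + i / 100, "10.0.0.7", 50000 + i, "10.0.0.9", 1 + i, "S", b"") for i in range(10)]
    v_later = ips.process(3.0, "10.0.0.7", 51000, *h, "S", b"")
    return {"ok": v_ok, "hit": v_hit, "same": v_same, "alert": v_alert,
            "scan": scan, "later": v_later, "ips": ips}


if __name__ == "__main__":
    r = demo()
    print({k: v for k, v in r.items() if k != "ips"}, len(r["ips"].pcap), "pcap bytes")
```

The point the engine makes is the one the thread argues about: the traversal filter is a positive identification, so its session is dropped and only logged, and every later segment of that 5-tuple is dropped without being re-inspected; the metacharacter filter is the "shaky" kind, so it only alerts and the request goes through. Write `ips.pcap` to a file and any pcap reader will open it.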
Oooh. Someone (prob'ly from the IDS industry) has to be rather sore to hear the words "IDS is dead."
Cheap shot, modding me down.
For the uninitiated, IPS stands for Intrusion Prevention System. What's the main difference?
#1) IDS doesn't block bad traffic. IPS does.
#2) IPS handles anomaly variants, IDS doesn't.
IPS is a new technological way of filtering traffic, over the simple brain-dead IDS method.
You need to visit many of TippingPoint's white papers to get the gist. (Registration req. Just fake your email... I know, this is not an official endorsement, but I used to write IPS filters for them, and my working real-world experience shows that their IPS filters are more effective than any of Snort's filters.)
I would love to write more IPS variant-resistant filters for SNORT, but I'm afraid to tread on TPTI's handiwork (much less if I step on the same filter). Nonetheless, the defense industry picked me up. Go figure.
IDS is truly dead. Stop beating a dead horse. Get over it, bud. IPS is your savior.
In ST:Generations, the saucer separation occurred and demonstrated a mild-powered, explosion-induced glide (or should I say fiery glide?) through the Veridian III atmosphere.
Also, ST:Voyager episode 201 shows Voyager crash-landing on an ice planet.
ST:Voyager #192 (Demon) shows a graceful landing on a demon planet.
The primary reason for DomainKeys' HUGE advantage over SPF is to prevent spammers from fishing for a valid username (for more spamming).
With SPF, a spammer (and other evil deities) can perform trial-and-error DNS (starting with a basic dictionary, then a rolling odometer attack) for a successful username with brute force.
With DomainKeys, you must compute the SHA1-MD5, and even then, you may or may not get a valid username.
I prefer SPF as a short-term protection, whereas DomainKeys is the more correct solution.
I'm deaf, you insensitive clod!
An industry analyst not directly influenced by the Linux community.
Can we find any other analyst with similar undue influences from the other O/S vendors?
The Americans with Disabilities Act governs the right to secure a hardcopy of telephone conversations through relay services.
This bill will die quicker than you can say one tap, two tap, three tap, floored!
- X10 controller
- SmartHome.Com
- web-based X10 controller
- Complete listing of X10 software
- Linux-based HomeVision
- GNU Automaton
- an established IPv6 tunnel with your own IPv6 address subnet (it's a whole new world out there)
- SMS server for your cell-phone (good with X10)
- X10 event to your SMS phone (via paging)
- Control X10 from your WAP cellphone
- Mobile IP server for your roving laptop
and as a tribute to the fabled CMU Trojan Room Coffee webcam lore... Coffee Maker (this one badly needs a Java-Dispenser SNMP agent)
We're almost there...
You mean Microsoft needs to stop adding features like:
1. BSOD
2. Microsoft Bob
3. Clippy
4. DMCA
5. Palladium
6. Outlook Express
7. Sharepoint
Their marketing focus has too much of a stranglehold on their development force (or lack thereof).
And I'll show Microsoft a bigger market!
Until then, I'll stick with BSD, Solaris and Linux.
WHAT? Are you NUTS!?
It's bad enough that we have to goad the employee to wash their hands EVERY time.
Now, who is going to wash the palm readers?
This is the multiplier effect that we don't need in a food-preparation setting.
Besides, how do we revoke our very own biometrics if someone fudges the database to imitate another's?
Need I say that anti-spam applications, networked printers, mail forwarders and mobile IP users hung because of these highly modified genetic root servers?
Should I point out that MAE-West traffic actually shot up because spammers were having a wonderful and rare day of unfettered spamming?
He must be smoking crack...
How does getting a bigger cubicle farm work for the beleaguered PTO analysts?
I hope most everyone agrees with me, but I work better in a real tight cubby hole with a stool and a glowing 21" flat CRT screen.
Bigger cubes mean lower productivity.
Einstein proved it!
Kinda like Tripwire, Symantec Anti-Virus, Red Hat Enterprise Linux's dynamic relocatable addresses to fight worms, OpenBSD StackGhost and ZoneAlarm Firewall all rolled into one.
Once implemented, we should see a dramatic change in the network security world: less of an IDS/IPS/IDPS business model.
The last frontier would then be social engineering hack prevention.
Mark Mah Words
Shoot.
How the heck am I going to determine if my kids have been:
1. speeding
2. not wearing seatbelt
3. popping air-bags
4. drifting
5. figure-eighting
6. parking off a secluded roadside
Big brother, I miss ya!
The burden of proof is to maintain a working SMTP mail server that properly stamps each and every email with the various SMTP headers, which include the following information:
1. Sender's IP address (critical!)
2. Sender's reverse DNS name (time perspective)
3. Sender's SMTP EHLO (useful if syntactically enforced)
4. Sender's purported "From:" (helps to state sender's intent; "Am I forging or not?")
This information should be readily available and stamped each and every time an email is received by the mail server.
With this information, it goes to prove whether the email is really SPAM or not.
(Me? I always validate the "From:" against the sender's IP and drop them if they don't match via reverse DNS. Never mind the roving laptops and web mail portals; they should use Mobile IPv6.)
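The check the comment above describes, as an added example written for this page rather than the commenter's own setup: read the receiving MTA's own Received: stamp for the four facts listed (sender IP, stamped reverse name, EHLO, purported From:), enforce EHLO syntax, do forward-confirmed reverse DNS on the IP, and drop when the From: domain does not match the confirmed reverse name. The Received: line format, the PTR/A tables and every message are constructed so it runs offline; a live check would replace the tables with socket.gethostbyaddr() and socket.gethostbyname_ex() lookups. Note the caveat the comment itself admits: this rule also rejects mail from roaming users and forwarders whose sending IP does not reverse-resolve into the From: domain.

```python
"""Added example: validate an inbound message's sender IP, reverse DNS, EHLO
and From: against each other, with forward-confirmed reverse DNS.
DNS answers come from constructed tables so the code runs offline."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins for PTR and A records (assumption: not live DNS).
PTR = {
    "198.51.100.25": "mail.example.org",
    "203.0.113.7": "mail.example.org",   # PTR claims a name that does not point back
}
A = {
    "mail.example.org": {"198.51.100.25"},
}

# Our own MTA's stamp is assumed to look like: "from <EHLO> (<rDNS or unknown> [<ip>])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<ehlo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)", re.I)
# Syntax-enforced EHLO: a dotted hostname or an IPv4 address literal
EHLO_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$|^\[\d{1,3}(?:\.\d{1,3}){3}\]$", re.I)


def parse_stamp(raw_message):
    """Pull sender IP, stamped rDNS, EHLO and From: domain from the top Received: header."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[0].replace("\n", " ")) if received else None
    if m is None:
        return None
    from_addr = parseaddr(msg.get("From", ""))[1]
    return {"ehlo": m["ehlo"], "rdns_stamped": m["rdns"], "ip": m["ip"],
            "from_domain": from_addr.rpartition("@")[2].lower()}


def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name must have an A record back to ip."""
    name = PTR.get(ip)
    if name is None:
        return None, "no-ptr"
    if ip not in A.get(name.lower(), set()):
        return name, "ptr-not-confirmed"      # forged or stale PTR
    return name.lower(), "ok"


def verdict(raw_message):
    """Return ('accept'|'drop', reason) for one raw message."""
    info = parse_stamp(raw_message)
    if info is None:
        return "drop", "no-usable-received"
    if not EHLO_RE.match(info["ehlo"]):
        return "drop", "ehlo-syntax"
    name, status = fcrdns(info["ip"])
    if status != "ok":
        return "drop", status
    fd = info["from_domain"]
    if not fd or not (name == fd or name.endswith("." + fd)):
        return "drop", f"from-domain {fd!r} does not match rdns {name!r}"
    return "accept", "ok"


def _msg(received, sender):
    # constructed message; the first Received: line is the one our MTA wrote
    return (f"Received: {received}\n\tby mx.example.net with ESMTP; Mon, 1 Mar 2004 10:00:00 +0000\n"
            f"From: {sender}\nTo: bob@example.net\nSubject: test\n\nhello\n")


SAMPLES = {
    "clean": _msg("from mail.example.org (mail.example.org [198.51.100.25])", "alice@example.org"),
    "forged_ptr": _msg("from mail.example.org (mail.example.org [203.0.113.7])", "alice@example.org"),
    "no_ptr": _msg("from host.attacker.example (unknown [192.0.2.44])", "alice@example.org"),
    "bad_ehlo": _msg("from friend (unknown [192.0.2.44])", "alice@example.org"),
    "from_mismatch": _msg("from mail.example.org (mail.example.org [198.51.100.25])", "ceo@bank.example"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14s} -> {verdict(raw)}")
```

Only the topmost Received: header is trusted, because that is the one this server wrote; everything below it was supplied by the sender and can say anything. The forward confirmation step matters: whoever controls the reverse zone for 203.0.113.7 can publish any PTR name, so the name is only believed once it resolves back to the connecting IP.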
Oh, the way I see it, it is for some anonymous anti-terrorist-related tracking government agency to look for some kind of needle in the haystack.
What better way to do this than to capture all of the mistyped domain names? Or those that are running their own root DNS servers and catching those that forget to enter the correct root server addresses?
My two cents' worth on Verisign's boondoggle.
The operating system vendors should face the music.
If the U.S. Federal government mandates automobile recalls because of some faulty protection system, exceeding expected normal operation, or a rusted-through "firewall", then the same should apply toward operating systems, be they Microsoft, Linux or Unix-based.
The IEEE Standards Association, IEEE Information Assurance, IEEE Computer Society and IEEE Baseline Operating System Specification Working Group (BOSSWG) have initiated a call for definitions of a new operating system intended to securely control nearly all aspects of the operating system (including root).
Kinda sounds like Common Criteria, doesn't it? Hopefully better.