IDS and IPS systems and their effectiveness in repelling penetration tests
I argue that IDS and IPS systems, by default, are of little use as protection against targeted, focused penetration attempts. While some of these systems provide the means to do so, the lack of processes, routines, a human mind, eyes and actions cripples them.
Here's an interview that highlights these systems' inability to do just that. From the interview:
In the majority of cases, they [read: IDS/IPS] just don't end up doing what they were purchased for. An easy test that most fail is with basic port scans (that almost all are configured to pick up). We assume most are picking up "loud" scans (really fast and obvious scans with no attempt to be sneaky about what we are doing), but few people are pulling us up on this. (Keep in mind, with a majority of our tests, we recommend that clients don't tell the operations team responsible for monitoring these devices that we are going to test – thereby, we also test the response effectiveness).
Validation and feedback are among the pillars of security. They are the only way these solutions provide security assurance; they don't do that right out of the box.
This is also spot on:
An IPS only forces the attacker to know their exploits better, and take things slower. For instance, an IPS may drop all packets that have NOP sleds in them (0x909090 etc.) which is used in a lot of (kind of sloppy) buffer overflows. It is however possible for an attacker to stop the IPS from seeing this.
What fails here, as well as in the earlier port-scan example, is the lack of response. Any alert or action that results from a targeted penetration attempt should be followed by watchlisting the relevant IPs and looking for further signs and attempts, possibly by capturing flow data, full content data and other types of logs. Blocking shouldn't be limited to the specific session that carries the exploit, but, more importantly, should cover any following traffic from that source. That will make the assessor work for their money.
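As an added example (not code from the original post), here is a small Python follow-up routine over constructed Snort-style alert lines (the rule ids, addresses and timestamps are made up) that implements the response described above: a source is watchlisted on its first alert, and all further traffic from it is marked for blocking on a repeat alert or on an exploit-class alert, rather than only the session that carried the exploit.

```python
"""Stateful follow-up on IDS alerts: watchlist first, then block the source."""
import re
from dataclasses import dataclass, field

# Constructed sample alerts in a Snort "fast"-like format; ids and hosts are made up.
SAMPLE_ALERTS = """\
11/15-22:01:03.120 [**] [1:100001:1] SCAN SYN sweep [**] [Priority: 2] {TCP} 203.0.113.5:41234 -> 198.51.100.10:22
11/15-22:01:03.200 [**] [1:100001:1] SCAN SYN sweep [**] [Priority: 2] {TCP} 203.0.113.5:41235 -> 198.51.100.10:80
11/15-22:03:40.510 [**] [1:100002:1] SHELLCODE x86 NOOP sled [**] [Priority: 1] {TCP} 203.0.113.5:41300 -> 198.51.100.10:80
11/15-22:05:12.000 [**] [1:100003:1] WEB suspicious user-agent [**] [Priority: 3] {TCP} 192.0.2.77:51000 -> 198.51.100.10:80
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Watch:
    first_seen: str
    alerts: list = field(default_factory=list)
    # "watch": capture flow/full content from this source; "block": drop all its traffic
    action: str = "watch"


def follow_up(alert_text):
    """Return per-source decisions keyed by source IP.

    First alert from a source -> watchlist it. A further alert while it is on
    the watchlist, or any Priority-1 (exploit-class) alert, escalates to
    blocking every following packet from that source, not just one session.
    """
    state = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess at fields
        src, msg, prio = m["src"], m["msg"], int(m["prio"])
        w = state.get(src)
        if w is None:
            w = state[src] = Watch(first_seen=m["ts"])
        else:
            w.action = "block"  # repeat activity from a watchlisted source
        w.alerts.append(msg)
        if prio == 1:
            w.action = "block"  # exploit attempt: block the source outright
    return state


def blocked_sources(state):
    """Sorted list of source IPs whose following traffic should be dropped."""
    return sorted(ip for ip, w in state.items() if w.action == "block")
```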

16. November 2007 at 00:02
[…] to yesterday's post entitled IDS and IPS systems and their effectiveness in repelling penetration tests, Network World recently conducted a review of the prevention ratio of IPS:s which are a part of […]
22. November 2007 at 00:52
[…] The failure to combat these is why some argue that DLP solutions are limited to preventing mistakes, rather than intentional leaks. I suppose issues with credit-card and identity theft are driving companies to invest in these solutions, and the belief that these systems will act as another layer when their intrusion prevention systems fail on them. […]
17. December 2007 at 23:31
[…] This kind of threat-centric approach is what most Intrusion Prevention technologies lack. Common IPS:s function as authentication systems without the threat-centric part; they block individual attacks but passively let the intruder keep trying until he crafts an exploit that slips through. Good examples are solutions that correlate alerts with vulnerability information of the target (which ISS does) in order to decide what to block. They forget to question whether the activity itself is acceptable. Just because the webserver runs Apache, all attempts at exploiting it as an IIS are ok? Or just because that particular vulnerability isn't present in this version of Apache, the activity is ok? This kind of thinking is, for example, what causes IPS implementations to fail at repelling penetration tests. […]