Wednesday, January 31, 2007

IPS algorithms...

Comments on "Outer limits on IPS article at Dark Reading"

http://www.darkreading.com/blog.asp?blog_sectionid=403&WT.svl=blogger1_3

The author makes some good points about the limitations of IPSes. However, IPSes are not as useless as he claims. IPSes today use a variety of methods to prevent attacks. Signatures are used to block known "bad stuff". It is true that the attacker can change his "bad stuff" to evade existing signatures, but eventually the signatures get updated and the attack is limited, if not completely stopped.

Meanwhile, anomaly detection is used to counter new attacks that don't have signatures yet. There are two types of anomaly detection (actually three, if you include host behavioral anomaly detection): protocol anomaly detection and network behavioral anomaly detection. The first works quite well at blocking worms, because most worms spread via buffer overflows: checking network traffic for "too long" protocol fields and for other things like "executable code" in data fields will block most current worms. The second technique, behavioral anomaly detection, is useful for detecting port scans (too many failed connections), password-guessing attempts (too many failed login attempts), etc., but many vendors are using it to detect things like high bandwidth usage, which will have too many false positives, as the author correctly points out.
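The two anomaly-detection techniques described above, as an added example that is not part of the original post: a protocol anomaly check that flags "too long" fields and NOP-sled bytes in an HTTP-style request, and a sliding-window failure counter that flags port scans (too many refused connections) and password guessing (too many failed logins). The thresholds, the window sizes and the sample log lines are constructed for illustration, not values from the post or any vendor's product.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the original post): a URI or header value
# longer than this is treated as a "too long" protocol field.
MAX_FIELD_LEN = 256
# A run of x86 NOP bytes is the classic heuristic for "executable code in a data field".
NOP_SLED = b"\x90" * 16


def protocol_anomalies(request: bytes) -> list[str]:
    """Protocol anomaly detection on one HTTP-style request.

    Flags an overlong request-URI or header value and NOP-sled bytes in
    either the headers or the body. Returns a list of findings (empty = clean).
    """
    findings = []
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0] if lines else b""
    parts = request_line.split(b" ")
    if len(parts) >= 2 and len(parts[1]) > MAX_FIELD_LEN:
        findings.append(f"overlong URI ({len(parts[1])} bytes)")
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        value = value.strip()
        if len(value) > MAX_FIELD_LEN:
            findings.append(
                f"overlong header {name.decode(errors='replace')} ({len(value)} bytes)"
            )
    if NOP_SLED in head or NOP_SLED in body:
        findings.append("NOP sled in data field")
    return findings


class FailureCounter:
    """Sliding-window counter for behavioral anomaly detection.

    record() returns True once a source has more than `threshold` failures
    within the last `window` seconds.
    """

    def __init__(self, threshold: int, window: float):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)

    def record(self, src: str, ts: float) -> bool:
        q = self.events[src]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold


# Constructed sample logs: "<ts> <src> <dst:port> <result>" for connections
# and "<ts> <src> <user> <result>" for logins.
CONN_LOG = [f"{t} 10.0.0.5 192.168.1.10:{21 + t} REFUSED" for t in range(8)] + [
    "2 10.0.0.9 192.168.1.10:80 REFUSED",
    "3 10.0.0.9 192.168.1.10:443 REFUSED",
    "4 10.0.0.9 192.168.1.10:22 OK",
]
LOGIN_LOG = [f"{t} 10.0.0.7 alice FAIL" for t in range(6)] + [
    "1 10.0.0.8 bob FAIL",
    "2 10.0.0.8 bob FAIL",
    "3 10.0.0.8 bob OK",
]


def flag_sources(log_lines, threshold, window, failure):
    """Return the sources that exceed `threshold` failures inside a `window`-second span."""
    counter = FailureCounter(threshold, window)
    flagged = set()
    for line in log_lines:
        ts, src, _, result = line.split()
        if result == failure and counter.record(src, float(ts)):
            flagged.add(src)
    return sorted(flagged)


def port_scanners(log_lines=CONN_LOG):
    # Port scan: too many refused connections from one source.
    return flag_sources(log_lines, threshold=5, window=10, failure="REFUSED")


def password_guessers(log_lines=LOGIN_LOG):
    # Password guessing: too many failed logins from one source.
    return flag_sources(log_lines, threshold=4, window=30, failure="FAIL")


if __name__ == "__main__":
    print(protocol_anomalies(b"GET /" + b"A" * 400 + b" HTTP/1.1\r\nHost: x\r\n\r\n"))
    print(port_scanners(), password_guessers())
```

Both detectors share the same weakness the post attributes to bandwidth-based rules: the threshold is a guess, and a legitimate client that retries often or a proxy that fronts many users will cross it, so the window and threshold have to be tuned per environment before the output is used to block rather than merely alert.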





3 comments:

Anonymous said...

Umm, not really. Most signatures in good products are vulnerability based so even if you change the attack it still gets stopped. And no IPS vendor worth their beans is relying on behavioral techniques. My 2 cents.

Mohit said...

That is right. Thanks Anonymous.

Anonymous said...

Actually, good signatures in most products are based on vulnerabilities rather than attacks. But most signatures target an attack and most variants. The signature is, of course, limited by the capabilities of the IPS. If the IPS can't understand the application the attack is targeting, one has to write generic signatures. That is why even Snort has many signatures which are more attack specific. It will remain this way, till Snort can do a deeper inspection.

Z