
2000 is calling, they want their news back: "IPSs need tuning"

ORLY? Dark Reading published a new article yesterday based on a (non-public, not free) report from NSS Labs. Apparently the report says that intrusion prevention systems need tuning.

I hope this isn't news for anybody who has been in infosec for more than a few years.

And if anybody is selling these devices to customers without making this clear to them, they are doing a huge disservice and should be publicly beaten.

No matter what vendor marketing says, IDS and IPS products have to be tuned: a vendor doesn't know what's on your network, so a stock signature set will fire on traffic that is normal for you and stay silent on things that matter to you. And no matter what the marketing says, those systems also take a good amount of ongoing management. Someone has to review the alerts and keep tuning as new traffic types appear on your network and old ones disappear.
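As an added illustration of that review-and-tune loop (example code written for this page, not anything from the Dark Reading article or the NSS Labs report), the script below reads Snort 2 "fast"-format alert lines, ranks the noisiest signatures, and proposes `suppress` entries in Snort 2 threshold.conf syntax for signatures where a single source host accounts for nearly all of the hits. The sample alert lines are constructed for the example, SID 1000001 is a hypothetical local rule, and the "dominance" heuristic is this example's own, not a Snort feature.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alert lines in Snort 2 "fast" output format. These are made
# up for this example (not captured traffic); 1:1000001 is a hypothetical local
# rule in the local SID range. One deliberately malformed line is included to
# show that the parser skips it rather than crashing.
SAMPLE_ALERTS = """\
01/17-10:15:02.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
01/17-10:15:09.555123  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.11:51240
01/17-10:16:44.000010  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.12:51301
01/17-10:17:01.818181  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.13:51399
01/17-10:18:30.000000  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.10:4455 -> 192.168.1.20:22
01/17-10:18:31.000000  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.11:4456 -> 192.168.1.20:22
01/17-10:18:32.000000  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.12:4457 -> 192.168.1.20:22
01/17-10:19:00.250000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
this line is garbage and should be ignored by the parser
"""

# One Snort 2 fast-format alert per line. Ports are optional so that ICMP
# alerts (no ports) parse the same way as TCP/UDP ones.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def noisiest_signatures(alerts, top=5):
    """Signatures ranked by hit count: the first place to look when tuning."""
    counts = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    return counts.most_common(top)


def suppression_candidates(alerts, min_hits=3, dominance=0.8):
    """Propose Snort 2 threshold.conf 'suppress' lines for signatures where one
    source host produced at least `dominance` of all hits and the signature
    fired at least `min_hits` times. Suppressing by source keeps the rule live
    for every other host; these are candidates for an analyst to review, not
    changes to apply blindly."""
    by_sig = defaultdict(Counter)
    for a in alerts:
        by_sig[(a["gid"], a["sid"])][a["src"]] += 1
    lines = []
    for (gid, sid), srcs in sorted(by_sig.items()):
        total = sum(srcs.values())
        if total < min_hits:
            continue
        src, hits = srcs.most_common(1)[0]
        if hits / total >= dominance:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return lines


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"parsed {len(alerts)} alerts")
    for (gid, sid, msg), n in noisiest_signatures(alerts):
        print(f"{n:5d}  [{gid}:{sid}] {msg}")
    print("\n# candidate threshold.conf entries (review before applying):")
    for line in suppression_candidates(alerts):
        print(line)
```

On the constructed sample, the GPL ATTACK_RESPONSE rule is the noisiest and fires only from 10.0.0.5, so it is proposed as a by-source suppression; the local rule fires from three different hosts and is left alone, which is the behaviour you want: a signature hit by many distinct sources is a detection, not noise. Rerunning this over the last week of alerts is the "continue tuning" part of the job.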

How about a more appropriate question: are IDS/IPS worth the effort?

This is the type of question companies actually want answered. The answer is not simple, unfortunately. Questions to consider include:

  • Where is the IPS in our network? (This is the ongoing "religious question": some want sensors listening everywhere, some only in front of the most critical assets. There are valid reasons for both.)
  • How important is the network you are trying to protect?
  • Is it more valuable to detect malicious network traffic, or a compromised machine?

If a client asked me for one question around which to frame the discussion, the last one is it.  I think of IDS/IPS as "research": it allows me to be informed about what's happening on my network, which I do believe all enterprises should have a good understanding of.  But tcpdump, ntop, MRTG and similar tools already provide that basic research information, and frequently it is not worth spending thousands of dollars on a commercial product to get more of it.  On the other hand, I always want to know when a system has been compromised, and as soon as possible.

On a highly secured network I might deploy network IDS/IPS, host-based IDS and log monitoring, with some form of centralized management/correlation over that.  On a small to medium company's network, I focus resources on keeping systems patched, up-to-date, and in compliance with a corporate security policy. Once the basics are in place, then look at things like IPS.