Ptacek on IDS/IPS

Thomas Ptacek over at Matasano Chargen has strong opinions against IDS/IPS and has some valid points but his fundamental argument is wrong. When Thomas stated the following, he made it clear (to me anyway) that he is just dramatizing the issue:

“Can you actually address the argument I really made? I know a whole bunch of my readers can (and probably will, with expletives).”

The argument he’s referring to is this:

“Intrusion detection has been an active field of research for over 15 years now and apart from Tripwire I can’t point to anything operationally valuable it has produced.”

The Honeynet project owes an awful lot to research done with Snort and I argue that Honeynet is one of the most important security research projects the security community has going.

Thomas later added that although he knows others buy into IDS/IPS and he respects their opinion, he still plans on “ruthlessly transmitting” his opinion.

My question is: to what purpose? We get the point; he thinks IDS/IPS is useless and I ruthlessly disagree. =)

I can give at least one real-world case of IDS saving MY bacon: We had a laptop compromised with the Blaster worm. That laptop was then placed on our network and our IDS alerted us that it was scanning dark subnets in our environment. We isolated the host, corrected the compromise and prevented an outbreak on our unpatched network.

Here’s another one: a host compromised by a bot, which then tried to contact a C&C channel. The IDS alerted us on the IRC attempt and we again isolated the host and corrected the compromise and prevented any number of bad things: leakage of proprietary data, liability for upstream attacks, additional internal compromises, etc.

Granted, Thomas doesn’t want to hear about mere bot compromises but in the real world, those bots can and do wreak havoc on a network and tax local IT departments, especially if they’ve been allowed to run unchecked for any amount of time.
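The two alerts above (a host sweeping dark address space, and a host reaching out to an IRC C&C) are simple enough to rebuild as flow-record checks. The code below is an added example, not code from the original post; it assumes flow records arrive as (src, dst, dst_port) tuples, that the dark-subnet list, internal range and IRC port list are site policy, and that five distinct dark addresses is the sweep threshold.

```python
"""Rebuild the two detections from the post over constructed flow records."""
import ipaddress
from collections import defaultdict

# Constructed site policy: internal ranges that are routed but hold no live hosts.
DARK_SUBNETS = [ipaddress.ip_network("10.9.0.0/16"),
                ipaddress.ip_network("10.12.0.0/16")]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
IRC_PORTS = {6667, 6668, 6669}

# Constructed sample flows: an infected laptop sweeping TCP/135 into dark space,
# a bot reaching an external IRC server, and ordinary traffic that must not alert.
SAMPLE_FLOWS = (
    [("10.1.5.23", f"10.9.0.{i}", 135) for i in range(1, 9)]
    + [("10.1.5.40", "10.2.0.10", 443),
       ("10.1.5.40", "10.12.3.7", 445),       # one stray dark hit, below threshold
       ("10.1.7.88", "198.51.100.20", 6667),  # TEST-NET-2 address stands in for a C&C host
       ("10.1.5.40", "10.2.0.11", 6667)]      # internal IRC, not flagged
)

def is_dark(addr: str) -> bool:
    """True if addr falls inside one of the dark (unpopulated) subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DARK_SUBNETS)

def find_dark_sweepers(flows, threshold=5):
    """Return {src: count} for sources that touched >= threshold distinct dark hosts."""
    touched = defaultdict(set)
    for src, dst, _port in flows:
        if is_dark(dst):
            touched[src].add(dst)
    return {src: len(dsts) for src, dsts in touched.items() if len(dsts) >= threshold}

def find_irc_egress(flows):
    """Return sorted (src, dst) pairs where an internal host reaches an external IRC port."""
    hits = set()
    for src, dst, port in flows:
        if port in IRC_PORTS and ipaddress.ip_address(dst) not in INTERNAL:
            hits.add((src, dst))
    return sorted(hits)

if __name__ == "__main__":
    print(find_dark_sweepers(SAMPLE_FLOWS))  # {'10.1.5.23': 8}
    print(find_irc_egress(SAMPLE_FLOWS))     # [('10.1.7.88', '198.51.100.20')]
```

The stray single dark hit from 10.1.5.40 shows why a threshold matters: misconfigured hosts touch dark space occasionally, a worm touches it in bulk.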

IPS enables more flexibility at whatever border or choke-point you’re protecting with it. For example, I can permit port 80 inbound to my web server but block various www attacks that my dumb-but-brute-of-a-firewall lets past.

Thomas argues that firewalls are hugely successful (I’d like to add: only when properly configured. Read: egress filtering). He goes on to say:

It is absolutely unimaginable for a large company to be connected to the Internet without them. You cannot say the same thing about IDS/IPS; lots of enterprises don’t use it, and they aren’t suffering.

So then maybe Thomas can point to any large company that successfully depends solely on the firewall for security. He can’t because the enterprise needs defense in depth. They need a firewall at the border. They need patch management throughout the enterprise. They need network visibility throughout the enterprise (sounds like a good use of IDS). The list goes on.

Granted, a skilled and determined hacker can evade an IDS/IPS. That’s why we harden the endpoint systems; that’s why we deploy patches; that’s why we segregate networks: so we can minimize and contain damage that we can’t or choose not to mitigate.

I utilize both network IPS and host IPS and I used Snort to segue into the IDS/IPS arena and I haven’t regretted it one bit. Nor have I second-guessed that the technology works. I’ve seen it first hand and it’s saved my bacon and frankly, that’s what counts. My network is measurably safer with IPS.

Michael- You make some great points. It is real world people like you who prove that though the analysts and experts may think one way, guys in the trenches may have a different view.

There are some excellent comments on the article, many are far better articulated than mine. This debate is going to be a good one.

  • StillSecure, After All These Years:

    Real world value of IDS/IPS

    In the ongoing IDS debate, Amrit challenged me to put up blog postings of case studies with large organizations that are finding tremendous value in IDS. As I wrote to Amrit privately, unfortunately the ones I would really like to

  • The Units of Risk and Learning how to Measure Them! at RiskAnalys.is:

    [...] The FAIR whitepaper dedicates an entire section to controls. I won’t duplicate what it says here, but I will mention this: Controls are either preventative, detective, or aid in our ability to respond to an incident. Now, this weekend there was quite a bit written about IDS/IPS and the value of that technology or process. I don’t have much to say about that particular technology except the following: [...]