IDS/IPS – Finger Lickin’ Good!
[Much like Colonel Sanders’ secret recipe, the evolution of "pure" IPS is becoming an interesting combo bucket of body parts — all punctuated, of course, by a secret blend of 11 herbs and spices…]
So, the usual suspects are at it again and I find myself generally agreeing with the two wise men, Alan Shimel and Mike Rothman. If that makes me a security sycophant, so be it. I’m not sure, but I think these two guys (and Michael Farnum) are the only ones who read my steaming pile of blogginess — and of course Alex Neihaus who is really madly in rapture with my prose… 😉
Both Alan and Mike are discussing the relative evolution from IDS/IPS into "something else."
Alan references a specific evolution from IDS/IPS to UTM — an even more extensible version of the traditional perimeter UTM play — with the addition of post-admission NAC capabilities. Interesting.
The interesting thing here is that NAC typically isn’t done "at the perimeter" (unless we’re talking about the need to validate access via VPN), so I think this is a nod towards the fact that there is, indeed, a convergence of thinking that demonstrates the movement of "perimeter UTM" towards Enterprise UTM deployments that companies are choosing to purchase in order to manage risk.
Alan seems to be alluding to the fact that these Enterprises are considering internal deployments of IPS with NAC capabilities. I think that is a swell idea. I also think he’s right. NAC is one of about 5-6 key, critical applications that are a natural fit for anything that is supposed to provide Unified Threat Management… that’s what UTM stands for, after all.
Mike alludes to the reasonable assertion that IDS/IPS vendors are only riding the wave preceding the massive ark building that will result in survival of the fittest, where the definition of "fit" is based upon what the customer wants (this week):
Of course the IDS/IPS vendors are going there because customers want them to. Only the big of the big can afford to support all sorts of different functions on different boxes with different management (see No mas box). The great unwashed want the IDS/IPS built into something bigger and simpler.
True enough. Agreed. However, there are vendors — big players — such as Cisco and Juniper that won’t use the term UTM because it implies that their IDS and IPS products, stacked with additional functions, are in fact turkeys (following up with the poultry analogies), and that guilt by association would tag them with the low-end image UTM still carries. The ASP (average selling price) of most UTM products is around $1,500, so why fight for scraps.
So that leads me to the point I’ve made before wherein I contrast the differences in approach and the ultimate evolution of UTM:
Historically, UTM is defined as an approach to network security in which multiple logically complementary security applications, such as firewall, intrusion detection and antivirus, are deployed together on a single device. This reduces operational complexity while protecting the network from blended threats.
For large networks where security requirements are much broader and complex, the definition expands from the device to the architectural level. In these networks, UTM is a “security services layer” within the greater network architecture. This maintains the operational simplicity of UTM, while enabling the scalable and intelligent delivery of security services based on the requirements of the business and network. It also enables enterprises and service providers to adapt to new threats without having to add additional security infrastructure.
My point here is that just as firewalls added IDS and ultimately became IPS, IPS has had Anti-X bolted on and become UTM — but Perimeter UTM. What is missing there is the flexibility and extensibility of these platforms to support more functions and features.
However, as both Mike and Alan point out, UTM is also evolving into architectures that allow virtualized security service layers to be deployed from more scalable platforms across the network. The next logical evolution has already begun.
When I go out on the road to speak and address large audiences of folks who manage security, most of them relay that they simply do not trust IPS devices with automated full blocking turned on. Why? Because they lack context. While integrated VA/VM (vulnerability assessment and management) and passive/active scanning add to the data collected, is that really actionable intelligence? Can these devices really make reasonable judgements as to the righteousness of the data they see?
Not without BA (behavioral analysis) functionality, they can’t. And I don’t mean today’s NBA (a la Gartner: Network Behavior Analysis) or NBAD (a la Arbor/Mazu: Network Behavioral Anomaly Detection) technology, either.
[Put on your pads, boys, ‘cos here we go…]
NBA(D) as it exists today is nothing more than a network troubleshooting and utilization tool, NOT a security function — at least not in its current form and not given the data it collects today. Telling me about flows across my network IS, I admit, mildly interesting, but without the fast packet-cracking capabilities to send flow data *including* content, it’s not very worthwhile (yes, I know that newer versions of NetFlow will supposedly do this, but at what cost to the routers/switches that will have to perform this content inspection?)
NBA(D) today takes xFlow (NetFlow, sFlow and their kin) and looks at traffic patterns, protocol usage, etc. to determine whether, within the scope of limited payload analysis, something "bad" has occurred.
That’s nice, but then what? I think that’s half the picture. Someone please correct me, but today NetFlow comes primarily from routers and switches; when do firewalls start sending NetFlow data to these standalone BA units? Don’t you need that information in conjunction with the exports from routers/switches, at a minimum, to make even the least substantiated decision on what disposition to enact?
ISS has partnered with Arbor (good move, actually) in order to take this first step towards integration — in their world it’s IPS+BA. Lots of other vendors — like SourceFire — are also developing BA functionality to shore up the IPS products — truth be told, they’re becoming UTM solutions, even if they don’t want to call their products by this name.
Optenet (runs on the Crossbeam) uses BA functionality to provide the engine and/or shore up the accuracy for most of their UTM functions (including IPS) — I think we’ll see more UTM companies doing this. I am sure of that (hint, hint.)
The dirty little secret is that, despite the fact that IDS is supposedly dead, we see (as do many of the vendors — they just won’t tell you so) most people purchasing IPS solutions and putting them in IDS mode… there’s a good use of money!
I think the answer lies in the evolution from the turkeys, chickens and buzzards above to the eagle-eyed Enterprise UTM architectures of tomorrow — the integrated, consolidated and virtualized combination of UTM with NAC and NBA(D) — all operating in a harmonious array of security goodness.
Add VA/VM, virtual patching, and the ability to control how data is created, accessed, manipulated and transported, and then we’ll be cooking with gas! Finger lickin’ good.
But what the hell do I know — I’m a Dodo… actually, since I grew up in New Zealand, I suppose that really makes me a Kiwi. Go figure.
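As an added illustration of the argument above (an IPS signature alone lacks the context to justify a block, NBA(D) is baseline-plus-deviation over xFlow summaries, and VA/VM supplies the third leg), here is a toy correlator in Python. It is not code from this post or from any of the vendors named here; the flow records, IPS alerts, scanner results, host addresses and z-score thresholds are constructed for the example. The one real identifier, CVE-2003-0352, is the RPC DCOM overflow that Blaster exploited, used because the comments on this post bring it up.

```python
"""Added example, not from the original post or any vendor it names.

Toy "IPS + BA + VA/VM" correlator. An IPS alert is only acted on after two
more questions: is the source host outside its flow baseline (the NBA(D)
function), and is the target actually exposed to what the signature claims
(the VA/VM function)? Every record below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:            # one NetFlow-style record, reduced to what we need
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass(frozen=True)
class Alert:           # one IPS event; cve is what the signature claims to exploit
    sig: str
    src: str
    dst: str
    dport: int
    cve: str


def interval(src, n_dst, nbytes_each, dport=80):
    """Constructed flows from src to n_dst hosts within one export interval."""
    return [Flow(src, f"10.1.2.{10 + i}", dport, "tcp", nbytes_each) for i in range(n_dst)]


# Six "normal" intervals: 10.1.1.5 is a busy client, 10.1.1.6 a quiet one.
HISTORY = [interval("10.1.1.5", 3 + i % 2, 40_000 + 1_000 * i)
           + interval("10.1.1.6", 2, 30_000 + 500 * i) for i in range(6)]

# Current interval: 10.1.1.5 looks normal; 10.1.1.6 fans out to 40 hosts on 135/tcp.
CURRENT = interval("10.1.1.5", 3, 41_000) + interval("10.1.1.6", 40, 2_000, dport=135)

# Hypothetical scanner output: which hosts are exposed to which CVE (10.1.2.31 is patched).
VULN_BY_HOST = {"10.1.2.30": {"CVE-2003-0352"}, "10.1.2.32": {"CVE-2003-0352"}}

ALERTS = [  # constructed IPS events, same signature, three different contexts
    Alert("MS RPC DCOM overflow", "10.1.1.6", "10.1.2.30", 135, "CVE-2003-0352"),
    Alert("MS RPC DCOM overflow", "10.1.1.5", "10.1.2.31", 135, "CVE-2003-0352"),
    Alert("MS RPC DCOM overflow", "10.1.1.5", "10.1.2.32", 135, "CVE-2003-0352"),
]


def summarise(flows):
    """Per-source (bytes, distinct destinations) for one interval."""
    nbytes, dsts = defaultdict(int), defaultdict(set)
    for f in flows:
        nbytes[f.src] += f.nbytes
        dsts[f.src].add(f.dst)
    return {s: (nbytes[s], len(dsts[s])) for s in nbytes}


def build_baseline(history):
    """Per-source (mean, stdev) of bytes and of fan-out across past intervals."""
    samples = defaultdict(lambda: ([], []))
    for flows in history:
        for src, (nb, nd) in summarise(flows).items():
            samples[src][0].append(nb)
            samples[src][1].append(nd)
    return {src: ((mean(b), pstdev(b)), (mean(d), pstdev(d)))
            for src, (b, d) in samples.items()}


def zscore(x, m, sd, floor):
    """Standard score; the floor on sd keeps a flat baseline from dividing by zero."""
    return (x - m) / max(sd, floor)


def flow_anomalies(baseline, flows, z=3.0):
    """Sources whose current bytes or fan-out sit more than z stdevs above baseline."""
    hits = {}
    for src, (nb, nd) in summarise(flows).items():
        if src not in baseline:
            hits[src] = "no baseline for this source"   # unknown host: treat as suspect
            continue
        (bm, bsd), (dm, dsd) = baseline[src]
        reasons = []
        if zscore(nb, bm, bsd, 1_000) > z:
            reasons.append(f"bytes {nb} vs mean {bm:.0f}")
        if zscore(nd, dm, dsd, 1) > z:
            reasons.append(f"fan-out {nd} vs mean {dm:.1f}")
        if reasons:
            hits[src] = "; ".join(reasons)
    return hits


def disposition(alert, anomalies, vuln_by_host):
    """Block only when signature, target exposure and source behaviour all agree."""
    if alert.cve not in vuln_by_host.get(alert.dst, set()):
        return "log", f"{alert.dst} not exposed to {alert.cve}; log only"
    if alert.src in anomalies:
        return "block", f"exposed target, anomalous source ({anomalies[alert.src]})"
    return "alert", "exposed target but no behavioural corroboration; needs an analyst"


def run(alerts=ALERTS, history=HISTORY, current=CURRENT, vuln=VULN_BY_HOST):
    """Return {(src, dst): action} for every alert in the current window."""
    anomalies = flow_anomalies(build_baseline(history), current)
    return {(a.src, a.dst): disposition(a, anomalies, vuln)[0] for a in alerts}


if __name__ == "__main__":
    for key, action in run().items():
        print(key, "->", action)
```

The same signature yields three different dispositions: block for the fanning-out source hitting an exposed host, log for the patched host, and a human-reviewed alert where the target is exposed but the source looks normal. Note the simplification that the point about firewall exports calls out: every flow here is assumed to have reached its destination, so a real deployment would also need the firewall's own flow records to confirm a flow was permitted before treating it as corroboration.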
OK Colonel Sanders, very nice. Totally agree about the need to layer behavior on top of the traditional defenses. Maybe it looks like reputation or deviations from a baseline. But one of the things that will absolutely be required is correlation. We'll need to be able to arbitrate between all of these different techniques, especially when they provide contrary evidence.
I say, I say…
Yup.
The holy grail — BA & correlation…great topic! Time for the next blog entry!
I have some really neat "incites" into this particular topic.
Stay tuned.
BTW, KFC crispy/spicy with coleslaw, mashed taters and a cob o' corn. Damn fine eatin'!
IDS/IPS for the birds
Mike Rothman and Chris Hoff both have written articles in response to my recent IDS/IPS evolutionary article. Rather than comment to both of them, I thought I would respond formally here. So here it is. First of all Mike, you
The Daily Incite – June 14, 2006
June 14, 2006 Good Morning: First thing, I’d like to welcome all the new readers that have joined over the past week or so. Let me know what you think and if you have suggestions for improvement, I’m all ears. Next I’ll point you to the …
Do not confuse cheap Linux boxes running multiple security applications (UTM) with the cutting edge of network protection. UTM is a packaging of products in an easy to digest appliance for the 2 million or so businesses (NA alone) that do not have security staffs.
The reason that there is such a dearth of good security within the large enterprise is that IP or Ethernet has been too easy to deploy. Network designers had only one measure to go by, the flashing red lights on their switches that indicated collisions. Too many red lights? Time to upgrade to 100meg, 1 gig, 3 gig, 10 gig!
In order to secure the modern network you would have to be able to write policies with full knowledge of every protocol you run on your network. Remember how long it took the firewall vendors to figure out FTP? Even Microsoft could not tell me what applications were affected by the infamous RPC DCOM vulnerabilities (of MSBlaster fame).
Flow-based analysis and modeling is the best technology I have seen for understanding network usage. It justifies itself if only for its ability to shine a light on the dark morass that is most networks. But used in conjunction with smart, fast switches, NBA(D) is the key to network security.
IPS and Context, someone finally agrees.
I just found a great discussion on IPS that worked its way through several blogs I read. I am a little late in posting but I think this is a very interesting topic and one that points out what I have thought for a while. Christopher Hoff, …