Wednesday, 06 September 2006

Comment on Draft NIST Publications

Thanks to SANS I read this FCW story about new NIST draft publications, specifically Draft Special Publication 800-94, Guide to Intrusion Detection and Prevention (IDP) Systems (.pdf). I am worried about this document because it seems to imply that detection and prevention are equivalent functions. Recent Dark Reading stories like IDS/IPS: Too Many Holes? and IPS Technology: Ready for Overhaul have been critical of both technologies, but especially IPS.

Despite some vendor claims to the contrary, customers realize that the same inspection logic used to "detect intrusions" is supposed to be applied to the "prevent intrusions" problem. Since so-called "intrusion prevention" products were sold as devices that overcame "false positive" problems, many customers are disappointed and end up running their "IPS" in detect-only mode. From this perspective, it makes sense for NIST to lump IDS and IPS in the same category.

From an operational and consequences-based perspective, IDS and IPS are completely different. Management generally permits an IDS team with passive sensors to do just about anything it wants, shy of using RST tricks to deny traffic. Management does not take the same approach with IPS, since an IPS is just a smarter firewall. One bad IPS rule and business traffic is interrupted.

While on this subject, I consider it unfortunate that the terms IDS and IPS even exist. Neither describes the actual function of either device. IDS as used by the vast majority of people seldom "detects intrusions." Rather, the technology is an Attack Indication System.

IPS is even more poorly named. An IPS is just a layer 7 firewall, so I would just as soon call an IPS a smarter firewall.

Finally, I read this press release:

[McAfee] announced that it has been selected to be deployed as the standard network intrusion prevention solution for the U.S. Air Force. The Air Force will use McAfee® IntruShield Network Intrusion Prevention System (IPS) and McAfee IntruShield Security Manager appliances to provide comprehensive and proactive protection for its worldwide non-classified and classified networks. The task order was awarded by the Air Force's Combat Information Transport System (CITS) program office to prime contractor Booz Allen Hamilton under the U.S. Air Force NETCENTS contract.

I'm guessing this is the end of ASIM?
