Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/21/2006
09:42 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

IDS/IPS: Too Many Holes?

Today's IDS/IPS technology is often no match for smarter and more application-specific exploits

The "P" in IPS stands for prevention, but these days it seems more like "porous," users and experts say.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS), which catch "known" threats, are hard-pressed to keep pace with today's ever-changing, application-specific exploits, according to experts.

Researcher HD Moore and colleague Brian Caswell at next month's Black Hat conference will demonstrate just how vulnerable these security tools are to application-level attacks. The researchers will reveal new, application-level exploits that slip, undetected, right past an IPS. "It's simple application-level evasion through an IPS appliance," says Moore, who won't reveal the victimized IPS appliance prior to his presentation.

"It is common knowledge that a targeted attack can almost always bypass IDS/IPS technology," Moore says. "The difference is that public exploit tools now support these evasion methods and the vendors are doing a poor job of keeping up."

It's not unlike their challenges with antivirus software, which also relies on known threats, security experts say. The key is to be aware of the limitations and to "layer up" your security.

IPS pioneer TippingPoint maintains that it's the IPS's ability to see signatures in attacks that's the real strength of the technology. "That's where the magic really happens," says Jason Wright, product marketing manager for TippingPoint. Wright says TippingPoint's technology also includes some behavioral and anomaly-based filtering. "When we see a certain application or attack, such as peer-to-peer sharing, we can block the flow or rate-limit it," he says.

But critics say IPS technology doesn't work as its name advertises. "IPSes don't prevent anything," says Thomas Maufer, director of technical marketing for Mu Security. "They tend to have holes, and the amount of lost traffic doesn't depend on the number of signatures in a device. Even with an IPS with fully loaded signatures, it can only block two-thirds of traffic."

In one security analysis, Mu Security found that 92 percent of bad traffic got by the customer's IPS.

IDS/IPS systems don't have the processing power to scan an entire set of signatures, Maufer observes. IDS/IPSes can't and don't look at all of the data that streams through them. "The big thing is that they have tiny database. A typical IPS has 2,000 to 3,000 signatures, but there are a lot more than that you'd want to scan for," he says. "And if they can't keep up with network traffic, it starts filling the buffers, and it misses attacks -- the complexity of a signature affects their performance."

That's one weak link that researchers Moore & Caswell are targeting in their project: limited resources. "They have only a finite amount of memory and it is often trivial for an attacker to exhaust all available resources with a relatively small amount of traffic," Moore says. "This can prevent an IDS/IPS from functioning at all and force an IPS into switching to 'pass-through' mode," where traffic gets by.

Vendors such as TippingPoint are looking to improve performance in hardware. Wright says TippingPoint uses ASIC technology, for instance, and the company is integrating its technology with switches, a move that other IPS vendors are expected to follow. And as new threats, such as denial of service, spyware, and phishing evolve, Tipping Point updates its filters to address them, he says. "Our hardware runs a lot faster, and we can be deployed in the interior of a network," Wright says.

Tom Ptacek, a researcher with Matasano Security who studies ways to evade IPSes, says hardware resources aren't the problem. IPS/IDS technology just can't keep up, he says.

"The problem IPS is trying to tackle is extremely hard -- to look at network traffic and understand the intent of it," Ptacek says. "It's like walking a tightrope between false positives and false negatives in an earthquake. It's moving all the time, and catching all variants of an attack is difficult."

All an attacker has to do is present itself as a benign request to the IDS, Moore says. "The more the IDS knows about the network it protects, the better it can defend against this sort of evasion," he says. "IDS evasion really boils down to one thing: Know your target."

Then there is the barrage of false positives that these tools often generate. MedAvant Healthcare Solutions runs seven ISS RealSecure IDS sensors throughout its sites, along with firewalls. But the company gets more false positives than vice president of security and engineering Robert Mims would like. "What I want with an IDS is visibility into the network, to report malicious traffic," Mims says. "Sometimes it works great and gives me the alerts, but I get a lot of false positives, and that means a lot of manual investigation and tuning on the part of my security engineers."

MedAvant so far has stuck with a traditional IDS, rather than installing an IPS, because it operates a transaction-based business, and a signature-based IPS could block production traffic with false positives, Mims says. "We have [service level agreements] in our claims systems that we have to meet in seconds -- I can't take the risk of a device interrupting" a transaction, says Mims. Mims is interested in IPSes that contain some intelligence with behavioral modeling, and where traffic can still get through when it fails.

TippingPoint's Wright admits false positives occur occasionally. "This filter is designed to block when it sees certain things -- the customer has to understand what an IPS is going to block." It's sometimes a matter of properly configuring it to accept your "good" traffic may be blacklisted, he says.

And what about the insider threat? "Hackers will get past the perimeter. Once they get past it, they are looking like insiders," says Steve Woo, vice president of marketing and product management for Securify.

Matasano Security's Ptacek says in the end, you don't really need an IPS. "There's no proof an IPS does anything for security." The bottom line is most organizations run firewalls and AV, but not everyone uses IPSes, he says.

Others disagree. "IDS/IPS signatures still have their place on the perimeter because you don't want the desktop to become an attack path for an outsider," Securify's Woo says. "But it misses targeted or credentialed attacks by hackers coming in."

MedAvant's Mims says security is ultimately more than IDS/IPS, firewalls or antivirus systems. "It's naïve to rely on just those," he says. "Patch management is very important -- if the vulnerabilities aren't there, there's nothing to exploit."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • TippingPoint Technologies Inc.

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    How to Think Like a Hacker
    Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
    7 SMB Security Tips That Will Keep Your Company Safe
    Steve Zurier, Contributing Writer,  10/11/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-17667
    PUBLISHED: 2019-10-17
    Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field.
    CVE-2019-17666
    PUBLISHED: 2019-10-17
    rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.
    CVE-2019-17607
    PUBLISHED: 2019-10-16
    HongCMS 3.0.0 has XSS via the install/index.php servername parameter.
    CVE-2019-17608
    PUBLISHED: 2019-10-16
    HongCMS 3.0.0 has XSS via the install/index.php dbname parameter.
    CVE-2019-17609
    PUBLISHED: 2019-10-16
    HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter.