IDS/IPS: Too Many Holes?
Today's IDS/IPS technology is often no match for smarter and more application-specific exploits
July 21, 2006
The "P" in IPS stands for prevention, but these days it seems more like "porous," users and experts say.
Intrusion detection systems (IDS) and intrusion prevention systems (IPS), which catch "known" threats, are hard-pressed to keep pace with today's ever-changing, application-specific exploits, according to experts.
Researcher HD Moore and colleague Brian Caswell at next month's Black Hat conference will demonstrate just how vulnerable these security tools are to application-level attacks. The researchers will reveal new, application-level exploits that slip, undetected, right past an IPS. "It's simple application-level evasion through an IPS appliance," says Moore, who won't reveal the victimized IPS appliance prior to his presentation.
"It is common knowledge that a targeted attack can almost always bypass IDS/IPS technology," Moore says. "The difference is that public exploit tools now support these evasion methods and the vendors are doing a poor job of keeping up."
It's not unlike their challenges with antivirus software, which also relies on known threats, security experts say. The key is to be aware of the limitations and to "layer up" your security.
IPS pioneer TippingPoint maintains that it's the IPS's ability to see signatures in attacks that's the real strength of the technology. "That's where the magic really happens," says Jason Wright, product marketing manager for TippingPoint. Wright says TippingPoint's technology also includes some behavioral and anomaly-based filtering. "When we see a certain application or attack, such as peer-to-peer sharing, we can block the flow or rate-limit it," he says.
But critics say IPS technology doesn't work as its name advertises. "IPSes don't prevent anything," says Thomas Maufer, director of technical marketing for Mu Security. "They tend to have holes, and the amount of lost traffic doesn't depend on the number of signatures in a device. Even with an IPS with fully loaded signatures, it can only block two-thirds of traffic."
In one security analysis, Mu Security found that 92 percent of bad traffic got by the customer's IPS.
IDS/IPS systems don't have the processing power to scan an entire set of signatures, Maufer observes. IDS/IPSes can't and don't look at all of the data that streams through them. "The big thing is that they have tiny database. A typical IPS has 2,000 to 3,000 signatures, but there are a lot more than that you'd want to scan for," he says. "And if they can't keep up with network traffic, it starts filling the buffers, and it misses attacks -- the complexity of a signature affects their performance."
That's one weak link that researchers Moore & Caswell are targeting in their project: limited resources. "They have only a finite amount of memory and it is often trivial for an attacker to exhaust all available resources with a relatively small amount of traffic," Moore says. "This can prevent an IDS/IPS from functioning at all and force an IPS into switching to 'pass-through' mode," where traffic gets by.
Vendors such as TippingPoint are looking to improve performance in hardware. Wright says TippingPoint uses ASIC technology, for instance, and the company is integrating its technology with switches, a move that other IPS vendors are expected to follow. And as new threats, such as denial of service, spyware, and phishing evolve, Tipping Point updates its filters to address them, he says. "Our hardware runs a lot faster, and we can be deployed in the interior of a network," Wright says.
Tom Ptacek, a researcher with Matasano Security who studies ways to evade IPSes, says hardware resources aren't the problem. IPS/IDS technology just can't keep up, he says.
"The problem IPS is trying to tackle is extremely hard -- to look at network traffic and understand the intent of it," Ptacek says. "It's like walking a tightrope between false positives and false negatives in an earthquake. It's moving all the time, and catching all variants of an attack is difficult."
All an attacker has to do is present itself as a benign request to the IDS, Moore says. "The more the IDS knows about the network it protects, the better it can defend against this sort of evasion," he says. "IDS evasion really boils down to one thing: Know your target."
Then there is the barrage of false positives that these tools often generate. MedAvant Healthcare Solutions runs seven ISS RealSecure IDS sensors throughout its sites, along with firewalls. But the company gets more false positives than vice president of security and engineering Robert Mims would like. "What I want with an IDS is visibility into the network, to report malicious traffic," Mims says. "Sometimes it works great and gives me the alerts, but I get a lot of false positives, and that means a lot of manual investigation and tuning on the part of my security engineers."
MedAvant so far has stuck with a traditional IDS, rather than installing an IPS, because it operates a transaction-based business, and a signature-based IPS could block production traffic with false positives, Mims says. "We have [service level agreements] in our claims systems that we have to meet in seconds -- I can't take the risk of a device interrupting" a transaction, says Mims. Mims is interested in IPSes that contain some intelligence with behavioral modeling, and where traffic can still get through when it fails.
TippingPoint's Wright admits false positives occur occasionally. "This filter is designed to block when it sees certain things -- the customer has to understand what an IPS is going to block." It's sometimes a matter of properly configuring it to accept your "good" traffic may be blacklisted, he says.
And what about the insider threat? "Hackers will get past the perimeter. Once they get past it, they are looking like insiders," says Steve Woo, vice president of marketing and product management for Securify.
Matasano Security's Ptacek says in the end, you don't really need an IPS. "There's no proof an IPS does anything for security." The bottom line is most organizations run firewalls and AV, but not everyone uses IPSes, he says.
Others disagree. "IDS/IPS signatures still have their place on the perimeter because you don't want the desktop to become an attack path for an outsider," Securify's Woo says. "But it misses targeted or credentialed attacks by hackers coming in."
MedAvant's Mims says security is ultimately more than IDS/IPS, firewalls or antivirus systems. "It's naïve to rely on just those," he says. "Patch management is very important -- if the vulnerabilities aren't there, there's nothing to exploit."
— Kelly Jackson Higgins, Senior Editor, Dark Reading
About the Author
You May Also Like