  positives; an IDS minimizes false positives. This dramatically changes the writing and testing of the filters.
- An IPS false positive blocks legitimate traffic; an IDS false positive alerts on an intrusion that did not or could not succeed.
- Anomaly filters cannot be used for blocking, only for alerting.
These distinctions change the requirements and engineering of the product, and make the IDS vulnerable to snow-blind attack.
Minimize False Negatives: Network Performance vs. Decoding Fidelity
A false negative is simply a missed attack. Clearly a false negative is undesirable, and every vendor strives to provide as complete coverage as possible. However, there is no silver bullet: no product detects all attacks. Hence, the goal becomes providing coverage for high priority attacks.
When prioritizing attack coverage, every vendor assesses three things:
- Is the attack important to customers?
- Can the engine do it without adverse impact?
- Is the filter writing team capable of researching and writing the filter?
A useful metric when evaluating IPS protection capabilities is to examine their coverage of important/critical Microsoft Tuesday vulnerabilities. Since these vulnerabilities are important to every vendor's customers, the vendor will prioritize development of these filters. The only reason not to provide coverage is if the engine is inadequate, or the team is incapable.
Besides lack of coverage, there are several other reasons for a false negative. The attack may incorporate obfuscation techniques in order to evade the IPS or IDS. In the case of IDS, the IDS may be overwhelmed with traffic beyond its processing capacity and drop the packets needed to detect the attack. With an in-line device, overwhelming the device has a different effect: it causes traffic to be dropped. The attack does not succeed, since the attack packets are dropped, but it is also not detected.
In the case of evasions, both IDS and IPS should handle evasion tactics, but the way they handle them can be different. Ideally, both devices should unravel the evasion in order to correctly report the attack.
Consider an evasion that fragments MS-RPC traffic. The MS-RPC protocol natively supports fragmentation at the application layer. However, no legitimate application uses this feature on the vulnerable services; in fact, up until recent versions of Windows, the MS-RPC fragmentation code was buggy. This bug went undiscovered for years, apparently because no one had ever attempted to use MS-RPC fragmentation in a legitimate application.
In this instance, an IPS could simply block streams that contain MS-RPC fragmented payloads instead of decoding the attack.
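The two behaviours described above, expressed as an added example (not code from the white paper or from any vendor's engine): the same fragmented-request check yields an alert on an IDS and a dropped stream on an in-line IPS. The header layout and PFC flag values are taken from the public DCE 1.1 RPC specification; the sample PDUs are constructed test data.

```python
import struct

# Connection-oriented DCE/RPC common header (16 bytes): version, minor version,
# packet type, pfc_flags, data representation (4), frag_length, auth_length, call_id.
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PKT_REQUEST = 0
WHOLE_REQUEST = PFC_FIRST_FRAG | PFC_LAST_FRAG


def parse_pdu(buf: bytes) -> dict:
    """Decode the common header fields an inspection engine needs."""
    if len(buf) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    ptype, flags, drep = buf[2], buf[3], buf[4]
    order = "<" if drep & 0x10 else ">"  # drep high nibble 0x1 marks little-endian integers
    frag_len, _auth_len, call_id = struct.unpack(order + "HHI", buf[8:16])
    return {"ptype": ptype, "flags": flags, "frag_len": frag_len, "call_id": call_id}


def is_fragmented_request(pdu: dict) -> bool:
    """A request that is not both first and last fragment is part of a
    fragmented call: the evasion the paper says no legitimate client uses."""
    return pdu["ptype"] == PKT_REQUEST and (pdu["flags"] & WHOLE_REQUEST) != WHOLE_REQUEST


def inspect_stream(pdus: list, inline: bool) -> tuple:
    """Walk one TCP stream's PDUs. IDS mode (inline=False) alerts and keeps
    reading; IPS mode (inline=True) drops the stream at the first fragment,
    without ever reassembling or decoding the attack. Returns (verdict, alerts)."""
    alerts = []
    for i, raw in enumerate(pdus):
        pdu = parse_pdu(raw)
        if is_fragmented_request(pdu):
            alerts.append(f"fragmented MS-RPC request: pdu #{i}, call_id={pdu['call_id']}")
            if inline:
                return "drop", alerts
    return ("alert" if alerts else "pass"), alerts


def build_request(flags: int, call_id: int, stub: bytes) -> bytes:
    """Constructed request PDU: common header plus alloc_hint, context_id, opnum."""
    body = struct.pack("<IHH", len(stub), 0, 0) + stub
    header = struct.pack("<BBBB4sHHI", 5, 0, PKT_REQUEST, flags,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


# Constructed streams: one whole request, and the same call split into two fragments.
WHOLE = [build_request(WHOLE_REQUEST, 1, b"A" * 8)]
SPLIT = [build_request(PFC_FIRST_FRAG, 2, b"A" * 4), build_request(PFC_LAST_FRAG, 2, b"B" * 4)]

if __name__ == "__main__":
    for name, stream in (("whole", WHOLE), ("split", SPLIT)):
        print(name, "IDS:", inspect_stream(stream, inline=False), "IPS:", inspect_stream(stream, inline=True))
```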
White Paper: IPS vs. IDS - Similar on the Surface, Polar Opposites Underneath