An interesting tech segment on Pauldotcom podcast, episode 110 at 21:00. They compare the design and engineering priorities for an inline IPS and IDS.
Inline IPS Priorities
1. Stability – at all costs stay up and don’t take down the network
2. Performance – don’t slow down the network traffic
3. No false positives – don’t block legitimate network traffic
4. No false negatives – don’t allow any attacks through the IPS
Hmmm . . . sounds a lot like control system priorities. The first three priorities say to ignore the security ramifications when the decision is between availability and stopping an attack. Only the last priority is actually about security. Maybe those IT guys are not totally different?
IDS Priorities
1. Eliminate false negatives – identify all attacks; see more alerts but don’t miss anything
2. Eliminate false positives – remove the noise so an analyst can focus
3. Performance – the IDS’s ability to process all the passively collected traffic
4. Stability of the IDS platform and application – don’t crash the IDS
Larry and Paul both prefer IDS over IPS if a choice has to be made.
All control systems are a bit different, but we typically recommend an IDS sensor first on the control system, followed by a sensor on the DMZ, assuming there is also a commitment to monitor these passive devices.
We see inline IPS as more of a rifle shot for specific issues. Let’s say a system on the DMZ can’t be patched and you need to allow traffic on the affected port through the firewall to the DMZ server. The attack against that vulnerability is known to be successful, so the IPS signature for it should be turned on and set to block. Since most modern firewalls have IPS capabilities, this really just involves intelligent use of the IPS feature as a compensating control for the unpatched vulnerability.
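To make the priority ordering concrete, here is an added toy model (not code from the podcast or from this post) of an inline engine that fails open when it is unhealthy and drops only the one signature deliberately promoted to block mode for the unpatched DMZ server. The port, signature IDs and byte patterns are constructed placeholders, not real detection content.

```python
from dataclasses import dataclass, field

@dataclass
class Signature:
    sid: int
    dst_port: int
    pattern: bytes  # constructed placeholder, not real detection content

@dataclass
class Packet:
    dst_port: int
    payload: bytes

@dataclass
class InlineIPS:
    """Inline engine ordered by the post's IPS priorities: stay up, keep
    traffic moving, never block legitimate traffic, then catch attacks."""
    signatures: list
    block_sids: set = field(default_factory=set)  # the "rifle shot" set
    healthy: bool = True
    alerts: list = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        # Priorities 1 and 2: an unhealthy engine fails open so the network
        # stays up; nothing is inspected, so nothing can be blocked.
        if not self.healthy:
            return "pass"
        for sig in self.signatures:
            if sig.dst_port == pkt.dst_port and sig.pattern in pkt.payload:
                self.alerts.append(sig.sid)
                # Priority 3: drop only signatures deliberately promoted to
                # block mode as a compensating control; everything else alerts.
                if sig.sid in self.block_sids:
                    return "drop"
        return "pass"

def run_dmz_scenario():
    """Unpatched DMZ server on port 8080 (constructed); the firewall must
    let 8080 through, so one known-successful signature is set to block."""
    known = Signature(1000001, 8080, b"KNOWN-EXPLOIT-MARKER")  # placeholder
    noisy = Signature(1000002, 8080, b"HEURISTIC-MARKER")      # placeholder
    ips = InlineIPS([known, noisy], block_sids={known.sid})
    results = {
        "benign": ips.decide(Packet(8080, b"GET /status HTTP/1.1")),
        "known_attack": ips.decide(Packet(8080, b"... KNOWN-EXPLOIT-MARKER ...")),
        "heuristic_hit": ips.decide(Packet(8080, b"... HEURISTIC-MARKER ...")),
    }
    ips.healthy = False  # engine failure: availability wins, per priority 1
    results["attack_while_degraded"] = ips.decide(Packet(8080, b"KNOWN-EXPLOIT-MARKER"))
    return results, list(ips.alerts)
```

The heuristic match still alerts so an analyst sees it, but only the promoted signature drops traffic, and the degraded engine passes everything, which is exactly the availability-first trade-off the post describes.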