An Information Security Place

Commentary on the State of Information Security
Filed under Security

OK, here’s the post I promised on why I agree that IDS is not dead and won’t be for a while.  What it all essentially comes down to is reality.  In theory, the way anyone’s network should be designed is in the fashion of the Core-Distribution-Access methodology. 

C-D-A Model

First of all, this is obviously a very simplified diagram, so don’t slam me on that point please.  I didn’t feel like getting crazy complicated on the drawing.

Anyway, instead of typing out my own description of this model, let me just quote Cisco (got it from here):

In a well-formed hierarchical network, there are three easily defined layers, traditionally referred to as the access, distribution, and core layers.

Each of these layers provides a different function. The layers do not need to exist in clear and distinct physical entities, but the functionality needs to exist in an enterprise network. To help understand these functional layers, the traditional layers have been modified to access or workgroup, distribution or policy, and core or backbone.

The main function of the access or workgroup layer is to connect users. Other functions represented by this layer are shared bandwidth, switched bandwidth, MAC-layer filtering, and micro segmentation. LAN switches, for example the Catalyst 5000 and Catalyst 5500 switches, exist most commonly in this layer of the network.

The distribution or policy layer performs the policy-based operations. It performs the complex, CPU-intensive calculations such as filtering, access lists, inter-VLAN routing, Group Multicast Protocol (GMP), broadcast and multicast domain definition, and address or area aggregation. This layer may also contain the local servers. ATM switches and routers reside in the distribution layer, and sometimes LAN switches may reside here as well.

The core or backbone layer is the backbone of the network. It should be high-speed and concerned mainly with switching traffic as quickly as possible. It should not get involved in “expensive” packet manipulation. ATM connections or Fast Ethernet connections, which function as a backup, should make up the core backbone. The central servers may also be attached to the high-speed backbone in the core. ATM switches, high-speed routers, and sometimes LAN switches can be found in the core.

Now, I don’t agree with the statement about central servers in the last sentence.  Though it probably made sense from a speed standpoint a few years ago, it really is not essential in today’s high speed networks.  And it breaks some security rules as well, especially in today’s PCI world (segmentation is king).  But beyond that, I agree with this write up.

And IF you are set up like this, IPS can fit very well in your environment as stand alone boxes or in a UTM.

C-D-A Model with IPS

I didn’t label them very well, but if you look close, you will see the IPS boxes guarding the core by being placed on the lines coming from the distribution layer.  In this scenario, you are effectively creating a ring around your core.  You also have almost perfect knowledge of what is going on in your network because almost everything is going to hit your core eventually.

But if you notice on the first picture, I labeled it “How it should be”.  If you have this model, or you have enough money to re-architect your network, then you can guard your core with a proactive solution and have a very good idea of what is running around in your network.  But here’s what most people’s networks actually look like:

Reality

Tell me I’m wrong! :)

I’m a realist for the most part (I have a lot of ideals, but they mostly just get me in trouble).  And above is real world.  There is an IPS here, but it is installed in the typical fashion of guarding the Internet connection.  You can see what is coming in and going out, but all the craziness going on inside your network is about as visible as a Baptist on the front pew on Sunday (I was raised a Baptist, so I can say that).  You are guarding your network from the bad guys OUTSIDE, but everyone inside is having a good ol’ time playing and fiddling and whatever else, and you can’t see it.

So if you can’t re-architect, and you can’t put HIPS everywhere, and you can’t put an IPS everywhere, and that IPS blade seems like a pipe dream, and that security in every switch seems like an even bigger pipe dream, then what do you do?

Reality with IDS

Now you have an IDS on a span port, and you can see what is going on.  Do you have a proactive solution?  No.  But is this a useless installation of IDS?  Alan asked on my CW blog:

What good is the visibility if you can’t do anything about it?

To that I answered:

Alan, I think visibility is a very good thing to have in your network, even if you are having to act reactively to it. Proactive is definitely preferable, but with most IPS deployments being inline, you cannot see what is happening inside your network. You can only see what is going in and out of your network.

Basically, if I do not have the infrastructure in place to react, why would I choose to ignore it? I still want to know it is happening. Thinking that data is useless is ridiculous.

Again, I think automation is preferable, just as you say in your post. But I don’t think everyone is at a point to have that, even in the next 5 years. From a realistic POV, I see people WANTING stuff every day, but when I give ‘em a price tag, they yak all over the place. So as long as those people can buy an IDS and throw it on a span port and get some info as to what is going on in their network, then manufacturers will build the IDS.

That is just real world.  I have lived in that world.  I know what it is like not to have the money to build the perfect network.  I had an IPS on my ingress / egress Internet point.  I could see and block the baddies right there.  But I had no clue what was happening inside my network.  IPS wasn’t going to do me much good on a span port (I don’t like throwing a bunch of TCP resets on my network - it just ain’t pretty).  So I installed an IPS, and I installed a SIM tool so I could do some filtering and some better reaction, and I got the best I could get.

So that is why I think IDS is here for a while.  IPS will get rolled into UTM.  Eventually maybe it will get rolled into the switches and core switches in a reliable fashion that is also affordable.  Until then, why not have an idea of what is going on in your network?  You have to have visibility if you are going to do anything about it.  Better to react than not act at all!
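As an added example (not from the post and not from the Cisco document quoted above), this is the kind of local SPAN configuration on a Cisco IOS switch that gives an IDS the internal visibility the last diagram shows; the interface numbers are assumptions.

```cisco
! Constructed example: local SPAN on a Catalyst-style IOS switch,
! mirroring the distribution-to-core uplinks to a passive IDS sensor.
! Interface names are assumed.
!
! Sources: both directions (rx and tx) of the two uplinks that carry
! the east-west traffic the Internet-edge IPS never sees.
monitor session 1 source interface GigabitEthernet1/0/1 - 2 both
!
! Destination: the port the IDS sensor listens on. A SPAN destination
! port only transmits copied frames toward the sensor and, by default,
! accepts no ingress traffic from it, which is why this deployment can
! observe but not block; an inline IPS would sit in the data path.
monitor session 1 destination interface GigabitEthernet1/0/24
!
! Verify the session is active and what it is mirroring:
! show monitor session 1
```

The sensor port should be dedicated to the IDS, since the switch will not forward mirrored frames from it to anything else.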

OK, enough for today.  Have a good weekend everybody.

Vet

Posted by Michael Farnum on Friday, August 24th, 2007