There are a few IPS/IDS solutions out there utilizing email reputation
> as part of their solutions, and they primarily get their strength from a
> centralized managed db on the part of the vendor supplying the solution.
I haven't seen this actually happening; do you have specific products in
mind? Other than 'intention,' it doesn't seem to have been rolled out yet.
In general, though, I agree with you: this is great stuff... potentially.
Incorporating reputation services (not just email, but web as well) into
IDPs is an outstanding way to help provide the IDP with additional
information that might help it to do a better job.
In the simplest case, this information could be correlated at the
console so that IDS-ish activity can be prioritized by 'known bad
actors.' The prevalent behavior of many network managers in applying
bias to their firewalls (e.g., PIX shun or Check Point SAM) based on
past bad behavior is an example of why this would be successful and
useful.
In other words, I am MUCH more interested in an alert if it comes from
someone with a known bad reputation. These are more likely to require
action on the part of the network manager, or at least to be
'interesting' in the sense of understanding a threat pattern or ongoing
robot-based attack. That alone should help to bubble up alerts in the
console of the IDS.
For example, correlating the Spamhaus PBL (policy block list,
essentially a list of IPs which have been defined by their owners as
'these guys should never be sending mail directly') with IDS alerts
would be outstanding information, because anyone on the PBL generating a
alert is likely to be bot-infected or intentionally malicious. What you
do with that... I don't know directly, but anything that can help to
provide greater context in IDS alerts is obviously of value.
In a more complex case, the presence of an IP on a reputation service
(again, email or web, since they are merging with the significant
vendors of these services) could also affect the behavior of an IDP when
it comes to actually dropping or resetting connections. This is
obviously harder to manage and now begins to tread on the territory of
other products.
For example, a standard Web Security Gateway (pick Cisco's WSA as an
example, but there are a dozen of these products) already is blocking
connections from end-user clients to bad-reputation web sites. If the
IPS started doing the same, this could either be a defense-in-depth
strategy (two reputation services are better than one?) or might be
useful in an environment where the enterprise did not have a Web
Security Gateway but wanted to fold that functionality into their
existing IPS. See, for example, the build-up of UTM firewalls as a
precedent for this.
I think that it seems obvious that, given the level of sophistication of
existing IDP detection engines, anything that we can do to give them
"more intelligence" is a step in the right direction.
This could happen at detection-time or at analysis-time, as I've
mentioned above--and these are certainly not the only places where it
could be useful.
It seems to me that given the purchase of Ironport (with their
Senderbase web/email reputation service) by Cisco and the purchase of
Ciphertrust by Secure Computing by McAfee (with their TrustedSender
web/email reputation service) presages the integration of these
technologies into IDP products. Whether folks like Sourcefire will be
able to forge (useful) alliances with semi-open-source products like
Spamhaus or commercial products like Commtouch remains to be seen, but
certainly if/when Cisco and McAfee start pushing integration, there will
be pressure on for everyone to start folding this in.
jms
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
[EMAIL PROTECTED] http://www.opus1.com/jms
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
