Does anyone feel IDS/IPS is starting to become a waste of effort?
-
This question has obviously been asked all over the place, but sometimes I like to get fresh opinions. I know there is a constant debate on this one, but as I've seen it, it feels like things are moving more and more towards it NOT being that useful.
With how much traffic is encrypted now, and the generally very high false positive rate, a part of me thinks it might not be worth the effort of tuning anymore. While I do love to play around with it, as it's intriguing from a netsec standpoint, I really am just not sure, even in an enterprise environment, if it's worth the time. To me, things like PFBlocker with a very strict setup might be a better option overall for security.
Another thing is the performance required, even after solid tuning, is a bit insane on high throughput networks. I've been testing my Netgate 6100 on my home network just for fun, I have a roughly 1.4 gigabit connection, with Suricata enabled and tuned pretty well I was seeing 96% CPU usage and speeds were closer to 1.1 gigabits vs having it disabled. Really is an insane amount of resource usage IMO, and while I expected this it's just always interesting to test it. For reference without Suricata enabled the 1.4 gigabit puts CPU usage into the 20-30% mark, and I've easily been able to push 10 gig through this firewall without pegging the CPU.
Of course many environments don't need speeds beyond gigabit, but in the event you do it's a bit of a challenge to get it done.
Does anyone else feel the same way? Are you still configuring Suricata/Snort in your environments or are you just leaving it off?
P.S. yes this was a copy paste from a reddit post which I also created. Tend to get better results here but draft things there.
-
@planedrop BMeeks has in fact mentioned this several times in the IDS forum. It's another layer. It does seem a bit more useful for inbound connections...web, email, etc., although those are also often encrypted. Rule category choice can affect it, e.g. no need for the web server rules if one doesn't have a web server. I have Snort running at home but it only flags a couple things a day.
For our clients we have IDS, antivirus/antimalware on PCs, Quad9 DNS, pfBlocker, and/or other layers.
-
@planedrop Yeah, I have the same sentiment and have decided to leave suricata out of my next firewall config (I'm doing a ZFS reinstall on my SG-6100) once 22.01 goes release.
-
@steveits said in Does anyone feel IDS/IPS is starting to become a waste of effort?:
@planedrop BMeeks has in fact mentioned this several times in the IDS forum. It's another layer. It does seem a bit more useful for inbound connections...web, email, etc., although those are also often encrypted. Rule category choice can affect it, e.g. no need for the web server rules if one doesn't have a web server. I have Snort running at home but it only flags a couple things a day.
For our clients we have IDS, antivirus/antimalware on PCs, Quad9 DNS, pfBlocker, and/or other layers.
Makes sense, it for sure is another layer, I just wonder if it's not that useful of one. I personally haven't seen anything legit blocked by it, it's all been false positives in my testing. Of course my testing has been in a home environment, bit less likely for a sophisticated attack.
I think the big question that hits my head is, how often would something like IDS actually stop something that DNS/IP blocking and other layers wouldn't, if it's extremely low to none then maybe it's not worth it.
Appreciate the input here!
-
@keyser said in Does anyone feel IDS/IPS is starting to become a waste of effort?:
@planedrop Yeah, I have the same sentiment and have decided to leave suricata out of my next firewall config (I'm doing a ZFS reinstall on my SG-6100) once 22.01 goes release.
Makes sense, I'm leaning this way too. I manage a lot of PFSense firewalls, including for a pretty critical facility, but I've never once seen their suricata installs actually catch something, and way back when we weren't using PFSense, I never saw other firewall's IDS systems catch anything either.
Security is of course layers, so it's important to factor that in. But in all reality I think if IDS would have stopped something, but your other layers would have missed it, then maybe you need to reconsider your other layers effectiveness.
It's always a balance too, and my personal conclusion is starting to come back to the downsides being worse than the upsides for this subject. For me though the downside could be bigger than in a work environment, since it's very common for me to pull that full 1.4 gigabit on my WAN, so slowing that down would be a constant annoyance.
-
@planedrop said in Does anyone feel IDS/IPS is starting to become a waste of effort?:
I've never once seen their suricata installs actually catch something
In our data center (client web hosting, etc.) we get an alert every minute or so. :)
At 1.4 Gbit do you get that on most sites? The web server and everything in between would have to allow for that...
-
@steveits said in Does anyone feel IDS/IPS is starting to become a waste of effort?:
@planedrop said in Does anyone feel IDS/IPS is starting to become a waste of effort?:
I've never once seen their suricata installs actually catch something
In our data center (client web hosting, etc.) we get an alert every minute or so. :)
At 1.4 Gbit do you get that on most sites? The web server and everything in between would have to allow for that...
Interesting data to have for sure. Are those alerts seemingly legit? Do you think they'd be blocked by something else anyway?
I use the full bandwidth frequently for downloading large files, games, torrents, etc... Def not needed for general browsing but there are times when someone wants to play a game (this is just one example) that I don't have installed and having to wait longer for that would just be a nuisance when I'm paying for more bandwidth.
-
@planedrop said in Does anyone feel IDS/IPS is starting to become a waste of effort?:
Are those alerts seemingly legit? Do you think they'd be blocked by something else anyway?
Most are. Occasionally a client will block themselves by entering an email password wrong several times, or a rule update is bad. People just scan the Internet for open ports so they will try to connect to anything and everything.
We do have other layers, e.g. fail2ban runs on the servers as well.
-
@planedrop said in Does anyone feel IDS/IPS is starting to become a waste of effort?:
But in all reality I think if IDS would have stopped something,
IDS was never meant to stop anything, just detect. The stopping power is the firewall. Maybe DPDK will come up with a way to unencrypt and look...who knows...the future for sure for IDS/IPS is to do that. The IPS part isn't to block anything per se, but more to put an IP in timeout, and one has three chances of a timeout before the IP is permanently placed on the firewall blocklist...this is how I interpret it...maybe I have it incorrectly.
-
End-to-end encryption is most definitely diminishing the importance of IDS/IPS. And encrypted payloads can be the source of many false positives. The random encrypted data will occasionally match up with the tested bytes in a rule.
There is also the issue of some admins misunderstanding the intent of some rules. For example, there are categories in both Snort and Suricata where the rules are designed to simply detect malformed network traffic. Not all malformed traffic is nefarious. It may just be the result of bad or inexperienced programming on the part of a developer. Some is the result of asymmetrical routing. So rules that detect this type of traffic are really for "information" purposes and do not necessarily belong in the block or drop action list. They usually should be left at ALERT and not elevated to DROP (or block if using Legacy Mode).
False positives are the biggest pain with an IDS/IPS. Tracking those down can take a lot of work.
In the old days, IDS/IPS was extremely useful. This was especially true when it could peer into the packet payloads. Also, back then, raw traffic rates were typically lower (granted so was CPU horsepower, but you still generally had more CPU power than Internet bandwidth back then). But now looking into payloads is usually not possible unless you use MITM. And 10G Internet traffic can cause even a powerful CPU to sweat bullets when trying to inspect that traffic against several thousand IDS rules.
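As an added worked example (not part of the thread, and not Suricata's or pfSense's own code), here is a small model of the "random encrypted data matches the tested bytes in a rule" effect from the post above: the expected number of chance hits of a fixed content pattern over a byte stream, evaluated at the 1.4 Gbit/s WAN figure quoted earlier in the thread, plus a seeded simulation over constructed random bytes standing in for TLS records. The 1.4 Gbit/s rate is from the thread; the pattern lengths, the seed, the 4 MiB buffer and the assumption of a link saturated for 24 hours are mine.

```python
"""Added example: chance matches of a content: pattern on random (encrypted) bytes.

Model: each byte position of an inspected stream matches a fixed pattern of
length L with probability 256**-L, so the expected number of chance hits is
bytes_inspected * 256**-L. This ignores offset/depth/flow/port constraints,
which only reduce the count, so the numbers are an upper bound for a bare match.
"""
import random


def expected_random_matches(bytes_inspected: int, pattern_len: int) -> float:
    """Expected chance matches of a fixed pattern_len-byte pattern in bytes_inspected random bytes."""
    return bytes_inspected * 256.0 ** (-pattern_len)


def bytes_per_day(bits_per_second: float) -> int:
    """Bytes carried in 24 h at a sustained bit rate (assumes the link stays saturated)."""
    return int(bits_per_second / 8 * 86400)


def count_matches(data: bytes, pattern: bytes) -> int:
    """Count every (overlapping) occurrence, like a bare content: match with no offset/depth."""
    n, i = 0, data.find(pattern)
    while i != -1:
        n += 1
        i = data.find(pattern, i + 1)
    return n


def simulate(seed: int = 1234, size: int = 4 * 1024 * 1024) -> dict:
    """Count chance hits of 2-, 3- and 4-byte patterns in `size` constructed random bytes.

    The random buffer stands in for ciphertext; seed and size are arbitrary choices.
    Patterns are b"\\x00\\x01", b"\\x00\\x01\\x02", ... (any fixed bytes behave the same).
    """
    rng = random.Random(seed)
    data = rng.getrandbits(size * 8).to_bytes(size, "big")
    return {plen: count_matches(data, bytes(range(plen))) for plen in (2, 3, 4)}


if __name__ == "__main__":
    per_day = bytes_per_day(1.4e9)  # the 1.4 Gbit/s WAN from the thread, assumed saturated 24 h
    for plen in (2, 4, 8):
        print(f"{plen}-byte content pattern: ~{expected_random_matches(per_day, plen):.3g} chance hits/day")
    for plen, hits in simulate().items():
        exp = expected_random_matches(4 * 1024 * 1024, plen)
        print(f"simulated {plen}-byte pattern: {hits} hits in 4 MiB (expected {exp:.3g})")
```

With the link saturated, a bare 4-byte content pattern is expected to fire a few thousand times a day on ciphertext alone, while an 8-byte one effectively never does; real rules add port, flow, offset and depth constraints that divide these numbers down, which is why the very short-content rules are the ones worth hunting for when the false positives are coming from encrypted flows.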
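The rule-action point in the post above (anomaly and "informational" categories stay at ALERT, real signatures are the only candidates for DROP) can be made a mechanical pass over a ruleset instead of a per-SID judgement call. The following is an added example and not pfSense's or Suricata's own tooling: it rewrites the action of each Suricata rule according to whether the rule is a stream/decoder/app-layer event or carries an informational classtype, leaves `pass` rules and commented-out rules untouched, and demotes an anomaly rule that someone had already set to `drop` back to `alert`. The sample rules, their SIDs (9000001 to 9000007) and the exact set of classtypes treated as informational are constructed for the example; adjust the set to your own categories.

```python
"""Added example: derive an IPS action policy from a Suricata ruleset.

Signatures that only describe protocol oddities (stream/decoder/app-layer events,
informational classtypes) stay at `alert`; everything else is promoted to `drop`.
"""
import re

ACTION_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+(?P<rest>.*)$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")

# Assumed policy: these classtypes and keywords mark rules that are informational only.
INFO_CLASSTYPES = {"protocol-command-decode", "not-suspicious", "unknown", "misc-activity"}
ANOMALY_KEYWORDS = ("stream-event:", "decode-event:", "app-layer-event:")

# Constructed sample rules for the example; SIDs and messages are made up.
SAMPLE_RULES = """\
# Constructed sample rules; SIDs 9000001-9000007 are not real rule IDs.
alert tcp any any -> any any (msg:"EXAMPLE STREAM 3way handshake wrong seq wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; classtype:protocol-command-decode; sid:9000001; rev:1;)
alert pkthdr any any -> any any (msg:"EXAMPLE IPv4 packet too small"; decode-event:ipv4.pkt_too_small; classtype:protocol-command-decode; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE MALWARE beacon URI"; flow:established,to_server; http.uri; content:"/gate.php?id="; classtype:trojan-activity; sid:9000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE EXPLOIT SMB overflow attempt"; flow:established,to_server; content:"|ff 53 4d 42|"; depth:4; offset:4; classtype:attempted-admin; sid:9000004; rev:1;)
pass ip $HOME_NET any -> 203.0.113.10 any (msg:"EXAMPLE POLICY allowlisted scanner"; sid:9000005; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; content:"abc"; classtype:misc-activity; sid:9000006; rev:1;)
drop tcp any any -> any any (msg:"EXAMPLE APPLAYER protocol mismatch"; app-layer-event:applayer_mismatch_protocol_both_directions; classtype:protocol-command-decode; sid:9000007; rev:1;)
"""


def is_informational(rule: str) -> bool:
    """True when the rule only flags malformed/odd traffic rather than an attack."""
    if any(kw in rule for kw in ANOMALY_KEYWORDS):
        return True
    m = CLASSTYPE_RE.search(rule)
    return bool(m) and m.group(1) in INFO_CLASSTYPES


def apply_ips_policy(rules_text: str) -> str:
    """Rewrite rule actions: informational -> alert, pass stays pass, the rest -> drop.

    Blank lines, comments (disabled rules) and unparsable lines pass through unchanged.
    """
    out = []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line.strip())
        if not m:
            out.append(line)
            continue
        if m.group("action") == "pass":
            action = "pass"
        elif is_informational(line):
            action = "alert"
        else:
            action = "drop"
        out.append(f"{action} {m.group('rest')}")
    return "\n".join(out) + "\n"


def actions_by_sid(rules_text: str) -> dict:
    """Map sid -> action for every active (non-commented) rule, for review or diffing."""
    result = {}
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line.strip())
        s = SID_RE.search(line)
        if m and s:
            result[int(s.group(1))] = m.group("action")
    return result


if __name__ == "__main__":
    before = actions_by_sid(SAMPLE_RULES)
    after = actions_by_sid(apply_ips_policy(SAMPLE_RULES))
    for sid in sorted(after):
        print(f"sid {sid}: {before[sid]:5s} -> {after[sid]}")
```

Run the generated file through `suricata -T` (the rule/config test mode) before loading it, and keep the pre-policy copy so that the SID-to-action diff is reviewable; the whole point of the pass is that a rule from an anomaly category never ends up dropping traffic by accident, so anything that flips from `alert` to `drop` should be a signature you actually recognise.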