IPS Shortcomings, presented at Black Hat USA 2006

by Renaud Bidou

Summary: Technologies emerge on a regular basis with new promises of better security. This is more or less true. However, we know there are still weaknesses and that 100% security is not realistic. Therefore, the real need when deploying a new security device is to know its limits. IPS are part of those new technologies. They are oversold by marketing pitches and promises of absolute security. Guess what? This is not exactly the truth...
The purpose of this talk is not to discredit IPS but to help in understanding the limits of the technologies involved. We will particularly focus on the following subjects:
- conceptual weaknesses and ways to detect "transparent" inline equipment
- signature issues
- hardware architecture limitations and common jokes
- the necessary performance vs. security trade-off and its consequences
- behavioral, heuristic, neural stuff, etc.: reality and limitations
Through examples, proofs of concept and test bed results, we should provide a broad view of IPS reality: what you can expect from them now and what they will never do for you.