Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > focus-ids > 03 > 050596.html (Request Expert securityfocus.com Support)

IDS thoughts

From: Randy Taylor <gnu(at)charm.net>
Date: Tue May 13 2003 - 14:50:52 EDT

The recent debate on Polymorphic Shellcode Detection (PSD) illustrates something about the IDS field that isn't discussed often, if at all.

IDS has made the transition from leading-edge space to commodity space.

PSD is a good example. Every major IDS product on the market provides some form of PSD. It may be a partial or an exact match, but all of them will say something along the lines of, "there's something not right here - pay attention". Any enterprise with a good network security team either in-house or outsourced will start paying attention immediately.

With that point established, the differentiation debate between IDS vendors has to shift to commodity-style arguments:
"We have a better algorithm!", "We're faster!", "We're provide
better ROI!", "Now with Boron! (tm)", etc. This is what was really at the heart of the recent discussion between representatives of IntruVert, ISS, and Enterasys on PSD.

Fragrouter has done about everything that can be sanely done to a packet through Layer 4. Everything else that is happening is Layer 5 and above - most of that is a derivative of something that has gone down the wire before and in the main it's not even trying to hide.

There's really not a whole lot else to be done in the IDS market except product improvements (code refinement,etc), signature maintenance, and keeping up with data rates. Oh, and press releases.

So for the IDS consumer, which the majority of us on this list are, all that really matters is what has always mattered. Feature sets, GUI's, unit cost, usability/manageability, forensics, maintainability, a product's ability to integrate
with third-party tools, low false-positive and false-negative rates, etc.

Do you need help?X

Little of what the vendor reps had to say about PSD had anything to do with that. If you go back and look at the posts by any vendor rep over the last year or two, it'll be the rare one that addresses a customer's standard issue set.

So when you vendor guys start talking objectively about things IDS consumers like me really care about, I'll listen. I won't be holding my breath waiting. In the meantime, save your thinly veiled digs at each other for your marketeers.

Thanks,

Randy


"To succeed in the world, it is not enough to be stupid,
  you must also be well-mannered."
  • Voltaire ---

INTRUSION PREVENTION: READY FOR PRIME TIME? IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids2

Received on Tue May 13 18:31:55 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library