Hosting Provided By

Re: [Snort-users] Re: [Snort-devel] IDS vs IPS

From: Jeff Nathan <jeff(at)snort.org>
Date: Sat Aug 30 2003 - 21:08:44 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

In 2003 commercially ready has come to mean that a product contains an acceptable number of flaws. There are a few analysts out there who I have faith in (Greg Shipley to name one), but by and large let's not give analysts too much credit. There are plenty of security product companies whose products are designed by marketing organizations whose members have neither worked in operational security nor attempted to penetrate a system.

Yes, Brian Reid and the others credited with inventing the firewall at DEC WRL did an impressive job at the time. Just as the IDS efforts at SRI and LLNL in the 1980s were impressive. It's now 2003 and time doesn't stand still.

Hartmeier's PF *IS* good firewall code. Were we to compare the quality of the underlying code it's as good or better than the work at WRL. Were we to compare its features to those the WRL firewall it's no contest; the level of completeness is an order of magnitude higher. http://www.benzedrine.cx/pf.html (this site appears to be down at the moment).

IPS is a made up term. It's nonexistent. It's marketing voodoo. It's nondescript and just like other forms of language that have permeated the English language as a result of political correctness and the haphazard nature of people working in marketing organizations to pull buzzwords out of thin air, it reduces the specificity of the topic at hand.

IPS might describe any number of concepts. After all, what does intrusion prevention REALLY mean? Are we talking about preventing execution of CPU instructions? Preventing network data containing malicious data from being allowed to reach an end host? Obviously the marketing folks are going to try to spin this in dozens of ways but I'm not ready to let them have their way when it comes to destroying the specificity of language.

As it relates to computer networks, IPS would have to be gateway intrusion detection (aka in-line intrusion detection). Indeed, if a firewall vendor thinks they're moving into this space I'd love to hear about their design and implementation. Also, if a company is moving into this space exclusively I'd love to hear about their technology.

Do you need help?

As each security company tries to get their hand in the proverbial cookie jar we're going to see more and more products touting their IPS features. Taken literally, they might be right. However, this lack of linguistic specificity moves the state of security back several years rather than propel it forward. Much like NIDS vendors played the game of counting how many signatures they had before CVE was created, every security company is going to tout their IPS features until a common definition is agreed upon.

I'll put my stock in industry analysts such as the folks over at Gartner when they stop producing research reports whose data was gathered by making phone calls to company executives rather than empirical analysis. That's right, folks. That much touted Gartner report was exposed not all that long ago when they were questioned directly about the source of their information. As the story goes, they admitted (in a room full of people) to having simply made phone calls.

I look forward to my beer. :)

Take care,

-Jeff

On Saturday, August 30, 2003, at 05:43 PM, Mark Teicher wrote:

> Jeff,
>
> Rather impressive does not mean it is commercial ready.
> Commercial Ready means it meets or exceeds he criteria of the
> definition of the Industry Analysts and can be reviewed by the people
> who do those rather large network type bake-offs of products and
> barely understand how the technology works except click "Setup.exe"
> and pray the Installshield doesn't barf on their system which most
> likely doesn't meet the vendors stated minimum requirements. How
> about db's?? How many of the IPS vendors require MSSQL as their
> databse of choice??
> If the IPS vendors require MS SQL as their database backend, that
> means the IPS management console can't handle an enterprise type
> organization without having massive horsepower and some sort of
> distributed console management technology underlying it. How many of
> the industry reviewers actually review that type of scenario.. ??
>
> I might not even have to take off my shoes to count. Oh better yet,
> let me get out my abacus..
>
> [/standing on soapbox]
>
> Back to my original ranting, GOOD firewall code hasn't been produced
> in years..In fact, if someone could dig up Wei Xu, Peter Churchill or
> Brian Reid.. I am sure they could tell you stories about GOOD firewall
> code, proxy code and the crud they had to put up with.
>
> You know there are still Digital Equipment Corporation Firewalls in
> place at a major bank in NY/NJ area.. (DECSeal at least 20 of them by
> my last count).. the technology is 10 years old, and no one has broken
> into them.. Go figure that one out.. no IDS, no IPS.. Actually in
> fact, I can also name a few other companies that still have Gauntlet
> firewalls in place..
>
> Was it GOOD firewall code, who knows, but the fact remains, IPS
> technology is still in its infancy, while Firewalls have been around
> for almost 15 years, and IDS technology, although not fully matured
> over 5 years.
> IPS is less than 30 months old, and everyone single marketing person
> expels "IPS is the future, firewalls and IDS are dead" OK, marketing
> people, speak up and tell us who the pure IPS vendors are, not
> firewall and IDS vendors trying to re-define their space and get some
> marketing mojo going..
>
> I even cc;ed a marketing person on the list so that they can respond
> to the hype and defend themselves in this little thread.. C'mon give
> us the marketing hype and story.. Anyone else from other vendors
> marketing department listening/reading.. ??
>
> [/slipping off soapbox...]
>
> argghhhh, I have fallen underneath the IPS hype and need call the
> nearest IPS marketing person to get up...
>
> P.S. Does this mean I am back to my full lunancy of ranting and
> raving, not quite sure, but it is fun to be alive again.. Jeff N and
> Gary C, I owe you two a beer..
>
> /cheers
>
> /mark
>
> At 06:02 PM 8/30/2003, Jeff Nathan wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----

-- Top security experts. Cutting edge tools, techniques and information. Tokyo, Japan November, 2003 http://www.pacsec.jp -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/UUqkEqr8+Gkj0/0RAn/sAKCWCa6tyPlQHJM7JPb4V83wKuJdpQCeIMy8 7GW4yRWGtMPlf07BO9Lc6HY=
=lQmh
-----END PGP SIGNATURE-----

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Sat Aug 30 21:13:34 2003

This message: [ Message body ]
Next message: Bob Walder: "RE: [Snort-users] Re: [Snort-devel] IDS vs IPS"
Previous message: Jeff Nathan: "Re: [Snort-devel] IDS vs IPS"
In reply to: Mark Teicher: "Re: [Snort-users] Re: [Snort-devel] IDS vs IPS"
In reply to pieter claassen: "Re: [Snort-devel] IDS vs IPS"
Next in thread: Mark Teicher: "Re: [Snort-users] Re: [Snort-devel] IDS vs IPS"
Reply: Mark Teicher: "Re: [Snort-users] Re: [Snort-devel] IDS vs IPS"
Reply: Gary Flynn: "Re: [Snort-users] Re: [Snort-devel] IDS vs IPS"
Reply: Bob Walder: "RE: [Snort-users] Re: [Snort-devel] IDS vs IPS"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:09 EDT

Do you need more help?