Hosting Provided By

Re: [Snort-users] Re: [Snort-devel] IDS vs IPS

From: Mark Teicher <mht3(at)earthlink.net>
Date: Sun Aug 31 2003 - 11:32:46 EDT

<mht>

At 07:08 PM 8/30/2003, Jeff Nathan wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

In 2003 commercially ready has come to mean that a product contains an acceptable number of flaws. There are a few analysts out there who I have faith in (Greg Shipley to name one), but by and large let's not give analysts too much credit. There are plenty of security product companies whose products are designed by marketing organizations whose members have neither worked in operational security nor attempted to penetrate a system.

<mht> Acceptable number of flaws, that is whole another topic !!!
I know I have the recent copy of Consumer Reports around my house somewhere that actually states what the acceptable defect level for car manufacturers is. Let me boil it down in very simple terms. 1. Cars should not explode if hit it in rear. 2. Cars should stop when the brake is depressed within the specified number of feet it can safely stop in.
3. Cars should not automatically lurch forward when the car is put into gear .

Applying the same simple terms to your definition above Jeff. 1. Commercial ready products that contain an acceptable number of flaws should not BSOD consistently in an enterprise environment. 2. Commercial ready products that contain an acceptable number of flaws should not prevent a remote user from authenticating on a previously working VPN/PPTP client or corrupt the TCP/IP stack. 3. Commercial ready products that contain an acceptable number of flaws should not make the end user reboot several times in order to have a successful installation/de-installation of the product.

Do you need help?

Yes, Brian Reid and the others credited with inventing the firewall at DEC WRL did an impressive job at the time. Just as the IDS efforts at SRI and LLNL in the 1980s were impressive. It's now 2003 and time doesn't stand still.

<mht> DEC WRL, Digital Equipment Corporation, (DEC).. :)

Hartmeier's PF *IS* good firewall code. Were we to compare the quality of the underlying code it's as good or better than the work at WRL. Were we to compare its features to those the WRL firewall it's no contest; the level of completeness is an order of magnitude higher. http://www.benzedrine.cx/pf.html (this site appears to be down at the moment).

<mht> At that point in history, IBM, Digital Equipment desired to be a
"one-stop" shopping solution".. I think vendors are still attempting to be "one-stop shopping solution" but from the security product suite view. Marketing folks, listen carefully on my next point: "Security is a layered approach". It is not a "ONE SIZE FITS ALL".. :)

IPS is a made up term. It's nonexistent. It's marketing voodoo. It's nondescript and just like other forms of language that have permeated the English language as a result of political correctness and the haphazard nature of people working in marketing organizations to pull buzzwords out of thin air, it reduces the specificity of the topic at hand.

<mht> I agree, IPS is made up term, that allowed Okena to gobble up some
market share from the Centrally Managed Desktop Firewall/IDS space. The market segment Centrally Managed Desktop Firewall/IDS in my mind is also a made up term. Three entirely different technologies mashed into one. There are way to many variables that could affect each one of the technologies when deploying in a very large enterprise environment.

IPS might describe any number of concepts. After all, what does intrusion prevention REALLY mean? Are we talking about preventing execution of CPU instructions? Preventing network data containing malicious data from being allowed to reach an end host? Obviously the marketing folks are going to try to spin this in dozens of ways but I'm not ready to let them have their way when it comes to destroying the specificity of language.

<mht> I agree, I don't know what Intrusion PREVENTION really means. That
is why I started ranting and raving. The IPS products that I have played with, pounded on, turned the knobs, made the whistles blow, did not appear to have anomaly detection technology incorporated into it, and I have yet to see an IPS product that handles SAP or CRM applications without having some major issues.

Do you need more help?

As it relates to computer networks, IPS would have to be gateway intrusion detection (aka in-line intrusion detection). Indeed, if a firewall vendor thinks they're moving into this space I'd love to hear about their design and implementation. Also, if a company is moving into this space exclusively I'd love to hear about their technology.

<mht> Another inline device. Jeff, Are you stating that an enterprise
organization should trust an IPS vendor by allowing to put their hardware/software inline with their network connectivity, be it external or internal??
That sounds a bit dangerous to the Router vendors out there and to the IDS vendors. If that is the case, then it is a matter of who gets to analyze the traffic first. That is a scary thought.. For example, an enterprise now has to test their SAP, CRM application against a high speed router (ensure ACLs in place doesn't prevent traffic from getting in and out), against the inline IDS or the inline IPS to ensure application traffic is not doing something malicious.. That sounds a bit overwhelming, why would an organization want to risk not being able to do business as they deal with the vendor that is preventing them from conducting business. Vendors should really invest the time in INTEROPERABILITY testing, since you can only blame the other guy so many times or the organization's deployment of some operating system that is no longer supported by Microsoft. My final point, IPS vendors should really work on their beta programs with their customers. Identify good beta customers, grab a bunch of development engineers get a plan together, and interoperability test your product on an enterprise network before releasing the product. Ganymede network traffic only provides a good lab environment data set. That will avoid the it works in our QA environment statement by the IPS vendor. Interoperability testing is critical to an enterprise organization's deployment of a Centrally Managed Firewall/IDS product or IPS product (cringe)..

As each security company tries to get their hand in the proverbial cookie jar we're going to see more and more products touting their IPS features. Taken literally, they might be right. However, this lack of linguistic specificity moves the state of security back several years rather than propel it forward. Much like NIDS vendors played the game of counting how many signatures they had before CVE was created, every security company is going to tout their IPS features until a common definition is agreed upon.

<mht> I disagree, I am still waiting to receive an IPS feature list that
the word IPS can not be substituted for IDS. I also want to disagree with you again on your second point, the NIDS vendors who architected their IDS products on pattern matching played the game of how many signatures they had against each other. A majority of the NIDS vendors had the exact same signature but named it differently.. Even some of the Centrally Managed Desktop Firewall vendors play the same game. One exception, most of the Centrally Managed Desktop Firewall vendors check their Sn0rt import before releasing and validate the IDS signatures actually apply to their product.

I'll put my stock in industry analysts such as the folks over at Gartner when they stop producing research reports whose data was gathered by making phone calls to company executives rather than empirical analysis. That's right, folks. That much touted Gartner report was exposed not all that long ago when they were questioned directly about the source of their information.
As the story goes, they admitted (in a room full of people) to having simply made phone calls.

<mht> IDC analysts did something similiar in 1997, when they defined the
SoHo Firewall Appliance market. The information they received from the vendors at the time was the sales funnel information. The only vendors to survive the SoHo Appliance market where the little router vendors, and not the original players. I don't think I even remember the original SoHo Firewall Appliance players.

I look forward to my beer. :)

<mht> You might have to fly to Coor's country to get your beer, Gary, you too..

Can we help you?

Take care,

-Jeff

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Tue Sep 2 08:51:26 2003

This message: [ Message body ]
Next message: Frank Knobbe: "Re: [Snort-users] Re: [Snort-devel] IDS vs IPS"
Previous message: Sandro Poppi: "[Snort-devel] ANNOUNCE: New project site for Snort IDMEF plugin"
In reply to: Jeff Nathan: "Re: [Snort-users] Re: [Snort-devel] IDS vs IPS"
Next in thread: Frank Knobbe: "Re: [Snort-users] Re: [Snort-devel] IDS vs IPS"
Reply: Frank Knobbe: "Re: [Snort-users] Re: [Snort-devel] IDS vs IPS"
Reply: Gary Flynn: "Re: [Snort-users] Re: [Snort-devel] IDS vs IPS"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:09 EDT