Firewall Wizards mailing list archives
RE: INtrusion Detection
From: Gary Crumrine <gcrum () us-state gov>
Date: Thu, 19 Feb 1998 06:08:47 -0500
OK Tom, you have managed to poke holes in every product on the market...now how do you propose we fix the problems? The need is definitely there, no one will argue that...so what is a guy/girl to do? Are you suggesting that we go without anything? That even in the limited functionality presented by these products, that they should not be used at all? I disagree. Anything that enhances the security of someone's system is welcome, and adds value. Nothing is 100% safe. A determined, knowledgeable group can take out anything. I would think that any tool that does provide increased security is viable. Do they work in all cases? Nope. Do they offer false security? Only to the unknowing.

I think the IDS products we see on the market today represent where the Firewall industry was a few years ago. Look where that is now, multi-billion dollar industry, and they still can not say that you are 100% safe. With the advent of the network appliance products coming to market these days, the death knell is sounding. You are right in that some IDS advertisements do stretch the limit a bit, but no more than the claims by the firewall vendors. Pricing seems to indicate that they feel the products are right up there with firewalls. I believe in this so much, that I think you will see a big push for LEADING Firewall technology companies to begin to incorporate this functionality in their product as a way of marketing their product.

The bottom line is that whatever you are talking about, be it firewall technology, or IDS systems, OS's, whatever, it comes down to the person who is configuring the beast and whether they exercise due diligence in their work. These IDS products are nothing more than a tool to be used in a total threat management program. If you got the bucks to spend, I think the return on the investment is good.
Thanks for the input

My, this thread just keeps going and going...I can't remember when we had such a long and intelligent discussion on a given subject without everything evolving into a mud slinging contest. Way to go people!!!

-----Original Message-----
From: tqbf () secnet com [SMTP:tqbf () secnet com]
Sent: Wednesday, February 18, 1998 1:17 PM
To: firewall-wizards () nfr net
Subject: Re: INtrusion Detection
It was not until the SNI paper that some light was shed into the basic design flaws and vulnerabilities of network IDS's.
Actually, Vern Paxson's "Bro" paper (presented at Usenix, you can download at http://ftp.ee.lbl.gov/pspers/bro-usenix98-revised.ps.Z) beat us to the punch. For people more interested in how one could work around the IDS problems we discovered, Paxson's paper is more valuable than ours. Certainly both are well worth reading. =)
Before it every IDS vendor would claim their software was not vulnerable.
It would appear that you are not aware of what the vendors are claiming right now. What I have seen change since the release of our paper is that the vendors have invoked the all-powerful "nothing is 100% secure" clause, and ignored our work entirely (although I assume there are bugfixes planned at some time in the near future).
How can one recommend a product over another without having such information?
The magazines seem to get by fine with little or no knowledge of what it is they're evaluating. The easiest and most effective (for a magazine) way to evaluate security products is to rank them in order of advertising dollars spent.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"