RE: Changes in IDS Companies?

[Chris Petersen <chris () idsroi com>]

I think we need to be careful not to get too caught up in the hype of
"intrusion prevention" which imo is 90% marketing, 10% reality.  All
commercial NIDS today provide some sort of intrusion prevention
capability in the form of active response features such as shunning
(reconfiguring firewall/router ACLs) and sniping (e.g., TCP resets) -
they just don't sit in-line like Intruvert or Tipping Point.  However,
organizations are hesitant (or rather terrified) of enabling any of
these aformentioned active response features for fear of
blocking/terminating authorized traffic.  Why??? IDS vendors have not
been able to get false alarm/postive rates down to a level where
organizations would trust an IDS alert to enforce network policy.  

Nothing I've seen or read from these new vendors gives me any reason to
believe they have cured the cancer of IDS - false alarms/positives.
Both Intruvert and Tipping Point rely on the same techniques to detect
attack/misuse as non "IPS" systems do (e.g., Dragon, Snort, Realsecure)
namely pattern matching (signatures) and protocol analysis (with a
little secret anomaly detection sauce thrown in for good measure).
Lancope isn't an IPS technology but rather a true anomaly-based IDS that
from what I've seen looks very powerful in the hands of someone who
really understands their network traffic - not familier with Vsecure and
Forescout.  

Intrusion prevention is definitely the goal and as IDS and firewall
technologies begin to merge (e.g., Netscreen purchasing OneSecure,
Symantec's gateway appliance) this is likely where it will end up - with
one caveat - false alarms need to be reduced to such a neglible level
that they can be trusted to enforce network policy just as a firewall
does today.  Imho, we have a few years to wait and pure IDS will still
have a role (preventive vs. detective controls).  In the meantime, I
predict new "IPS" companies products will have false alarm/positive
rates significantly higher than todays leading commercial products due
to their limited field deployments causing their "IPS" features to be
turned off - relagating them to nothing more than a simple "IDS", how
sad.

Chris Petersen


> -----Original Message-----
> From: Avi Chesla [mailto:avic () V-Secure com] 
> Sent: Tuesday, October 15, 2002 4:46 AM
> To: focus-ids () securityfocus com
> Cc: 'Samuel Cure'
> Subject: RE: Changes in IDS Companies?
>
>
> I totally agree with you. Next generation IDS  ,also being 
> called Intrusion Prevention Systems or Perimeter Security 
> devices are the next step in the evolution of the Traditional 
> Intrusion Detection Systems. Vendors such as Intruvert, 
> Tipping point ,  Vsecure Technologies , Lancope, Forescout , 
> TopLayer (Mitigator) etc, are example of some. All these 
> vendors claim to have an Intrusion Prevention Systems which 
> usually has some kinds of Adaptive capabilities, they do 
> behavioral and protocol analysis and do not based on attack 
> signature (most of them) , they sit in-line (most of them), 
> they mitigate attack without be depended in other products to 
> do the blocking...
>
> Best Regards,
>
> Avi Chesla
> Director of Research
> Vsecure Technoliges, Inc.
> www.v-secure.com
>
> -----Original Message-----
> From: Samuel Cure [mailto:scure () netpierce net] 
> Sent: Monday, October 14, 2002 10:54 PM
> To: focus-ids () securityfocus com
> Subject: Changes in IDS Companies?
>
>
> Just noticing some changes with some known IDS companies and 
> wanted some feedback from the community. Because Marcus Ranum 
> left NFR earlier this year and Ron Gula has left Enterasys 
> Networks, I am questioning the future of some early-on IDS 
> companies. I mentioned some time ago that the IDS market will 
> eventually consolidate and it seems like things are moving in 
> that direction.
>
>
> To further enforce my point, word on the street is 
> TippingPoint is now seeking for someone to buy them out. Does 
> anyone else have anything that could help validate this or 
> these types of trends in IDS companies?
>
>
>
> Thanks in advance!
>
> -------------------
> Samuel J. Cure
> Security Specialist
> NetPierce Security Services
> www.netpierce.net
> -------------------