IDS mailing list archives
RE: Changes in IDS Companies?
From: Chris Petersen <chris () idsroi com>
Date: Thu, 17 Oct 2002 00:19:20 -0400
I think we need to be careful not to get too caught up in the hype of "intrusion prevention" which imo is 90% marketing, 10% reality. All commercial NIDS today provide some sort of intrusion prevention capability in the form of active response features such as shunning (reconfiguring firewall/router ACLs) and sniping (e.g., TCP resets) - they just don't sit in-line like Intruvert or Tipping Point. However, organizations are hesitant (or rather terrified) of enabling any of these aformentioned active response features for fear of blocking/terminating authorized traffic. Why??? IDS vendors have not been able to get false alarm/postive rates down to a level where organizations would trust an IDS alert to enforce network policy. Nothing I've seen or read from these new vendors gives me any reason to believe they have cured the cancer of IDS - false alarms/positives. Both Intruvert and Tipping Point rely on the same techniques to detect attack/misuse as non "IPS" systems do (e.g., Dragon, Snort, Realsecure) namely pattern matching (signatures) and protocol analysis (with a little secret anomaly detection sauce thrown in for good measure). Lancope isn't an IPS technology but rather a true anomaly-based IDS that from what I've seen looks very powerful in the hands of someone who really understands their network traffic - not familier with Vsecure and Forescout. Intrusion prevention is definitely the goal and as IDS and firewall technologies begin to merge (e.g., Netscreen purchasing OneSecure, Symantec's gateway appliance) this is likely where it will end up - with one caveat - false alarms need to be reduced to such a neglible level that they can be trusted to enforce network policy just as a firewall does today. Imho, we have a few years to wait and pure IDS will still have a role (preventive vs. detective controls). In the meantime, I predict new "IPS" companies products will have false alarm/positive rates significantly higher than todays leading commercial products due to their limited field deployments causing their "IPS" features to be turned off - relagating them to nothing more than a simple "IDS", how sad. Chris Petersen
-----Original Message----- From: Avi Chesla [mailto:avic () V-Secure com] Sent: Tuesday, October 15, 2002 4:46 AM To: focus-ids () securityfocus com Cc: 'Samuel Cure' Subject: RE: Changes in IDS Companies? I totally agree with you. Next generation IDS ,also being called Intrusion Prevention Systems or Perimeter Security devices are the next step in the evolution of the Traditional Intrusion Detection Systems. Vendors such as Intruvert, Tipping point , Vsecure Technologies , Lancope, Forescout , TopLayer (Mitigator) etc, are example of some. All these vendors claim to have an Intrusion Prevention Systems which usually has some kinds of Adaptive capabilities, they do behavioral and protocol analysis and do not based on attack signature (most of them) , they sit in-line (most of them), they mitigate attack without be depended in other products to do the blocking... Best Regards, Avi Chesla Director of Research Vsecure Technoliges, Inc. www.v-secure.com -----Original Message----- From: Samuel Cure [mailto:scure () netpierce net] Sent: Monday, October 14, 2002 10:54 PM To: focus-ids () securityfocus com Subject: Changes in IDS Companies? Just noticing some changes with some known IDS companies and wanted some feedback from the community. Because Marcus Ranum left NFR earlier this year and Ron Gula has left Enterasys Networks, I am questioning the future of some early-on IDS companies. I mentioned some time ago that the IDS market will eventually consolidate and it seems like things are moving in that direction. To further enforce my point, word on the street is TippingPoint is now seeking for someone to buy them out. Does anyone else have anything that could help validate this or these types of trends in IDS companies? Thanks in advance! ------------------- Samuel J. Cure Security Specialist NetPierce Security Services www.netpierce.net -------------------
Current thread:
- Changes in IDS Companies? Samuel Cure (Oct 14)
- <Possible follow-ups>
- RE: Changes in IDS Companies? Avi Chesla (Oct 15)
- Re: Changes in IDS Companies? Martin Roesch (Oct 16)
- Re: Changes in IDS Companies? scottw (Oct 16)
- Re: Changes in IDS Companies? Aaron Turner (Oct 16)
- RE: Changes in IDS Companies? Rob Shein (Oct 23)
- Re: Changes in IDS Companies? Aaron Turner (Oct 23)
- Re: Changes in IDS Companies? Martin Roesch (Oct 16)
- RE: Changes in IDS Companies? J. Foobar (Oct 16)
- RE: Changes in IDS Companies? Karl Lynn (Oct 16)
- RE: Changes in IDS Companies? Chris Petersen (Oct 16)
- Re: Changes in IDS Companies? roy lo (Oct 16)
- RE: Changes in IDS Companies? Oliver Petruzel (Oct 17)
- RE: Changes in IDS Companies? Mike Shaw (Oct 18)
- Re: Changes in IDS Companies? Frank Knobbe (Oct 18)
- Re: Changes in IDS Companies? Raistlin (Oct 31)
- Re: Changes in IDS Companies? Scott Wimer (Oct 31)
- Re: Changes in IDS Companies? Martin Roesch (Oct 16)