IDS mailing list archives

RE: IDS, IPS or just rubbish


From: "Andrew Plato" <aplato () anitian com>
Date: Wed, 25 Jun 2003 18:36:38 -0700


> Checkpoint are pushing this patch to NG FP3 FW-1 as
> an all-in-one solution whereby you wouldn't need an
> IDS as well as a firewall. In Hong Kong they have
> over 70% of the firewall market - their market
> penetration is similar worldwide - in order to
> gain competitive advantage they are trying to
> crush the IDS/IPS market. Maybe they've been
> partying with Gartner.

They're just doing what a lot of vendors are. Retooling their products
to be competitive against IPS technologies. No harm in that. But, it
does sound like there is a lot of BS in this IPS pitch from them. 

> Their big push is that they are doing application-layer
> stuff now which anyone who knows firewalls will know is
> what Sidewinder, Gauntlet and Axent (Symantec) have been
> doing for years.

Actually, so has WatchGuard. I have come to LOVE the WatchGuard SMTP
proxy, because it can dump all nasty attachments and filter out some
spam. The fact that CP is claiming they were first does seem
disingenuous.

> They kept telling me about SQL Slammer and how this
> solution will stop it. What utter crap. Can anyone
> on this list tell me of a signature-based IDS which
> picked Slammer up in the 2-odd hours it needed to propagate?

ISS RealSecure, Symantec ManHunt, NFR, and Cisco IDS all had signatures
on the day Slammer hit. ISS had a signature about 3 months before
Slammer.

> There has been a lot of discussion here about the
> future of IDS - I think I've seen Checkpoint's vision
> ....... Treat us all like fools.
>
> Zero-day detection my ****.

I think you're being a little harsh on IPS. Although from the sound of
it, CheckPoint's answer to IPS sounds kind of weak. 

I've had IPSs running in my network for 3 years, and they can be a real
asset when some new attack comes out. My Guard box does a very nice job
of killing all the Code Reds, and variants of it. Don't give up on IPS
yet. 

<sales> If you have time, give RealSecure Guard, TopLayer's Attack
Mitigator, or NAI's IntruVert a try. These are outstanding technologies
that really can offer significant improvement in stopping known and new
attacks. And they aren't some weak little add-on to another technology.
They're ground-up IPS technologies. </sales>

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

Enterprise Security &
Infrastructure Solutions
 
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com 
___________________________________
