IDS mailing list archives
IDS thoughts
From: Randy Taylor <gnu () charm net>
Date: Tue, 13 May 2003 14:50:52 -0400
The recent debate on Polymorphic Shellcode Detection (PSD) illustrates something about the IDS field that isn't discussed often, if at all. IDS has made the transition from leading-edge space to commodity space. PSD is a good example.

Every major IDS product on the market provides some form of PSD. It may be a partial or an exact match, but all of them will say something along the lines of, "there's something not right here - pay attention". Any enterprise with a good network security team either in-house or outsourced will start paying attention immediately.

With that point established, the differentiation debate between IDS vendors has to shift to commodity-style arguments: "We have a better algorithm!", "We're faster!", "We provide better ROI!", "Now with Boron! (tm)", etc. This is what was really at the heart of the recent discussion between representatives of IntruVert, ISS, and Enterasys on PSD.

Fragrouter has done about everything that can be sanely done to a packet through Layer 4. Everything else that is happening is Layer 5 and above - most of that is a derivative of something that has gone down the wire before and in the main it's not even trying to hide. There's really not a whole lot else to be done in the IDS market except product improvements (code refinement, etc.), signature maintenance, and keeping up with data rates. Oh, and press releases.

So for the IDS consumer, which the majority of us on this list are, all that really matters is what has always mattered. Feature sets, GUIs, unit cost, usability/manageability, forensics, maintainability, a product's ability to integrate with third-party tools, low false-positive and false-negative rates, etc. Little of what the vendor reps had to say about PSD had anything to do with that. If you go back and look at the posts by any vendor rep over the last year or two, it'll be the rare one that addresses a customer's standard issue set.

So when you vendor guys start talking objectively about things IDS consumers like me really care about, I'll listen. I won't be holding my breath waiting. In the meantime, save your thinly veiled digs at each other for your marketeers.

Thanks,
Randy

-----
"To succeed in the world, it is not enough to be stupid, you must also be well-mannered." -- Voltaire