IDS mailing list archives

RE: Useful NADS


From: "Andrew Plato" <andrew.plato () anitian com>
Date: Thu, 1 Sep 2005 10:09:24 -0700

IPSs simply can't be deployed everywhere. 
How many organizations have you seen in which 
an IPS is placed at every location in which a Cisco 
router exists? NADS deployed with NetFlow gives the IT 
admin the ability to virtually inspect traffic at MANY 
locations throughout the network at once without the 
need for expensive inline hardware.

NADS is completely complementary to existing IPS technologies. 
They operate in very different ways and solve a different kind of
problem.

Well, there are some IPSs that I would feel confident deploying
everywhere, but that gets into a sales pitch and I won't torture the
group with that. However, I agree that there are a lot of products being
marketed as an IPS that are not reliable enough to deploy at every
routing point.

The real reason IPS (or your product for that matter) cannot be deployed
everywhere is because most organizations do not have an unlimited
supply of cash to spend on boxes filled with wires. If you know of any
that do have an unlimited supply of cash - by all means, send them my
way. I have plenty of boxes filled with wires I can sell them. 

Smart organizations that practice good risk management are looking to
reduce the maximum number of risks for the least expenditure of cash. As
such, YABOW (yet another box of wires) sitting on the network offering
the POSSIBILITY of risk reduction is not as valuable as YABOW that
offers ACTUAL risk reduction. 

Furthermore, network insight is only useful if you can DO something with
all that insight. I give a presentation called the Myths of Information
Security. Myth #6 is "Awareness is Not Security." Being aware (or
insightful) about a problem doesn't mean the problem goes away. You have
to ACT on that. Without the ability to act, knowing there is a problem
just makes things miserable. Thus, when deploying YABOW, organizations
must be prepared to handle the data that comes from such a system.
Otherwise, no point in even having it. 

This is why I say NADS is a marginally interesting product. Mixed with
an IPS that can detect and block known attacks, then I can see the
value. But a stand-alone NADS probably isn't the best investment for
most organizations. It would be better to focus on a solid IPS product
or better VLAN ACLs. 

Now, that much said, I do not have a lot of experience with Lancope's
technologies. So, my opinions are not an attempt to discredit your
specific technology. I am not qualified to do that. I am merely sharing
some high-level thoughts on the concept of NADS. 

And stop giggling at my NADS! 

_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

GPG public key available at: http://www.anitian.com/corp/keys.htm 
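
A minimal illustration of what the NetFlow-based NADS approach quoted at the top of this message does with the records it collects, added here as an example; it is not code from the original message, from Lancope, or from any other product. The flow records are constructed to resemble the fields of a NetFlow v5 export (exporting router, source and destination address, destination port, bytes, packets), and the threshold factors are assumptions chosen for the demonstration. The detector baselines each source host's median bytes per flow and destination fan-out over a training window, then flags deviations in a live window. Each alert carries the exporting router, which is the "where to act" piece the message argues an organization must be prepared to use.

```python
"""
Toy NetFlow-style anomaly detector (added example, not from the original post).

The flow records below are constructed to look like NetFlow v5 fields; the
byte and fan-out threshold factors are assumptions for the demonstration.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    exporter: str  # router that exported the record (the location being watched)
    src: str
    dst: str
    dport: int
    bytes: int
    packets: int


# Constructed "training" window: ordinary traffic seen by two routers.
BASELINE: List[Flow] = [
    Flow("rtr-a", "10.1.1.5", "10.1.1.10", 443, 1200, 12),
    Flow("rtr-a", "10.1.1.5", "10.1.1.10", 443, 1800, 15),
    Flow("rtr-a", "10.1.1.5", "10.1.1.11", 443, 1500, 14),
    Flow("rtr-a", "10.1.1.5", "10.1.1.11", 443, 2000, 18),
    Flow("rtr-b", "10.2.2.7", "10.2.2.20", 53, 300, 2),
    Flow("rtr-b", "10.2.2.7", "10.2.2.21", 53, 280, 2),
    Flow("rtr-b", "10.2.2.7", "10.2.2.20", 53, 320, 2),
]

# Constructed "live" window: one bulk transfer out of site A, one host at
# site B touching many peers on 445, and a source nobody has seen before.
LIVE: List[Flow] = [
    Flow("rtr-a", "10.1.1.5", "10.1.1.10", 443, 1500, 14),
    Flow("rtr-a", "10.1.1.5", "203.0.113.9", 22, 40_000_000, 30_000),
] + [
    Flow("rtr-b", "10.2.2.7", f"10.2.2.{n}", 445, 200, 3) for n in range(30, 37)
] + [
    Flow("rtr-b", "10.3.3.3", "10.2.2.20", 53, 150, 2),
]


def build_baseline(flows: List[Flow]) -> Dict[str, Tuple[float, int]]:
    """Per source host: (median bytes per flow, number of distinct destinations)."""
    bytes_by_src = defaultdict(list)
    dsts_by_src = defaultdict(set)
    for f in flows:
        bytes_by_src[f.src].append(f.bytes)
        dsts_by_src[f.src].add(f.dst)
    return {src: (median(b), len(dsts_by_src[src])) for src, b in bytes_by_src.items()}


def detect(live: List[Flow], baseline: Dict[str, Tuple[float, int]],
           byte_factor: int = 10, fanout_factor: int = 3) -> List[dict]:
    """Compare a live window against the baseline and return one alert per finding.

    Every alert names the exporter so an operator knows where to act (for
    example which router's ACL to change); the detector itself only observes.
    """
    alerts = []
    live_dsts = defaultdict(set)
    new_sources = set()
    for f in live:
        base = baseline.get(f.src)
        if base is None:
            # A source with no history at all: report it once, not per flow.
            if f.src not in new_sources:
                new_sources.add(f.src)
                alerts.append({"exporter": f.exporter, "src": f.src,
                               "reason": "new-source", "flow": f})
            continue
        med_bytes, _ = base
        if f.bytes > byte_factor * med_bytes:
            alerts.append({"exporter": f.exporter, "src": f.src,
                           "reason": "volume", "flow": f})
        live_dsts[f.src].add(f.dst)
    # Fan-out is judged over the whole window so it fires once per host.
    for src, dsts in live_dsts.items():
        _, base_fanout = baseline[src]
        if len(dsts) > fanout_factor * base_fanout:
            exporter = next(f.exporter for f in live if f.src == src)
            alerts.append({"exporter": exporter, "src": src,
                           "reason": "fanout", "flow": None,
                           "distinct_dsts": len(dsts)})
    return alerts


if __name__ == "__main__":
    for a in detect(LIVE, build_baseline(BASELINE)):
        print(f'{a["exporter"]}: {a["src"]} {a["reason"]}')
```

Run as-is it reports a volume alert for 10.1.1.5 from rtr-a, a new-source alert for 10.3.3.3 from rtr-b, and a fan-out alert for 10.2.2.7 from rtr-b. The design choice worth noting is that the baseline is per exporter-visible host, so the same logic covers every router that exports flows without an inline box at each one, which is the deployment argument the quoted message makes; what it does not give you is any blocking, which is the point the reply makes.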