IDS mailing list archives
RE: IDS vs. IPS deployment feedback
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Tue, 11 Apr 2006 08:53:18 -0700
As I said to Alan: we all sell what we know. I sell what I know. You sell what you know. Commercial, open source, closed, open, lost, found, black, white - whatever. Organizations should pick the best solution for their environment.

That much said, I realize it is pretty much high treason to speak badly of an open source product on the Internet. I have angered the Gods of Open Source before. This time is no different.

An unanalyzed IDS/IPS isn't very useful. That is the core problem. Without analytical capability, the value and effectiveness of any security product is reduced.

Many organizations have scant IT resources. As such, any technology that has significant resource requirements is usually passed over for those that can simplify security while extending the capability of a small IT staff.

Nobody is arguing the technical merits of Snort, but it's an established fact that it tends to be more resource intensive than its commercial partners. This is true of all open source products. They tend to be more "raw."

That is why there are COMMERCIAL companies, like yours Eric and like SourceFire, that have made Snort more palatable to enterprises. In this sense, you are no different than 3com, McAfee, ISS, etc. You're simply making a technology easier to use.

Eric, you and Alan are no different than me. You're just hawking a different product. Doesn't matter if the sensor is Snort or Proventia. You sell what you know, I sell what I know.

Furthermore, the "I can see a signature so it's better" argument just doesn't fly at a lot of businesses. Again, most IT people do not have the time to analyze and write signatures. Just as companies outsource their PC manufacturing, phone centers, and Internet connection - they outsource their security protections. They trust a commercial vendor to handle this problem. I can't see the jet fuel Delta puts in a plane, but I trust Delta to use real jet fuel. So, I can trust Delta with my life, but I can't trust ISS or McAfee to write an IPS signature? Yeah. Whatever.

If you feel better seeing the signatures and their content, then by all means - get thee to a Snort box. But, for many IT groups, this just isn't a significant selling point. Ease of use, timeliness of new signatures and reliability are typically more important factors.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security

-----Original Message-----
From: Eric Hines [mailto:eric.hines () appliedwatch com]
Sent: Monday, April 10, 2006 3:13 PM
To: Alan Shimel
Cc: Andrew Plato; 'Will Metcalf'; focus-ids () securityfocus com; Applied Watch Development; sales () appliedwatch com
Subject: Re: IDS vs. IPS deployment feedback

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree with Alan here. Andrew, I've watched several of your posts now over the past months and on several occasions bit my tongue, but I do have to step up here. You represent several COTS (Commercial off-the-shelf) IPS vendors and have admitted to, so please be careful when posturing them against open source tools such as Snort -- know what you're talking about when it comes to Snort's capabilities if you are going to make claims as to what it's unable to do when compared to COTS solutions.