Re: IDS vs. IPS deployment feedback

[Eric Hines <eric.hines () appliedwatch com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree with Alan here.

Andrew, I've watched several of your posts now over the past months and
on several occasions bit my tongue, but I do have to step up here. You
represent several COTS (Commercial off-the-shelf) IPS vendors and have
admitted to, so please be careful when posturing them against open
source tools such as Snort -- know what you're talking about when it
comes to Snort's capabilities if you are going to make claims as to what
its unable to do when compared to COTS solutions.

I agree that tailing snort alert files in an Enterprise is not exactly
the pretty GUI you get with ISS or Tipping Point. But thats after a
vanilla untar and compile. Their does exist commercial Snort management
solutions that offer polished GUIs for managing Snort rules and events,
such as ours, and Alan's as he noted.

Your point about Snort not having those commercial IPS capabilities is
plain wrong and shows that you know very little about the market and
commercial landscape and its adoption of Snort in the enterprise. Snort
is used by organizations with analysts that can translate HEX on the fly
and those who have no idea what HEX is. Its not just for packet monkeys
my friend. Large Fortune 5 organizations and a lot of large military and
defense networks will take a Snort sensor over a $30,000 COTS IDS/IPS
any day and have even see some organizations throw out commercial
solutions for open source Nessus or Snort. Its clear you just don't know
enough about open source adoption in the enterprise to make the
statement you made.

We have over 600 installations of our Snort management suite and a lot
of those organizations lack the "analytical capabilities" as you put it,
and still use Snort. Also, I beg to ask how it is you think a commercial
IPS capable of "filtering out known vulnerabilities offering a layer of
protection" is something Snort is unable to do. Your contrast  between
the two doesn't make sense.

If you are going to boast commercial IDS/IPS solutions on mailing lists
because you sell them, great, but be careful when choosing to say they
are better than Tom, Dick, or Harry when you have no idea if the reasons
you are citing are even true.


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC


- ---------------------------------------------

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eric.hines () appliedwatch com

- --------------------------------------------

"Enterprise Open Source Security Management"


Alan Shimel wrote:
> Andrew
>
> While I can appreciate what you are saying, your own commercial position
> makes it difficult to put much weight behind what you are saying.  The sheer
> number of people using snort sensors would seem to indicate other than what
> you are saying.  Also, the many products that give pure, vanilla snort a
> polished commercial feel, are a fine match for many of the products you
> mention.  Our own freeware IPS, strata guard free
> (http://www.stillsecure.org), which is snort based, is a perfect example of
> this.  It probably does as good a job on the false positives as any of the
> "commercial" products you mention.
>
> It is a wide market out there!
>
> alan
>
>
>  
> StillSecure
> Alan Shimel 
> Chief Strategy Officer 
>
> O 303.381.3815
> C 516.857.7409
> F 303.381.3881
> email ashimel () stillsecure com
> blog http://ashimmy.typepad.com
>
> www.stillsecure.com
> The information transmitted is intended only for the person
> to whom it is addressed and may contain confidential material.
> Review or other use of this information by persons other than
> the intended recipient is prohibited. If you've received
> this in error, please contact the sender and delete
> from any computer.
>
> -----Original Message-----
> From: Andrew Plato [mailto:andrew.plato () anitian com] 
> Sent: Friday, April 07, 2006 12:05 PM
> To: Will Metcalf
> Cc: focus-ids () securityfocus com
> Subject: RE: IDS vs. IPS deployment feedback
>
> > I'm not saying that an IPS does not have value, I'm saying 
> > it should be part of an overall security strategy, not your 
> > end all solution for detecting and preventing intrusions, 
> > as  the view that it gives even the most novice analyst is 
> > far too narrow.
>
> Okay Will, here we agree. An IPS must be part of a larger security
> strategy. It cannot stand alone. I completely agree with that.
>
> However, I maintain my position that most businesses lack the analytical
> capabilities to deploy resource intensive technologies (like SNORT).
> Hence, commercial IPS that can filter off a set of known vulnerabilities
> reduces the overall workload and offers a layer of protection. Also, the
> majority of attacks in the wild are well-known and easily detected and
> blocked. 
>
> _____________________________________
> Andrew Plato, CISSP, CISM
> President/Principal Consultant
> ANITIAN ENTERPRISE SECURITY
>
> Your Expert Partner for Security & Networking
>
> 3800 SW Cedar Hills Blvd, Suite 280
> Beaverton, OR 97005
> 503-644-5656 Office
> 503-214-8069 Fax
> 503-201-0821 Mobile
> www.anitian.com
> _____________________________________
>
> GPG public key available at: http://www.anitian.com/corp/keys.htm 
> _________________________________________________
> NOTICE:
> This email may contain confidential information, 
> and is for the sole use of the intended recipient.  
> If you are not the intended recipient, please reply 
> to the message and inform the sender of the error 
> and delete the email and any attachments from 
> your computer. 
> _________________________________________________
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> ------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEOth5bOqF2QHgUK0RAjJwAJ4hp73dl7HqF/l+GLTISuija/z0jACcCHl0
Ach8hqc0voP0raIxE57chJI=
=V+rl
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------