IDS mailing list archives
Re: IDS vs. IPS deployment feedback
From: Eric Hines <eric.hines () appliedwatch com>
Date: Mon, 10 Apr 2006 17:13:13 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I agree with Alan here. Andrew, I've watched several of your posts now over the past months and on several occasions bit my tongue, but I do have to step up here. You represent several COTS (Commercial off-the-shelf) IPS vendors and have admitted to, so please be careful when posturing them against open source tools such as Snort -- know what you're talking about when it comes to Snort's capabilities if you are going to make claims as to what its unable to do when compared to COTS solutions. I agree that tailing snort alert files in an Enterprise is not exactly the pretty GUI you get with ISS or Tipping Point. But thats after a vanilla untar and compile. Their does exist commercial Snort management solutions that offer polished GUIs for managing Snort rules and events, such as ours, and Alan's as he noted. Your point about Snort not having those commercial IPS capabilities is plain wrong and shows that you know very little about the market and commercial landscape and its adoption of Snort in the enterprise. Snort is used by organizations with analysts that can translate HEX on the fly and those who have no idea what HEX is. Its not just for packet monkeys my friend. Large Fortune 5 organizations and a lot of large military and defense networks will take a Snort sensor over a $30,000 COTS IDS/IPS any day and have even see some organizations throw out commercial solutions for open source Nessus or Snort. Its clear you just don't know enough about open source adoption in the enterprise to make the statement you made. We have over 600 installations of our Snort management suite and a lot of those organizations lack the "analytical capabilities" as you put it, and still use Snort. Also, I beg to ask how it is you think a commercial IPS capable of "filtering out known vulnerabilities offering a layer of protection" is something Snort is unable to do. Your contrast between the two doesn't make sense. If you are going to boast commercial IDS/IPS solutions on mailing lists because you sell them, great, but be careful when choosing to say they are better than Tom, Dick, or Harry when you have no idea if the reasons you are citing are even true. Best Regards, Eric Hines, GCIA, CISSP CEO, President Applied Watch Technologies, LLC - --------------------------------------------- Eric Hines, GCIA, CISSP CEO, President Applied Watch Technologies, LLC 1095 Pingree Road Suite 213 Crystal Lake, IL 60014 Toll Free: (877) 262-7593 ext:327 Direct: (847) 854-2725 ext:327 Fax: (847) 854-5106 Web: http://www.appliedwatch.com Email: eric.hines () appliedwatch com - -------------------------------------------- "Enterprise Open Source Security Management" Alan Shimel wrote:
Andrew While I can appreciate what you are saying, your own commercial position makes it difficult to put much weight behind what you are saying. The sheer number of people using snort sensors would seem to indicate other than what you are saying. Also, the many products that give pure, vanilla snort a polished commercial feel, are a fine match for many of the products you mention. Our own freeware IPS, strata guard free (http://www.stillsecure.org), which is snort based, is a perfect example of this. It probably does as good a job on the false positives as any of the "commercial" products you mention. It is a wide market out there! alan StillSecure Alan Shimel Chief Strategy Officer O 303.381.3815 C 516.857.7409 F 303.381.3881 email ashimel () stillsecure com blog http://ashimmy.typepad.com www.stillsecure.com The information transmitted is intended only for the person to whom it is addressed and may contain confidential material. Review or other use of this information by persons other than the intended recipient is prohibited. If you've received this in error, please contact the sender and delete from any computer. -----Original Message----- From: Andrew Plato [mailto:andrew.plato () anitian com] Sent: Friday, April 07, 2006 12:05 PM To: Will Metcalf Cc: focus-ids () securityfocus com Subject: RE: IDS vs. IPS deployment feedbackI'm not saying that an IPS does not have value, I'm saying it should be part of an overall security strategy, not your end all solution for detecting and preventing intrusions, as the view that it gives even the most novice analyst is far too narrow.Okay Will, here we agree. An IPS must be part of a larger security strategy. It cannot stand alone. I completely agree with that. However, I maintain my position that most businesses lack the analytical capabilities to deploy resource intensive technologies (like SNORT). Hence, commercial IPS that can filter off a set of known vulnerabilities reduces the overall workload and offers a layer of protection. Also, the majority of attacks in the wild are well-known and easily detected and blocked. _____________________________________ Andrew Plato, CISSP, CISM President/Principal Consultant ANITIAN ENTERPRISE SECURITY Your Expert Partner for Security & Networking 3800 SW Cedar Hills Blvd, Suite 280 Beaverton, OR 97005 503-644-5656 Office 503-214-8069 Fax 503-201-0821 Mobile www.anitian.com _____________________________________ GPG public key available at: http://www.anitian.com/corp/keys.htm _________________________________________________ NOTICE: This email may contain confidential information, and is for the sole use of the intended recipient. If you are not the intended recipient, please reply to the message and inform the sender of the error and delete the email and any attachments from your computer. _________________________________________________ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEOth5bOqF2QHgUK0RAjJwAJ4hp73dl7HqF/l+GLTISuija/z0jACcCHl0 Ach8hqc0voP0raIxE57chJI= =V+rl -----END PGP SIGNATURE----- ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- RE: IDS vs. IPS deployment feedback Devdas Bhagat (Apr 03)
- <Possible follow-ups>
- Re: IDS vs. IPS deployment feedback Will Metcalf (Apr 05)
- Re: IDS vs. IPS deployment feedback Jean-Philippe Luiggi (Apr 10)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 06)
- Re: IDS vs. IPS deployment feedback Will Metcalf (Apr 06)
- Re: IDS vs. IPS deployment feedback Stefano Zanero (Apr 15)
- RE: IDS vs. IPS deployment feedback Basgen, Brian (Apr 07)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 10)
- RE: IDS vs. IPS deployment feedback Alan Shimel (Apr 10)
- Re: IDS vs. IPS deployment feedback Eric Hines (Apr 13)
- RE: IDS vs. IPS deployment feedback Alan Shimel (Apr 10)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 10)
- Re: IDS vs. IPS deployment feedback Richard Bejtlich (Apr 10)
- Re: IDS vs. IPS deployment feedback Paul Schmehl (Apr 11)
- Re: IDS vs. IPS deployment feedback Aaron (Apr 15)
- Re: IDS vs. IPS deployment feedback Stefano Zanero (Apr 17)
- Re: IDS vs. IPS deployment feedback Thomas Choi (Apr 18)
- Re: IDS vs. IPS deployment feedback Aaron (Apr 18)
- Re: IDS vs. IPS deployment feedback Stefano Zanero (Apr 15)
- RE: IDS vs. IPS deployment feedback Basgen, Brian (Apr 10)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 10)