funsec mailing list archives
IDS a STUPID technology
From: "Hubbard, Dan" <dhubbard () websense com>
Date: Tue, 11 Oct 2005 14:10:19 -0700
My fingers are too sore to get involved in this one. However, since this is the Funsec list, I would highly recommend that people here purchase the following:

From: http://www.threatchaos.com/ {Stiennon Blog}

"More speaking engagements
I noticed that no one bought the Stiennon Fall '05 Road Show t-shirts. What's up with that???"

Link to the T-shirts if you want one: http://www.cafepress.com/threatchaos.31098982

Shirly, someone who has their own t-shirts with their picture can't be wrong!

PS: Don't call me Shirly.

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Kyle Quest
Sent: Tuesday, October 11, 2005 1:53 PM
To: FunSec [List]
Subject: RE: [funsec] so, is I[dp]S a STUPID technology?

I would have to agree with Paul Schmehl...

Ok, let's start with the statement that Ridgely Evers makes and Richard Stiennon seconds along with Aviram Jenik: "IDS - that has got to be one of the stupidest technology ideas of all time."

I don't know who Aviram Jenik is and I don't know about his background, so it's a bit hard to make a proper judgment. However, let's look at who Ridgely Evers and Richard Stiennon are. Do they really know what they are talking about? Are they really qualified to make a statement like that? I claim that they are not. They are business types that deal with the security technology at a very high level without true understanding of its capabilities and limitations. There's a good chance they don't really understand what IDS technology is for. That's where Aviram joins these two guys as well when he says, 'I heard Richard say on more than one occasion "IDS is dead", and almost hugged him for it.'

The phrase "IDS is dead" was popularized by the Gartner Group when the IPS technology started to emerge. That statement is really WRONG to begin with because the IPS technology is NOT A REPLACEMENT for the IDS technology. The goal of the IDS technology is to collect as much forensics information as possible... before, during, and after malicious/unauthorized activity takes place, while the IPS technology is supposed to block malicious/unauthorized activity once it's detected.

Anyways, going back to the main statement about IDS... saying that the IDS technology is one of the stupidest technology ideas of all time is plain silly just because it's not 100% effective. Nothing (and I repeat... NOTHING) in this world is 100% effective. Just because one technology is not 100% effective doesn't mean it's useless or stupid. Paul Schmehl said it perfectly... "*No* technology can solve *every* problem". That applies not only to technology, but to any kind of solution that deals with any kind of problem. Let's imagine two worlds, one where IDS/IPS technologies exist and another where they don't. If you had to choose one of those worlds, which one would you choose?

As somebody who deals with IPS technology, I also want to comment on the following statement made by Aviram: 'don't talk to me about IPS, please. Most of the IPS's are just IDS with blocking capabilities which means no one ever puts them in 'blocking' mode by default. The rest are usually so sophisticated their "AI" engines can't even stop an nmap connect scan.'

It shows that Aviram doesn't know much about the IPS technology, what it's for, and how to use it. There's no technology that you just turn on and it works perfectly. Different tools are used for different tasks. These tools often need to be properly configured for specific environments. What's bad in one environment might be normal traffic in another environment. The flexibility some of those systems provide is necessary because each environment is different, and unfortunately this technology still needs smart people to configure it and operate it. I'm not saying that all IPS products are perfect. They are not, but they are still useful tools.

The statement, "Most of the IPS's are just IDS with blocking capabilities which means no one ever puts them in 'blocking' mode by default", is simply not true. It's definitely not based on real world statistics. While it's true that pretty much most IPS products that use signature technology or even protocol misuse technology do have rules that are sometimes disabled or set to detect, the majority of the IPS rules are usually turned on. It is true that it's common to deploy IPS products in bypass/detect mode initially, but it's only the initial phase used to fine tune the system.

The point I was trying to make is that... nothing is simple and there's no perfect solution for most of the problems in this world, including security. However, the existence of tools that help in one way or another is definitely better than having nothing at all...

Kyle

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.