funsec mailing list archives

IDS a STUPID technology


From: "Hubbard, Dan" <dhubbard () websense com>
Date: Tue, 11 Oct 2005 14:10:19 -0700

My fingers are too sore to get involved in this one. However since this
is the Funsec list I would highly recommend that people here purchase
the following:

From: http://www.threatchaos.com/ {Stiennon Blog}

"More speaking engagements
I noticed that no one bought the Stiennon Fall '05 Road Show t-shirts.
What's up with that???"

Link to the T-shirts if you want one:

http://www.cafepress.com/threatchaos.31098982

Shirly, someone who has their own t-shirts with their picture can't be
wrong! PS: Don't call me Shirly.

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Kyle Quest
Sent: Tuesday, October 11, 2005 1:53 PM
To: FunSec [List]
Subject: RE: [funsec] so, is I[dp]S a STUPID technology?

I would have to agree with Paul Schmehl...

Ok, let's start with the statement that Ridgely Evers makes and Richard
Stiennon seconds along with Aviram Jenik:

 "IDS - that has got to be one of the stupidest
  technology ideas of all time."

I don't know who Aviram Jenik is and I don't know about his background,
so it's a bit hard to make a proper judgment. However, let's look at who
Ridgely Evers and Richard Stiennon are. Do they really know what they
are talking about? Are they really qualified to make a statement like
that? I claim that they are not. They are business types that deal with
security technology at a very high level without a true understanding of
its capabilities and limitations. There's a good chance they don't
really understand what IDS technology is for. That's where Aviram joins
these two guys as well when he says, 'I heard Richard say on more than
one occasion "IDS is dead", and almost hugged him for it.'

The phrase "IDS is dead" was popularized by the Gartner Group when the
IPS technology started to emerge. That statement is really WRONG to
begin with because the IPS technology is NOT A REPLACEMENT for the IDS
technology. The goal of the IDS technology is to collect as much
forensic information as possible... before, during, and after
malicious/unauthorized activity takes place, while the IPS technology is
supposed to block malicious/unauthorized activity once it's detected.

Anyways, going back to the main statement about IDS...
saying that the IDS technology is one of the stupidest technology ideas
of all time is plain silly just because it's not 100% effective. Nothing
(and I repeat... NOTHING) in this world is 100% effective. Just because
one technology is not 100% effective doesn't mean it's useless or
stupid.

Paul Schmehl said it perfectly... "*No* technology can solve
*every* problem". That also applies not only to technology, but to any
kind of solution that deals with any kind of problem.

Let's imagine two worlds, one in which IDS/IPS technologies exist and
another in which they don't. If you had to choose one of those worlds,
which one would you choose?

As somebody who deals with IPS technology I also want to comment on the
following statement made by Aviram:

'don't talk to me about IPS, please. Most of the IPS's are just IDS
 with blocking capabilities which means no one ever puts them in
 'blocking' mode by default.
 The rest are usually so sophisticated their "AI"
 engines can't even stop an nmap connect scan.'

It shows that Aviram doesn't know much about the IPS technology, what
it's for and how to use it. There's no technology that you just turn on
and it works perfectly. Different tools are used for different tasks.
These tools often need to be properly configured for specific
environments. What's bad in one environment might be normal traffic in
another environment. The flexibility some of those systems provide is
necessary because each environment is different and, unfortunately, this
technology still needs smart people to configure it and operate it.

I'm not saying that all IPS products are perfect. They are not, but they
are still useful tools. 

The statement, "Most of the IPS's are just IDS with blocking
capabilities which means no one ever puts them in 'blocking' mode by
default", is simply not true. It's definitely not based on real world
statistics. While it's true that most IPS products that use signature
technology or even protocol misuse technology do have rules that are
sometimes disabled or set to detect, the majority of the IPS rules are
usually turned on. It is true that it's common to deploy IPS products in
bypass/detect mode initially, but it's only the initial phase used to
fine tune the system.

The point I was trying to make is that... nothing is simple and there's
no perfect solution for most of the problems in this world including
security. However, the existence of tools that help in one way or
another is definitely better than having nothing at all...

Kyle


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

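Added example (not from Kyle's message or anyone else on the list): a toy sensor in Python that runs one rule set either detect-only or inline. In detect mode it behaves like the IDS Kyle describes, recording the "before" context for every alert and counting what each drop rule would have blocked; the tune step then demotes any drop rule that fires on too much of this environment's normal traffic, and only the tuned set goes inline. The rule SIDs, patterns, hit-fraction threshold and traffic are all constructed for the illustration and stand for no real product's rules.

```python
"""Detect-first rollout of a rule set, then inline. Constructed example:
rule SIDs, patterns, threshold and traffic are all made up for illustration."""
import re
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    pattern: str           # regex applied to the event payload
    action: str = "alert"  # "alert", "drop" or "disabled"


class Sensor:
    """inline=False: alert and keep forensic context (IDS job).
    inline=True: additionally enforce drop rules (IPS job)."""

    def __init__(self, rules, inline=False, history=4):
        self.rules = [r for r in rules if r.action != "disabled"]
        self.inline = inline                  # False = detect/bypass mode
        self.seen = 0
        self.hits = Counter()                 # matches per rule sid
        self.would_block = Counter()          # drop rules that fired while not inline
        self.context = deque(maxlen=history)  # recent events, the "before" of an alert
        self.forensics = []                   # alert records with preceding traffic

    def process(self, event):
        """Return (matches, blocked); matches is a list of (sid, action taken)."""
        self.seen += 1
        matches, blocked = [], False
        for r in self.rules:
            if not re.search(r.pattern, event["payload"]):
                continue
            self.hits[r.sid] += 1
            if r.action == "drop" and self.inline:
                matches.append((r.sid, "drop"))
                blocked = True
            elif r.action == "drop":          # detect mode: note it, let it through
                self.would_block[r.sid] += 1
                matches.append((r.sid, "alert (would drop)"))
            else:
                matches.append((r.sid, "alert"))
        if matches:
            self.forensics.append({"event": event, "before": list(self.context),
                                   "matches": matches})
        self.context.append(event)
        return matches, blocked

    def noisy_drop_rules(self, max_hit_fraction):
        """Drop rules that fired on more than max_hit_fraction of observed traffic."""
        return sorted(r.sid for r in self.rules if r.action == "drop"
                      and self.hits[r.sid] / max(self.seen, 1) > max_hit_fraction)


def tune(rules, detect_sensor, max_hit_fraction=0.25):
    """Demote noisy drop rules to alert; every other rule keeps its action."""
    noisy = set(detect_sensor.noisy_drop_rules(max_hit_fraction))
    return [Rule(r.sid, r.msg, r.pattern, "alert" if r.sid in noisy else r.action)
            for r in rules]


def blocked_ids(rules, traffic):
    """Event ids an inline sensor running these rules would drop."""
    sensor = Sensor(rules, inline=True)
    return [ev["id"] for ev in traffic if sensor.process(ev)[1]]


def staged_rollout(rules, traffic, max_hit_fraction=0.25):
    """Phase 1: detect only and measure. Phase 2: inline with the tuned rules."""
    detect = Sensor(rules, inline=False)
    for ev in traffic:
        detect.process(ev)
    tuned = tune(rules, detect, max_hit_fraction)
    return {"detect": detect, "tuned": tuned, "blocked": blocked_ids(tuned, traffic)}


# Hypothetical rules. 1000003 is the environment-specific false positive:
# sensible on an internet edge, wrong on a segment where /admin is daily traffic.
RULES = [
    Rule(1000001, "SQLi tautology in query", r"(?i)'\s*or\s+1\s*=\s*1", "drop"),
    Rule(1000002, "path traversal", r"\.\./", "drop"),
    Rule(1000003, "admin console access", r"/admin", "drop"),
    Rule(1000004, "sqlmap user agent", r"(?i)sqlmap", "alert"),
    Rule(1000005, "telnet banner", r"telnet", "disabled"),
]

# Constructed traffic: simplified request line plus user agent per event.
TRAFFIC = [
    {"id": 1, "payload": "GET /index.html UA=Mozilla/5.0"},
    {"id": 2, "payload": "GET /admin/login UA=Mozilla/5.0"},
    {"id": 3, "payload": "POST /admin/users UA=Mozilla/5.0"},
    {"id": 4, "payload": "GET /admin/dashboard UA=Mozilla/5.0"},
    {"id": 5, "payload": "GET /search?q=' OR 1=1-- UA=Mozilla/5.0"},
    {"id": 6, "payload": "GET /download?f=../../etc/passwd UA=curl/7.0"},
    {"id": 7, "payload": "GET /admin/report UA=sqlmap/1.0"},
    {"id": 8, "payload": "GET /about UA=Mozilla/5.0"},
]

if __name__ == "__main__":
    result = staged_rollout(RULES, TRAFFIC)
    print("untuned inline blocks:", blocked_ids(RULES, TRAFFIC))
    print("demoted to alert:     ", result["detect"].noisy_drop_rules(0.25))
    print("tuned inline blocks:  ", result["blocked"])
```

Run it and compare the two "blocks" lines: put the untuned rule set inline straight away and the /admin rule drops four of the eight requests, which is the kind of environment-specific false positive the detect phase is there to surface. After tuning, only the SQL-injection and path-traversal requests are dropped; the /admin and sqlmap hits still alert, with the preceding traffic kept alongside each alert for later analysis.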

