[Snort-users] Re: [Snort-devel] IDS vs IPS

Mark Teicher mht3 at ...891...
Tue Sep 2 05:43:37 EDT 2003


Rather impressive does not mean it is commercial ready.
Commercial Ready means it meets or exceeds the criteria of the definition 
of the Industry Analysts and can be reviewed by the people who do those 
rather large network type bake-offs of products and barely understand how 
the technology works except click "Setup.exe" and pray the Installshield 
doesn't barf on their system which most likely doesn't meet the vendors 
stated minimum requirements.  How about db's?? How many of the IPS vendors 
require MSSQL as their database of choice??
  If the IPS vendors require MS SQL as their database backend, that means 
the IPS management console can't handle an enterprise type organization 
without having massive horsepower and some sort of distributed console 
management technology underlying it.  How many of the industry reviewers 
actually review that type of scenario.. ??

I might not even have to take off my shoes to count. Oh better yet, let me 
get out my abacus..

[/standing on soapbox]

Back to my original ranting,  GOOD firewall code hasn't been produced in 
years..In fact, if someone could dig up Wei Xu, Peter Churchill or Brian 
Reid.. I am sure they could tell you stories about GOOD firewall code, 
proxy code and the crud they had to put up with.

You know there are still Digital Equipment Corporation Firewalls in place 
at a major bank in NY/NJ area.. (DECSeal at least 20 of them by my last 
count).. the technology is 10 years old, and no one has broken into them.. 
Go figure that one out..  no IDS, no IPS.. Actually in fact, I can also 
name a few other companies that still have Gauntlet firewalls in place..

Was it GOOD firewall code, who knows, but the fact remains, IPS technology 
is still in its infancy, while Firewalls have been around for almost 15 
years, and IDS technology, although not fully matured over 5 years.
  IPS is less than 30 months old, and every single marketing person 
expels "IPS is the future, firewalls and IDS are dead"  OK, marketing 
people, speak up and tell us who the pure IPS vendors are, not firewall and 
IDS vendors trying to re-define their space and get some marketing mojo 

I even cc'ed a marketing person on the list so that they can respond to the 
hype and defend themselves in this little thread.. C'mon give us the 
marketing hype and story..  Anyone else from other vendors marketing 
department listening/reading..  ??

[/slipping off soapbox...]

argghhhh, I have fallen underneath the IPS hype and need to call the nearest 
IPS marketing person to get up...

P.S. Does this mean I am back to my full lunacy of ranting and raving, not 
quite sure, but it is fun to be alive again.. Jeff N and Gary C, I owe you 
two a beer..



At 06:02 PM 8/30/2003, Jeff Nathan wrote:

>not entirely true. Dan Hartmeier's packet filter is rather impressive.
>-Jeff
>On Wednesday, August 27, 2003, at 09:21 PM, Mark Teicher wrote:
>>I disagree, New IPS is not the natural evolution of the existing 
>>firewall, it is natural evolution of marketing hype. !!! Good firewall 
>>code just doesn't exist anymore, except for the Ultimate Firewall 
>>At 09:16 PM 8/27/2003, Jason wrote:
>>>Thanks, I think the matrix shows fairly well that the _new IPS_ is a 
>>>natural evolution of the existing firewall.
>>>This is important to point out because there are existing investments in 
>>>firewalls and these firewalls are rapidly closing the gap where needed. 
>>>I know that CP has been moving in this direction for a while. It has 
>>>also been my experience that they have been moving at an appropriate 
>>>pace and the capabilities have been there when I've needed them.
>>>One final statement. You do not need the firewall to log content if you 
>>>have an IDS that you can trust will not have a direct impact on the 
>>>business should it be too critical of the data.
>>>You can also have confidence in your firewall because your IDS verifies 
>>>what you told the firewall to do and covers your arse when you let 
>>>something by because of business requirements or a human error.
>--
>http://cerberus.sourcefire.com/~jeff       (gpg key available)
>"Problems cannot be solved at the same level of awareness that
>created them."  - Albert Einstein
