[Snort-users] Re: [Snort-devel] IDS vs IPS

Mark Teicher mht3 at ...891...
Tue Sep 2 05:43:42 EDT 2003


At 07:08 PM 8/30/2003, Jeff Nathan wrote:

In 2003 commercially ready has come to mean that a product contains an 
acceptable number of flaws.  There are a few analysts out there who I have 
faith in (Greg Shipley to name one), but by and large let's not give 
analysts too much credit.  There are plenty of security product companies 
whose products are designed by marketing organizations whose members have 
neither worked in operational security nor attempted to penetrate a system.

<mht> Acceptable number of flaws, that is a whole other topic!!!
I know I have the recent copy of Consumer Reports around my house somewhere 
that actually states what the acceptable defect level for car manufacturers 
is.  Let me boil it down in very simple terms.
1. Cars should not explode if hit in the rear.
2. Cars should stop when the brake is depressed within the specified number 
of feet it can safely stop in.
3. Cars should not automatically lurch forward when the car is put into gear.

Applying the same simple terms to your definition above, Jeff:
1. Commercial ready products that contain an acceptable number of flaws 
should not BSOD consistently in an enterprise environment.
2. Commercial ready products that contain an acceptable number of flaws 
should not prevent a remote user from authenticating on a previously 
working VPN/PPTP client or corrupt the TCP/IP stack.
3. Commercial ready products that contain an acceptable number of flaws 
should not make the end user reboot several times in order to have a 
successful installation/de-installation of the product.

Yes, Brian Reid and the others credited with inventing the firewall at DEC 
WRL did an impressive job at the time.  Just as the IDS efforts at SRI and 
LLNL in the 1980s were impressive.  It's now 2003 and time doesn't stand still.

<mht> DEC WRL, Digital Equipment Corporation, (DEC)..  :)

Hartmeier's PF *IS* good firewall code.  Were we to compare the quality of 
the underlying code it's as good or better than the work at WRL.
Were we to compare its features to those of the WRL firewall it's no contest; 
the level of completeness is an order of magnitude higher.
http://www.benzedrine.cx/pf.html (this site appears to be down at the moment).

<mht> At that point in history, IBM, Digital Equipment desired to be a 
"one-stop shopping solution".. I think vendors are still attempting to be 
"one-stop shopping solution" but from the security product suite 
view.  Marketing folks, listen carefully on my next point:  "Security is a 
layered approach".  It is not a "ONE SIZE FITS ALL".. :)

IPS is a made up term.  It's nonexistent.  It's marketing voodoo.  It's 
nondescript and just like other forms of language that have permeated the 
English language as a result of political correctness and the haphazard 
nature of people working in marketing organizations to pull buzzwords out 
of thin air, it reduces the specificity of the topic at hand.

<mht> I agree, IPS is a made-up term that allowed Okena to gobble up some 
market share from the Centrally Managed Desktop Firewall/IDS space.  The 
market segment Centrally Managed Desktop Firewall/IDS in my mind is also a 
made up term.  Three entirely different technologies mashed into 
one.  There are way too many variables that could affect each one of the 
technologies when deploying in a very large enterprise environment.

IPS might describe any number of concepts.  After all, what does intrusion 
prevention REALLY mean?  Are we talking about preventing execution of CPU 
instructions?  Preventing network data containing malicious data from being 
allowed to reach an end host?  Obviously the marketing folks are going to 
try to spin this in dozens of ways but I'm not ready to let them have their 
way when it comes to destroying the specificity of language.

<mht>  I agree, I don't know what Intrusion PREVENTION really means.  That 
is why I started ranting and raving.  The IPS products that I have played 
with, pounded on, turned the knobs, made the whistles blow, did not appear 
to have anomaly detection technology incorporated into them, and I have yet 
to see an IPS product that handles SAP or CRM applications without having 
some major issues.

As it relates to computer networks, IPS would have to be gateway intrusion 
detection (aka in-line intrusion detection).  Indeed, if a firewall vendor 
thinks they're moving into this space I'd love to hear about their design 
and implementation.  Also, if a company is moving into this space 
exclusively I'd love to hear about their technology.

<mht> Another inline device.  Jeff, Are you stating that an enterprise 
organization should trust an IPS vendor by allowing them to put their 
hardware/software inline with their network connectivity, be it external or 
That sounds a bit dangerous to the Router vendors out there and to the IDS 
vendors.  If that is the case, then it is a matter of who gets to analyze 
the traffic first.  That is a scary thought..  For example, an enterprise 
now has to test their SAP, CRM application against a high speed router 
(ensure the ACLs in place don't prevent traffic from getting in and out), 
against the inline IDS or the inline IPS to ensure application traffic is 
not doing something malicious.. That sounds a bit overwhelming, why would 
an organization want to risk not being able to do business as they deal 
with the vendor that is preventing them from conducting business.  Vendors 
should really invest the time in INTEROPERABILITY testing, since you can 
only blame the other guy so many times or the organization's deployment of 
some operating system that is no longer supported by Microsoft.
My final point, IPS vendors should really work on their beta programs with 
their customers.  Identify good beta customers, grab a bunch of development 
engineers get a plan together, and interoperability test your product on an 
enterprise network before releasing the product.  Ganymede network traffic 
only provides a good lab environment data set.
That will avoid the "it works in our QA environment" statement by the IPS 
vendor.  Interoperability testing is critical to an enterprise 
organization's deployment of a Centrally Managed Firewall/IDS product or 
IPS product (cringe)..

As each security company tries to get their hand in the proverbial cookie 
jar we're going to see more and more products touting their IPS 
features.  Taken literally, they might be right.  However, this lack of 
linguistic specificity moves the state of security back several years 
rather than propel it forward.  Much like NIDS vendors played the game of 
counting how many signatures they had before CVE was created, every 
security company is going to tout their IPS features until a common 
definition is agreed upon.

<mht> I disagree, I am still waiting to receive an IPS feature list in which 
the word IPS cannot be substituted for IDS.  I also want to disagree with 
you again on your second point, the NIDS vendors who architected their IDS 
products on pattern matching played the game of how many signatures they 
had against each other.  A majority of the NIDS vendors had the exact same 
signature but named it differently.. Even some of the Centrally Managed 
Desktop Firewall vendors play the same game.  One exception, most of the 
Centrally Managed Desktop Firewall vendors check their Sn0rt import before 
releasing and validate the IDS signatures actually apply to their product.

I'll put my stock in industry analysts such as the folks over at Gartner 
when they stop producing research reports whose data was gathered by making 
phone calls to company executives rather than empirical analysis.  That's 
right, folks.  That much touted Gartner report was exposed not all that 
long ago when they were questioned directly about the source of their 
As the story goes, they admitted (in a room full of people) to having 
simply made phone calls.

<mht>  IDC analysts did something similar in 1997, when they defined the 
SoHo Firewall Appliance market. The information they received from the 
vendors at the time was the sales funnel information.  The only vendors to 
survive the SoHo Appliance market were the little router vendors, and not 
the original players.  I don't think I even remember the original SoHo 
Firewall Appliance players.

I look forward to my beer. :)

<mht> You might have to fly to Coors country to get your beer, Gary, you too..


Take care,

-Jeff