[Snort-users] Re: [Snort-devel] IDS vs IPS
mht3 at ...891...
Tue Sep 2 05:43:42 EDT 2003
At 07:08 PM 8/30/2003, Jeff Nathan wrote:
-----BEGIN PGP SIGNED MESSAGE-----
In 2003 commercially ready has come to mean that a product contains an
acceptable number of flaws. There are a few analysts out there who I have
faith in (Greg Shipley to name one), but by and large let's not give
analysts too much credit. There are plenty of security product companies
whose products are designed by marketing organizations whose members have
neither worked in operational security nor attempted to penetrate a system.
<mht> Acceptable number of flaws, that is whole another topic !!!
I know I have the recent copy of Consumer Reports around my house somewhere
that actually states what the acceptable defect level for car manufacturers
is. Let me boil it down in very simple terms.
1. Cars should not explode if hit it in rear.
2. Cars should stop when the brake is depressed within the specified number
of feet it can safely stop in.
3. Cars should not automatically lurch forward when the car is put into gear .
Applying the same simple terms to your definition above Jeff.
1. Commercial ready products that contain an acceptable number of flaws
should not BSOD consistently in an enterprise environment.
2. Commercial ready products that contain an acceptable number of flaws
should not prevent a remote user from authenticating on a previously
working VPN/PPTP client or corrupt the TCP/IP stack.
3. Commercial ready products that contain an acceptable number of flaws
should not make the end user reboot several times in order to have a
successful installation/de-installation of the product.
Yes, Brian Reid and the others credited with inventing the firewall at DEC
WRL did an impressive job at the time. Just as the IDS efforts at SRI and
LLNL in the 1980s were impressive. It's now 2003 and time doesn't stand still.
<mht> DEC WRL, Digital Equipment Corporation, (DEC).. :)
Hartmeier's PF *IS* good firewall code. Were we to compare the quality of
the underlying code it's as good or better than the work at WRL.
Were we to compare its features to those the WRL firewall it's no contest;
the level of completeness is an order of magnitude higher.
http://www.benzedrine.cx/pf.html (this site appears to be down at the moment).
<mht> At that point in history, IBM, Digital Equipment desired to be a
"one-stop" shopping solution".. I think vendors are still attempting to be
"one-stop shopping solution" but from the security product suite
view. Marketing folks, listen carefully on my next point: "Security is a
layered approach". It is not a "ONE SIZE FITS ALL".. :)
IPS is a made up term. It's nonexistent. It's marketing voodoo. It's
nondescript and just like other forms of language that have permeated the
English language as a result of political correctness and the haphazard
nature of people working in marketing organizations to pull buzzwords out
of thin air, it reduces the specificity of the topic at hand.
<mht> I agree, IPS is made up term, that allowed Okena to gobble up some
market share from the Centrally Managed Desktop Firewall/IDS space. The
market segment Centrally Managed Desktop Firewall/IDS in my mind is also a
made up term. Three entirely different technologies mashed into
one. There are way to many variables that could affect each one of the
technologies when deploying in a very large enterprise environment.
IPS might describe any number of concepts. After all, what does intrusion
prevention REALLY mean? Are we talking about preventing execution of CPU
instructions? Preventing network data containing malicious data from being
allowed to reach an end host? Obviously the marketing folks are going to
try to spin this in dozens of ways but I'm not ready to let them have their
way when it comes to destroying the specificity of language.
<mht> I agree, I don't know what Intrusion PREVENTION really means. That
is why I started ranting and raving. The IPS products that I have played
with, pounded on, turned the knobs, made the whistles blow, did not appear
to have anomaly detection technology incorporated into it, and I have yet
to see an IPS product that handles SAP or CRM applications without having
some major issues.
As it relates to computer networks, IPS would have to be gateway intrusion
detection (aka in-line intrusion detection). Indeed, if a firewall vendor
thinks they're moving into this space I'd love to hear about their design
and implementation. Also, if a company is moving into this space
exclusively I'd love to hear about their technology.
<mht> Another inline device. Jeff, Are you stating that an enterprise
organization should trust an IPS vendor by allowing to put their
hardware/software inline with their network connectivity, be it external or
That sounds a bit dangerous to the Router vendors out there and to the IDS
vendors. If that is the case, then it is a matter of who gets to analyze
the traffic first. That is a scary thought.. For example, an enterprise
now has to test their SAP, CRM application against a high speed router
(ensure ACLs in place doesn't prevent traffic from getting in and out),
against the inline IDS or the inline IPS to ensure application traffic is
not doing something malicious.. That sounds a bit overwhelming, why would
an organization want to risk not being able to do business as they deal
with the vendor that is preventing them from conducting business. Vendors
should really invest the time in INTEROPERABILITY testing, since you can
only blame the other guy so many times or the organization's deployment of
some operating system that is no longer supported by Microsoft.
My final point, IPS vendors should really work on their beta programs with
their customers. Identify good beta customers, grab a bunch of development
engineers get a plan together, and interoperability test your product on an
enterprise network before releasing the product. Ganymede network traffic
only provides a good lab environment data set.
That will avoid the it works in our QA environment statement by the IPS
vendor. Interoperability testing is critical to an enterprise
organization's deployment of a Centrally Managed Firewall/IDS product or
IPS product (cringe)..
As each security company tries to get their hand in the proverbial cookie
jar we're going to see more and more products touting their IPS
features. Taken literally, they might be right. However, this lack of
linguistic specificity moves the state of security back several years
rather than propel it forward. Much like NIDS vendors played the game of
counting how many signatures they had before CVE was created, every
security company is going to tout their IPS features until a common
definition is agreed upon.
<mht> I disagree, I am still waiting to receive an IPS feature list that
the word IPS can not be substituted for IDS. I also want to disagree with
you again on your second point, the NIDS vendors who architected their IDS
products on pattern matching played the game of how many signatures they
had against each other. A majority of the NIDS vendors had the exact same
signature but named it differently.. Even some of the Centrally Managed
Desktop Firewall vendors play the same game. One exception, most of the
Centrally Managed Desktop Firewall vendors check their Sn0rt import before
releasing and validate the IDS signatures actually apply to their product.
I'll put my stock in industry analysts such as the folks over at Gartner
when they stop producing research reports whose data was gathered by making
phone calls to company executives rather than empirical analysis. That's
right, folks. That much touted Gartner report was exposed not all that
long ago when they were questioned directly about the source of their
As the story goes, they admitted (in a room full of people) to having
simply made phone calls.
<mht> IDC analysts did something similiar in 1997, when they defined the
SoHo Firewall Appliance market. The information they received from the
vendors at the time was the sales funnel information. The only vendors to
survive the SoHo Appliance market where the little router vendors, and not
the original players. I don't think I even remember the original SoHo
Firewall Appliance players.
I look forward to my beer. :)
<mht> You might have to fly to Coor's country to get your beer, Gary, you too..
More information about the Snort-devel