[Snort-users] Re: [Snort-devel] IDS vs IPS

Bob Walder bwalder at ...1455...
Tue Sep 2 05:43:48 EDT 2003


At last.... A voice of sanity and reason

However, I will take issue with one part of your reply - why do we have
to abandon the term at all? It has been grabbed - for better or worse -
by a particular group of vendors to refer to a particular group of
products. And I don't think the term is that wide of the mark. If you
are going to get all precious about it, why not decide that IDS is not a
good term, is marketing fluff, because it should really be
ICDSIBMNAOTASOTOIDDMBFP (I Can Detect Some Intrusions But Not All Of
Them And Some Of The Ones I Do Detect Might Be False Positives)... Not
as catchy though, is it?

We are getting into the realms of The European Community and its
ridiculous assertions that bananas should be straight and The Brits are
no longer allowed to call their ice cream "ice cream" 'cos there is
actually no cream in it - instead it should be known as Non Fat Dairy
Substitute or some other similar ridiculous term.

So, now we have IDS (or NIDS), and HIDS, and IPS (or NIPS) and HIPS...
And we have firewalls, of course... And routers... And ACLs... And
everyone knows what all these things do (and all of them could be said
to have elements of "intrusion detection" and "intrusion prevention" in
them if we look hard enough). So get over it.

When we finally DO get our wonderful converged product which everyone is
waiting for and which is the best of the firewall/IDS/IPS world with
built in anti virus checker, content scanner and coffer maker, then you
can call it the All Singing All Dancing Gateway Security Appliance - or
the Firewall Intrusion Detection and Prevention Appliance - or whatever
other marketing term you like. 

And then we can all argue about that one for weeks on end because
someone decides it can't be all singing and all dancing unless it has a
CD player in it and comes with a free pair of tap shoes.



>> -----Original Message-----
>> From: Frank Knobbe [mailto:frank at ...2134...] 
>> Sent: 01 September 2003 18:37
>> To: Mark Teicher
>> Cc: Jeff Nathan; Jason Sheffield; Crumrine Gary L; Jason; 
>> bwalder at ...1455...; Vkmobile at ...2112...; 
>> snort-devel at lists.sourceforge.net; 
>> snort-users at lists.sourceforge.net; jon.brody at ...2152...; 
>> cklaus at ...2153...
>> Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS
>> I'll cut down to gist of it...
>> On Sun, 2003-08-31 at 10:32, Mark Teicher wrote:
>> > Jeff said:
>> > As it relates to computer networks, IPS would have to be gateway 
>> > intrusion
>> > detection (aka in-line intrusion detection).  Indeed, if a 
>> firewall vendor 
>> > thinks they're moving into this space I'd love to hear 
>> about their design 
>> > and implementation.  Also, if a company is moving into this space 
>> > exclusively I'd love to hear about their technology.
>> > 
>> > Mark said:
>> >  Another inline device.  Jeff, Are you stating that an enterprise
>> > organization should trust an IPS vendor by allowing to put their 
>> > hardware/software inline with their network connectivity, 
>> be it external or 
>> > internal??
>> I think this is a good example for the reason this 
>> discussion is going
>> nowhere. We should be debating what an IPS is from a technical
>> perspective. Instead we argue if they are good or bad, and 
>> how good, how
>> bad. We should leave personal opinion and qualitative 
>> statements out of
>> the discussion and focus on the definition.
>> Now we all agree that certain implementations are flawed while others
>> show promise. We understand that putting too much faith into 
>> a product
>> that sits inline, is a choke point, may not be a good idea. Other may
>> argue that firewalls do that so it's okay. Let's not get hung up on
>> those issues. Let's get back to the definition.
>> We also acknowledge that Intrusion Prevention System is mostly a
>> marketing term. Before the Prevention buzz word was thrown in, these
>> things were called Gateway IDS for lack of a better word. Today
>> Intrusion Prevention Systems include a wider variety than just GIDS.
>> HIPS comes to mind, so I guess we would have to disect what 
>> a HIPS (Host
>> IPS) is and what qualifies to deserve that name.
>> Theoretically *any* countermeasure could be called a 
>> Prevention system.
>> A hardened OS prevents intrusions. Are the Bastille scripts 
>> an IPS? Is
>> SecureIIS or similar wrappers an IPS?
>> Perhaps by discussion this down the right path we can show reasonably
>> well that the term is flawed, and perhaps through a 
>> collaborative paper
>> on the term of IPS we can convince the users/admins/buyers as well as
>> the vendors/market/industry to abandon use of that name...... Yeah, a
>> pipe dream.... but worth trying? If not, we don't even need to argue
>> here. Let's give our discussion a purpose or let it die.
>> Cheers,
>> Frank

More information about the Snort-devel mailing list