[Snort-users] Re: [Snort-devel] IDS vs IPS

Jeff Nathan jeff at ...950...
Sat Aug 30 18:09:02 EDT 2003



Mark,

In 2003 commercially ready has come to mean that a product contains an 
acceptable number of flaws.  There are a few analysts out there who I 
have faith in (Greg Shipley to name one), but by and large let's not 
give analysts too much credit.  There are plenty of security product 
companies whose products are designed by marketing organizations whose 
members have neither worked in operational security nor attempted to 
penetrate a system.

Yes, Brian Reid and the others credited with inventing the firewall at 
DEC WRL did an impressive job at the time.  Just as the IDS efforts at 
SRI and LLNL in the 1980s were impressive.  It's now 2003 and time 
doesn't stand still.

Hartmeier's PF *IS* good firewall code.  Were we to compare the quality 
of the underlying code it's as good or better than the work at WRL.  
Were we to compare its features to those of the WRL firewall it's no 
contest; the level of completeness is an order of magnitude higher. 
http://www.benzedrine.cx/pf.html (this site appears to be down at the 
moment).

IPS is a made up term.  It's nonexistent.  It's marketing voodoo.  It's 
nondescript and just like other forms of language that have permeated 
the English language as a result of political correctness and the 
haphazard nature of people working in marketing organizations to pull 
buzzwords out of thin air, it reduces the specificity of the topic at 
hand.

IPS might describe any number of concepts.  After all, what does 
intrusion prevention REALLY mean?  Are we talking about preventing 
execution of CPU instructions?  Preventing network data containing 
malicious data from being allowed to reach an end host?  Obviously the 
marketing folks are going to try to spin this in dozens of ways but I'm 
not ready to let them have their way when it comes to destroying the 
specificity of language.

As it relates to computer networks, IPS would have to be gateway 
intrusion detection (aka in-line intrusion detection).  Indeed, if a 
firewall vendor thinks they're moving into this space I'd love to hear 
about their design and implementation.  Also, if a company is moving 
into this space exclusively I'd love to hear about their technology.

As each security company tries to get their hand in the proverbial 
cookie jar we're going to see more and more products touting their IPS 
features.  Taken literally, they might be right.  However, this lack of 
linguistic specificity moves the state of security back several years 
rather than propelling it forward.  Much like NIDS vendors played the game 
of counting how many signatures they had before CVE was created, every 
security company is going to tout their IPS features until a common 
definition is agreed upon.

I'll put my stock in industry analysts such as the folks over at 
Gartner when they stop producing research reports whose data was 
gathered by making phone calls to company executives rather than 
empirical analysis.  That's right, folks.  That much touted Gartner 
report was exposed not all that long ago when they were questioned 
directly about the source of their information.  As the story goes, 
they admitted (in a room full of people) to having simply made phone 
calls.

I look forward to my beer. :)

Take care,

- -Jeff

On Saturday, August 30, 2003, at 05:43 PM, Mark Teicher wrote:

> Jeff,
>
> Rather impressive does not mean it is commercial ready.
> Commercial Ready means it meets or exceeds the criteria of the 
> definition of the Industry Analysts and can be reviewed by the people 
> who do those rather large network type bake-offs of products and 
> barely understand how the technology works except click "Setup.exe" 
> and pray the Installshield doesn't barf on their system which most 
> likely doesn't meet the vendors stated minimum requirements.  How 
> about db's?? How many of the IPS vendors require MSSQL as their 
> database of choice??
>  If the IPS vendors require MS SQL as their database backend, that 
> means the IPS management console can't handle an enterprise type 
> organization without having massive horsepower and some sort of 
> distributed console management technology underlying it.  How many of 
> the industry reviewers actually review that type of scenario.. ??
>
> I might not even have to take off my shoes to count. Oh better yet, 
> let me get out my abacus..
>
> [/standing on soapbox]
>
> Back to my original ranting,  GOOD firewall code hasn't been produced 
> in years..In fact, if someone could dig up Wei Xu, Peter Churchill or 
> Brian Reid.. I am sure they could tell you stories about GOOD firewall 
> code, proxy code and the crud they had to put up with.
>
> You know there are still Digital Equipment Corporation Firewalls in 
> place at a major bank in NY/NJ area.. (DECSeal at least 20 of them by 
> my last count).. the technology is 10 years old, and no one has broken 
> into them.. Go figure that one out..  no IDS, no IPS.. Actually in 
> fact, I can also name a few other companies that still have Gauntlet 
> firewalls in place..
>
> Was it GOOD firewall code, who knows, but the fact remains, IPS 
> technology is still in its infancy, while Firewalls have been around 
> for almost 15 years, and IDS technology, although not fully matured 
> over 5 years.
>  IPS is less than 30 months old, and every single marketing person 
> expels "IPS is the future, firewalls and IDS are dead"  OK, marketing 
> people, speak up and tell us who the pure IPS vendors are, not 
> firewall and IDS vendors trying to re-define their space and get some 
> marketing mojo going..
>
> I even cc'ed a marketing person on the list so that they can respond 
> to the hype and defend themselves in this little thread.. C'mon give 
> us the marketing hype and story..  Anyone else from other vendors 
> marketing department listening/reading..  ??
>
> [/slipping off soapbox...]
>
> argghhhh, I have fallen underneath the IPS hype and need to call the 
> nearest IPS marketing person to get up...
>
> P.S. Does this mean I am back to my full lunacy of ranting and 
> raving, not quite sure, but it is fun to be alive again.. Jeff N and 
> Gary C, I owe you two a beer..
>
> /cheers
>
> /mark
>
> At 06:02 PM 8/30/2003, Jeff Nathan wrote:
>
>> Mark,
>>
>> not entirely true. Dan Hartmeier's packet filter is rather impressive.
>>
>> - -Jeff

- --
Top security experts.  Cutting edge tools, techniques and information.
Tokyo, Japan   November, 2003   http://www.pacsec.jp