[Snort-users] Re: [Snort-devel] IDS vs IPS
jeff at ...950...
Sat Aug 30 18:09:02 EDT 2003
In 2003 commercially ready has come to mean that a product contains an
acceptable number of flaws. There are a few analysts out there who I
have faith in (Greg Shipley to name one), but by and large let's not
give analysts too much credit. There are plenty of security product
companies whose products are designed by marketing organizations whose
members have neither worked in operational security nor attempted to
penetrate a system.
Yes, Brian Reid and the others credited with inventing the firewall at
DEC WRL did an impressive job at the time. Just as the IDS efforts at
SRI and LLNL in the 1980s were impressive. It's now 2003 and time
doesn't stand still.
Hartmeier's PF *IS* good firewall code. Were we to compare the quality
of the underlying code it's as good or better than the work at WRL.
Were we to compare its features to those of the WRL firewall it's no
contest; the level of completeness is an order of magnitude higher.
http://www.benzedrine.cx/pf.html (this site appears to be down at the
IPS is a made up term. It's nonexistent. It's marketing voodoo. It's
nondescript and just like other forms of language that have permeated
the English language as a result of political correctness and the
haphazard nature of people working in marketing organizations to pull
buzzwords out of thin air, it reduces the specificity of the topic at
IPS might describe any number of concepts. After all, what does
intrusion prevention REALLY mean? Are we talking about preventing
execution of CPU instructions? Preventing network data containing
malicious data from being allowed to reach an end host? Obviously the
marketing folks are going to try to spin this in dozens of ways but I'm
not ready to let them have their way when it comes to destroying the
specificity of language.
As it relates to computer networks, IPS would have to be gateway
intrusion detection (aka in-line intrusion detection). Indeed, if a
firewall vendor thinks they're moving into this space I'd love to hear
about their design and implementation. Also, if a company is moving
into this space exclusively I'd love to hear about their technology.
As each security company tries to get their hand in the proverbial
cookie jar we're going to see more and more products touting their IPS
features. Taken literally, they might be right. However, this lack of
linguistic specificity moves the state of security back several years
rather than propelling it forward. Much like NIDS vendors played the game
of counting how many signatures they had before CVE was created, every
security company is going to tout their IPS features until a common
definition is agreed upon.
I'll put my stock in industry analysts such as the folks over at
Gartner when they stop producing research reports whose data was
gathered by making phone calls to company executives rather than
empirical analysis. That's right, folks. That much-touted Gartner
report was exposed not all that long ago when they were questioned
directly about the source of their information. As the story goes,
they admitted (in a room full of people) to having simply made phone
I look forward to my beer. :)
On Saturday, August 30, 2003, at 05:43 PM, Mark Teicher wrote:
> Rather impressive does not mean it is commercial ready.
> Commercial Ready means it meets or exceeds the criteria of the
> definition of the Industry Analysts and can be reviewed by the people
> who do those rather large network type bake-offs of products and
> barely understand how the technology works except click "Setup.exe"
> and pray the Installshield doesn't barf on their system which most
> likely doesn't meet the vendor's stated minimum requirements. How
> about db's?? How many of the IPS vendors require MSSQL as their
> database of choice??
> If the IPS vendors require MS SQL as their database backend, that
> means the IPS management console can't handle an enterprise type
> organization without having massive horsepower and some sort of
> distributed console management technology underlying it. How many of
> the industry reviewers actually review that type of scenario.. ??
> I might not even have to take off my shoes to count. Oh better yet,
> let me get out my abacus..
> [/standing on soapbox]
> Back to my original ranting, GOOD firewall code hasn't been produced
> in years..In fact, if someone could dig up Wei Xu, Peter Churchill or
> Brian Reid.. I am sure they could tell you stories about GOOD firewall
> code, proxy code and the crud they had to put up with.
> You know there are still Digital Equipment Corporation Firewalls in
> place at a major bank in NY/NJ area.. (DECSeal at least 20 of them by
> my last count).. the technology is 10 years old, and no one has broken
> into them.. Go figure that one out.. no IDS, no IPS.. Actually in
> fact, I can also name a few other companies that still have Gauntlet
> firewalls in place..
> Was it GOOD firewall code, who knows, but the fact remains, IPS
> technology is still in its infancy, while Firewalls have been around
> for almost 15 years, and IDS technology, although not fully matured
> over 5 years.
> IPS is less than 30 months old, and every single marketing person
> expels "IPS is the future, firewalls and IDS are dead" OK, marketing
> people, speak up and tell us who the pure IPS vendors are, not
> firewall and IDS vendors trying to re-define their space and get some
> marketing mojo going..
> I even cc'ed a marketing person on the list so that they can respond
> to the hype and defend themselves in this little thread.. C'mon give
> us the marketing hype and story.. Anyone else from other vendors
> marketing department listening/reading.. ??
> [/slipping off soapbox...]
> argghhhh, I have fallen underneath the IPS hype and need to call the
> nearest IPS marketing person to get up...
> P.S. Does this mean I am back to my full lunacy of ranting and
> raving, not quite sure, but it is fun to be alive again.. Jeff N and
> Gary C, I owe you two a beer..
> At 06:02 PM 8/30/2003, Jeff Nathan wrote:
>> not entirely true. Dan Hartmeier's packet filter is rather impressive.
>> - -Jeff
Top security experts. Cutting edge tools, techniques and information.
Tokyo, Japan, November 2003 http://www.pacsec.jp