RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)

From: Don Parker (dparker_at_rigelksecurity.com)
Date: 02/27/04

  • Next message: Paul Robertson: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)" 
    To: "Marcus J. Ranum" <mjr@ranum.com>, "Stiennon,  Richard" <Richard.Stiennon@gartner.com>, "Ben Nagy" <ben@iagu.net>, <firewall-wizards@honor.icsalabs.com>
Date: Thu, 26 Feb 2004 18:00:19 -0500 (EST)

    Bleh! That was the normal tripe from Gartner with a poorly reserached article. It always
    does and always will come down to the person using the darn IDS/IPS bleh whatever. If
    you have an untrained person managing it then expect less than stellar results. (read
    here a river of false positives) If you have someone adminstering this unit who has a
    clue then you will have a propely functioning piece of technology. It amuses me to hear
    of all these so-called experts purge forth these pithy statements when they themselves
    are in severe need of a clue bag. There, I feel much better now.
     
    Cheers!
     
    Don
     
    -------------------------------------------
    Don Parker, GCIA
    Intrusion Detection Specialist
    Rigel Kent Security & Advisory Services Inc
    www.rigelksecurity.com
    ph :613.249.8340
    fax:613.249.8319
    --------------------------------------------
     
    On Feb 26, "Marcus J. Ranum" <mjr@ranum.com> wrote:
     
    Stiennon,Richard wrote:
    >Multiple methodologies to determine malicious intent. Usually includes signature,
    protocol anomaly, behavior and flow capabilities.
     
    And since we've got you here....
     
    Can you explain how these "signatures" and "protocol anomaly" detectors
    and "behavior and flow capabilities" are going to NOT suffer all the problems
    with false positives that caused Gartner to announce that IDS was a
    failure?
     
     From your own definition, it sounds like you at least understand that
    the functional mechanisms for detecting "malicious intent" are the
    same in an "IPS" as they are in an IDS. So if you guys at Gartner
    think IDS sucks because it can't do an accurate enough job of
    detecting "malicious intent" I'd love to hear how you think it's going
    to work better in an "IPS" when a false positive results in a dropped
    connection.
     
    I'm so glad you're monitoring this list - that way we can get the
    explanation straight from the horse's mouth, as it were...*
     
    mjr.
     
    (* With apologies to my horse P-nut who doesn't read this list.
    The expression "straight from the horse's mouth" means something
    entirely different once you've spent some time with equines. You
    should see what my white straw stetson looked like "straight from
    the horse's mouth" the time P-nut played 'fetch' and 'tag' with it)
     
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    <a href='http://honor.icsalabs.com/mailman/listinfo/firewall-wizards'>http://
    honor.icsalabs.com/mailman/listinfo/firewall-wizards</a>
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Paul Robertson: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)"