Re: re[2]: Gateway IDS
From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 06/28/02
- In reply to: Christopher Cantrell: "re[2]: Gateway IDS"
From: Frank Knobbe <fknobbe@knobbeits.com> To: Christopher Cantrell <cantrell@onesecure.com> Date: 28 Jun 2002 00:05:54 -0500
On Thu, 2002-06-27 at 07:46, Christopher Cantrell wrote:
> >> While nice in concept, I doubt that these gateway IDS will find wide
> >> acceptance due to their latency. Signature sets are growing, protocols
> >> are added, but at the same time, bandwidth demand is increasing. I doubt
> >> GIDS will win that race...
>
> I think you have a great point about latency but it is interesting to hear you don't believe in wide acceptance due to latency. 5 years ago, some people thought this about firewalls and now it has become a critical component to the security of a network. The advancements in that technology proved not to impact performance. The advancements being made now in IDS technology (layer 2 and layer 3 support, high availability, load-balanced, STP, stateful (context-based) signatures, etc) all lead to products which can be integrated inline while providing packet processing "and" threat detection at speeds similar to firewalls today. With these rapid developments being made, I would argue there will be a mass mindset shift to implement inline over passive devices in the next 12 months.
hehe... I hope you are right. After all, I really could use a faster
computer (BTW: How about that slashdot article about the new hard drive
coating technology? 1 TB drive in my laptop? Heck yeah!)
The problem I see is that the signature sets are very dynamic and
growing. The growth counters performance. NIDS on ASICs seems a rather
static environment. This may be suitable for protocol analysis but not
signature detection. I'm aware that several vendors such as Cisco have
ASIC-NIDs (ANIDS?). While I have to admit that I haven't played with one
of those myself, the people I talk to that have don't seem too impressed
by their static nature. Yeah, I know, not every IDS can be as flexible
as Snort.... :)
The future of IDS will be interesting though. I hope that GIDS will
evolve, and I agree that an IDS-like inspection of traffic will
eventually complement, if not supersede, stateful firewall protection.
But I doubt that will happen in 12 months.
Given what we have accomplished in regards to security over the last
decade, I'm not too optimistic about GIDS....
(sorry, just a glass-half-empty day... :)
Regards,
Frank