RE: Changes in IDS Companies?

From: Chris Petersen (chris@idsroi.com)
Date: 10/17/02


Date: Thu, 17 Oct 2002 00:19:20 -0400
From: Chris Petersen <chris@idsroi.com>
To: 'Avi Chesla' <avic@V-Secure.com>, focus-ids@securityfocus.com

I think we need to be careful not to get too caught up in the hype of
"intrusion prevention" which imo is 90% marketing, 10% reality. All
commercial NIDS today provide some sort of intrusion prevention
capability in the form of active response features such as shunning
(reconfiguring firewall/router ACLs) and sniping (e.g., TCP resets) -
they just don't sit in-line like Intruvert or Tipping Point. However,
organizations are hesitant (or rather terrified) of enabling any of
these aforementioned active response features for fear of
blocking/terminating authorized traffic. Why??? IDS vendors have not
been able to get false alarm/positive rates down to a level where
organizations would trust an IDS alert to enforce network policy.

Nothing I've seen or read from these new vendors gives me any reason to
believe they have cured the cancer of IDS - false alarms/positives.
Both Intruvert and Tipping Point rely on the same techniques to detect
attack/misuse as non "IPS" systems do (e.g., Dragon, Snort, Realsecure)
namely pattern matching (signatures) and protocol analysis (with a
little secret anomaly detection sauce thrown in for good measure).
Lancope isn't an IPS technology but rather a true anomaly-based IDS that
from what I've seen looks very powerful in the hands of someone who
really understands their network traffic - not familiar with Vsecure and
Forescout.

Intrusion prevention is definitely the goal and as IDS and firewall
technologies begin to merge (e.g., Netscreen purchasing OneSecure,
Symantec's gateway appliance) this is likely where it will end up - with
one caveat - false alarms need to be reduced to such a negligible level
that they can be trusted to enforce network policy just as a firewall
does today. Imho, we have a few years to wait and pure IDS will still
have a role (preventive vs. detective controls). In the meantime, I
predict new "IPS" companies' products will have false alarm/positive
rates significantly higher than today's leading commercial products due
to their limited field deployments causing their "IPS" features to be
turned off - relegating them to nothing more than a simple "IDS", how
sad.

Chris Petersen

> -----Original Message-----
> From: Avi Chesla [mailto:avic@V-Secure.com]
> Sent: Tuesday, October 15, 2002 4:46 AM
> To: focus-ids@securityfocus.com
> Cc: 'Samuel Cure'
> Subject: RE: Changes in IDS Companies?
>
>
> I totally agree with you. Next generation IDS, also being
> called Intrusion Prevention Systems or Perimeter Security
> devices, are the next step in the evolution of the Traditional
> Intrusion Detection Systems. Vendors such as Intruvert,
> Tipping point, Vsecure Technologies, Lancope, Forescout,
> TopLayer (Mitigator) etc. are examples of some. All these
> vendors claim to have an Intrusion Prevention System which
> usually has some kind of Adaptive capabilities; they do
> behavioral and protocol analysis and are not based on attack
> signatures (most of them), they sit in-line (most of them),
> they mitigate attacks without being dependent on other products to
> do the blocking...
>
> Best Regards,
>
> Avi Chesla
> Director of Research
> Vsecure Technologies, Inc.
> www.v-secure.com
>
> -----Original Message-----
> From: Samuel Cure [mailto:scure@netpierce.net]
> Sent: Monday, October 14, 2002 10:54 PM
> To: focus-ids@securityfocus.com
> Subject: Changes in IDS Companies?
>
>
> Just noticing some changes with some known IDS companies and
> wanted some feedback from the community. Because Marcus Ranum
> left NFR earlier this year and Ron Gula has left Enterasys
> Networks, I am questioning the future of some early-on IDS
> companies. I mentioned some time ago that the IDS market will
> eventually consolidate and it seems like things are moving in
> that direction.
>
>
> To further enforce my point, word on the street is
> TippingPoint is now seeking for someone to buy them out. Does
> anyone else have anything that could help validate this or
> these types of trends in IDS companies?
>
>
>
> Thanks in advance!
>
> -------------------
> Samuel J. Cure
> Security Specialist
> NetPierce Security Services
> www.netpierce.net
> -------------------
>
>
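The trade-off Chris describes in his first paragraph (active response such as shunning is available, but enabling it on raw alerts blocks authorized traffic) can be made concrete with a small simulation. The following is an added example, not code from the original thread or from any of the products named in it: it feeds a constructed batch of sensor alerts (hypothetical addresses and signature names, with ground truth attached only because this is a simulation) through a "shun on every alert" policy and through a gated policy that blocks only on high-severity, corroborated alerts from sources not on an operator allowlist. It also includes a base-rate calculation showing why a seemingly small false-positive rate still makes most automatic blocks hit legitimate traffic when attacks are rare. The thresholds and the allowlist are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    src: str           # source address the sensor attributes the event to
    sig: str           # signature / rule name that fired
    severity: int      # sensor-assigned severity, 1 (low) .. 10 (high)
    true_attack: bool  # ground truth; only known because this is a constructed simulation


# Constructed sample alerts (hypothetical addresses and signature names).
ALERTS = [
    Alert("10.0.0.5", "WEB-CGI phf access", 8, True),
    Alert("10.0.0.5", "WEB-IIS unicode traversal", 9, True),
    Alert("10.0.0.9", "SCAN SYN portscan", 5, True),
    Alert("192.168.1.20", "ICMP PING NMAP", 3, False),        # internal monitoring host
    Alert("192.168.1.30", "WEB-MISC long header", 8, False),  # partner's web client
    Alert("192.168.1.40", "DNS zone transfer", 7, False),     # authorized secondary DNS
]


def naive_shun(alerts):
    """'Shun everything': every source that raises any alert gets an ACL entry."""
    return {a.src for a in alerts}


def gated_shun(alerts, allowlist, min_severity=7, min_distinct_sigs=2):
    """Block a source only when an alert is high-severity, corroborated by a
    second distinct signature from the same source, and the source is not on
    an operator-maintained allowlist. Everything else stays alert-only for a
    human to review (the sensor is still an IDS for those events)."""
    sigs_by_src = defaultdict(set)
    max_sev = defaultdict(int)
    for a in alerts:
        sigs_by_src[a.src].add(a.sig)
        max_sev[a.src] = max(max_sev[a.src], a.severity)
    return {
        src for src in sigs_by_src
        if src not in allowlist
        and max_sev[src] >= min_severity
        and len(sigs_by_src[src]) >= min_distinct_sigs
    }


def evaluate(blocked, alerts):
    """Return (attacking sources blocked, legitimate sources blocked)."""
    attackers = {a.src for a in alerts if a.true_attack}
    legit = {a.src for a in alerts} - attackers
    return len(blocked & attackers), len(blocked & legit)


def block_precision(prevalence, tpr, fpr):
    """Fraction of automatic blocks that hit real attacks, given the share of
    flows that are attacks (prevalence), the sensor's detection rate (tpr)
    and its false-positive rate (fpr). Plain Bayes' rule: rare attacks plus
    a non-zero FP rate means most blocks land on authorized traffic."""
    hits = prevalence * tpr
    false_alarms = (1 - prevalence) * fpr
    return hits / (hits + false_alarms)


if __name__ == "__main__":
    print("naive shun (attackers, legit) blocked:", evaluate(naive_shun(ALERTS), ALERTS))
    print("gated shun (attackers, legit) blocked:",
          evaluate(gated_shun(ALERTS, allowlist={"192.168.1.40"}), ALERTS))
    print("share of blocks hitting real attacks at 0.1%% prevalence, 1%% FP rate: %.3f"
          % block_precision(0.001, 0.9, 0.01))
```

Run as-is: the naive policy blocks both attacking sources but also all three legitimate ones, which is exactly the outcome that makes operators leave shunning switched off. The gated policy blocks no legitimate source, at the cost of leaving the lower-severity portscan source as an alert rather than a block; that residual detection-only role is the "pure IDS" case the post argues will persist. The precision figure (about 8% at a 1% false-positive rate) is the quantitative version of why alert quality, not in-line placement, decides whether an IDS can be trusted to enforce policy.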


