Re: Changes in IDS Companies?

From: roy lo (
Date: 10/17/02

Date: Thu, 17 Oct 2002 00:52:53 -0500
From: roy lo <>
To: Chris Petersen <>

I think you have just point out an interesting point here. Is the "IPS"
part really usable??

A few month ago we had a discussion here regarding if man power can be
waver by having advance IDS (or something along that line) [correct me
if I'm wrong]
I think the conclusion we came to was that until the "AI" of that IDS is
advance enough, man power couldn't/can't be waver.

And "IPS" seems to be a good example of it. Like you(Chris) have point
out here, the IPS function will be turn off due to the fact that
false alarms will be too high for it to be consider "safe" to use.

So here is my questions to those of you, who works for those IDS vendors:
"What kinda of effort is spend on refining(or develop) the logic (AI)
part of the (IPS)IDS?"
"And how much of the hardware resource will be allocating to supporting
it? (An individual PU chip? or??)

Chris Petersen wrote:

>I think we need to be careful not to get too caught up in the hype of
>"intrusion prevention" which imo is 90% marketing, 10% reality. All
>commercial NIDS today provide some sort of intrusion prevention
>capability in the form of active response features such as shunning
>(reconfiguring firewall/router ACLs) and sniping (e.g., TCP resets) -
>they just don't sit in-line like Intruvert or Tipping Point. However,
>organizations are hesitant (or rather terrified) of enabling any of
>these aformentioned active response features for fear of
>blocking/terminating authorized traffic. Why??? IDS vendors have not
>been able to get false alarm/postive rates down to a level where
>organizations would trust an IDS alert to enforce network policy.
>Nothing I've seen or read from these new vendors gives me any reason to
>believe they have cured the cancer of IDS - false alarms/positives.
>Both Intruvert and Tipping Point rely on the same techniques to detect
>attack/misuse as non "IPS" systems do (e.g., Dragon, Snort, Realsecure)
>namely pattern matching (signatures) and protocol analysis (with a
>little secret anomaly detection sauce thrown in for good measure).
>Lancope isn't an IPS technology but rather a true anomaly-based IDS that
>from what I've seen looks very powerful in the hands of someone who
>really understands their network traffic - not familier with Vsecure and
>Intrusion prevention is definitely the goal and as IDS and firewall
>technologies begin to merge (e.g., Netscreen purchasing OneSecure,
>Symantec's gateway appliance) this is likely where it will end up - with
>one caveat - false alarms need to be reduced to such a neglible level
>that they can be trusted to enforce network policy just as a firewall
>does today. Imho, we have a few years to wait and pure IDS will still
>have a role (preventive vs. detective controls). In the meantime, I
>predict new "IPS" companies products will have false alarm/positive
>rates significantly higher than todays leading commercial products due
>to their limited field deployments causing their "IPS" features to be
>turned off - relagating them to nothing more than a simple "IDS", how
>Chris Petersen
>>-----Original Message-----
>>From: Avi Chesla []
>>Sent: Tuesday, October 15, 2002 4:46 AM
>>Cc: 'Samuel Cure'
>>Subject: RE: Changes in IDS Companies?
>>I totally agree with you. Next generation IDS ,also being
>>called Intrusion Prevention Systems or Perimeter Security
>>devices are the next step in the evolution of the Traditional
>>Intrusion Detection Systems. Vendors such as Intruvert,
>>Tipping point , Vsecure Technologies , Lancope, Forescout ,
>>TopLayer (Mitigator) etc, are example of some. All these
>>vendors claim to have an Intrusion Prevention Systems which
>>usually has some kinds of Adaptive capabilities, they do
>>behavioral and protocol analysis and do not based on attack
>>signature (most of them) , they sit in-line (most of them),
>>they mitigate attack without be depended in other products to
>>do the blocking...
>>Best Regards,
>>Avi Chesla
>>Director of Research
>>Vsecure Technoliges, Inc.
>>-----Original Message-----
>>From: Samuel Cure []
>>Sent: Monday, October 14, 2002 10:54 PM
>>Subject: Changes in IDS Companies?
>>Just noticing some changes with some known IDS companies and
>>wanted some feedback from the community. Because Marcus Ranum
>>left NFR earlier this year and Ron Gula has left Enterasys
>>Networks, I am questioning the future of some early-on IDS
>>companies. I mentioned some time ago that the IDS market will
>>eventually consolidate and it seems like things are moving in
>>that direction.
>>To further enforce my point, word on the street is
>>TippingPoint is now seeking for someone to buy them out. Does
>>anyone else have anything that could help validate this or
>>these types of trends in IDS companies?
>>Thanks in advance!
>>Samuel J. Cure
>>Security Specialist
>>NetPierce Security Services

Roy Lo  
Freelance Consultant 
E-mail -

Sun Certified Network Administrator (SCNA) Sun Certified System Administrator (SCSA) Cisco Certified Network Associate (CCNA)