RE: Changes in IDS Companies?

From: Oliver Petruzel (
Date: 10/17/02

From: "Oliver Petruzel" <>
To: "'roy lo'" <>, "'Chris Petersen'" <>
Date: Thu, 17 Oct 2002 13:02:45 -0400

One problem that I'm seeing is a lack of understanding of IPS and its
true definition. IMNSHO, there must always be the 'H', as in 'HIPS'.

There can not be an "inline", or NIPS, which will be very effective, due
to encryption on the wire. The IPS systems MUST be placed at the host.
Anything else is truly just old NIDS technology sending traps on
"obvious" attacks.

Only at the host can "unknown" or encypted attacks be EFFECTIVELY
detected and stopped. Unless you combine a NIPS box with a VPN, and
that becomes a network speedbump of the highest order, and still does
nothing for ALL encryption. At the host, a HIPS such as Okena or
Entercept would have been much more effective if included by default in
.NET server, than say, the personal firewall... This holds true for all
OS. I cant believe none of the big OS software folks have moved on this
to date.

I do believe we had this EXACT same conversation on this same list more
than 12 months ago. I believe I had to point out the exact same faults
in NIPS ideas then...perhaps I will get inspired and search the


-----Original Message-----
From: roy lo []
Sent: Thursday, October 17, 2002 1:53 AM
To: Chris Petersen
Cc: 'Avi Chesla';; 'Samuel Cure'
Subject: Re: Changes in IDS Companies?

I think you have just point out an interesting point here. Is the "IPS"
part really usable??

A few month ago we had a discussion here regarding if man power can be
waver by having advance IDS (or something along that line) [correct me
if I'm wrong]
I think the conclusion we came to was that until the "AI" of that IDS is

advance enough, man power couldn't/can't be waver.

And "IPS" seems to be a good example of it. Like you(Chris) have point
out here, the IPS function will be turn off due to the fact that false
alarms will be too high for it to be consider "safe" to use.

So here is my questions to those of you, who works for those IDS
vendors: "What kinda of effort is spend on refining(or develop) the
logic (AI)
part of the (IPS)IDS?"
"And how much of the hardware resource will be allocating to supporting
it? (An individual PU chip? or??)

Chris Petersen wrote:

>I think we need to be careful not to get too caught up in the hype of
>"intrusion prevention" which imo is 90% marketing, 10% reality. All
>commercial NIDS today provide some sort of intrusion prevention
>capability in the form of active response features such as shunning
>(reconfiguring firewall/router ACLs) and sniping (e.g., TCP resets) -
>they just don't sit in-line like Intruvert or Tipping Point. However,
>organizations are hesitant (or rather terrified) of enabling any of
>these aformentioned active response features for fear of
>blocking/terminating authorized traffic. Why??? IDS vendors have not
>been able to get false alarm/postive rates down to a level where
>organizations would trust an IDS alert to enforce network policy.
>Nothing I've seen or read from these new vendors gives me any reason to

>believe they have cured the cancer of IDS - false alarms/positives.
>Both Intruvert and Tipping Point rely on the same techniques to detect
>attack/misuse as non "IPS" systems do (e.g., Dragon, Snort, Realsecure)

>namely pattern matching (signatures) and protocol analysis (with a
>little secret anomaly detection sauce thrown in for good measure).
>Lancope isn't an IPS technology but rather a true anomaly-based IDS
>that from what I've seen looks very powerful in the hands of someone
>who really understands their network traffic - not familier with
>Vsecure and Forescout.
>Intrusion prevention is definitely the goal and as IDS and firewall
>technologies begin to merge (e.g., Netscreen purchasing OneSecure,
>Symantec's gateway appliance) this is likely where it will end up -
>with one caveat - false alarms need to be reduced to such a neglible
>level that they can be trusted to enforce network policy just as a
>firewall does today. Imho, we have a few years to wait and pure IDS
>will still have a role (preventive vs. detective controls). In the
>meantime, I predict new "IPS" companies products will have false
>alarm/positive rates significantly higher than todays leading
>commercial products due to their limited field deployments causing
>their "IPS" features to be turned off - relagating them to nothing more

>than a simple "IDS", how sad.
>Chris Petersen
>>-----Original Message-----
>>From: Avi Chesla []
>>Sent: Tuesday, October 15, 2002 4:46 AM
>>Cc: 'Samuel Cure'
>>Subject: RE: Changes in IDS Companies?
>>I totally agree with you. Next generation IDS ,also being
>>called Intrusion Prevention Systems or Perimeter Security
>>devices are the next step in the evolution of the Traditional
>>Intrusion Detection Systems. Vendors such as Intruvert,
>>Tipping point , Vsecure Technologies , Lancope, Forescout ,
>>TopLayer (Mitigator) etc, are example of some. All these
>>vendors claim to have an Intrusion Prevention Systems which
>>usually has some kinds of Adaptive capabilities, they do
>>behavioral and protocol analysis and do not based on attack
>>signature (most of them) , they sit in-line (most of them),
>>they mitigate attack without be depended in other products to
>>do the blocking...
>>Best Regards,
>>Avi Chesla
>>Director of Research
>>Vsecure Technoliges, Inc.
>>-----Original Message-----
>>From: Samuel Cure []
>>Sent: Monday, October 14, 2002 10:54 PM
>>Subject: Changes in IDS Companies?
>>Just noticing some changes with some known IDS companies and
>>wanted some feedback from the community. Because Marcus Ranum
>>left NFR earlier this year and Ron Gula has left Enterasys
>>Networks, I am questioning the future of some early-on IDS
>>companies. I mentioned some time ago that the IDS market will
>>eventually consolidate and it seems like things are moving in
>>that direction.
>>To further enforce my point, word on the street is
>>TippingPoint is now seeking for someone to buy them out. Does
>>anyone else have anything that could help validate this or
>>these types of trends in IDS companies?
>>Thanks in advance!
>>Samuel J. Cure
>>Security Specialist
>>NetPierce Security Services

Roy Lo  
Freelance Consultant 
E-mail -

Sun Certified Network Administrator (SCNA) Sun Certified System Administrator (SCSA) Cisco Certified Network Associate (CCNA)