RE: Changes in IDS Companies?

From: Ralph Los (RLos@enteredge.com)
Date: 10/17/02


From: "Ralph Los" <RLos@enteredge.com>
To: "'Martin Roesch'" <roesch@sourcefire.com>, "Avi Chesla" <avic@V-Secure.com>
Date: Thu, 17 Oct 2002 08:52:00 -0400


Community:

        I'd like to take a minute to address the 'in-line' fear. There
needs to be some physical fail-over capacity within IDSes. I have one
particular example I'd like to bring up.
        I've been successfully deploying NetworkICE's (now ISS, I know)
Guard product. I don't know how many of you out there do use it, but I
love it. It does intrusion detection with alerting and pattern matching
(although this is hopefully improving?) as well as having a fail-over pod.
By this I mean that in case the box fails to heartbeat to the little pod
connected 'around it' (to bypass it) over the serial connection to the
pod, a failure is detected and the little pod cuts over to a
pass-through mode. At that point you have a huge problem because your
IDS is down...but at least your network isn't, right? This is precisely
the reason I can't emphasize enough the importance of layered security.
Folks used to have the misconception that a firewall was enough. Now
apparently we (security folk) have taught them that firewall + IDS is
enough. There is no such thing as 'good enough' in my opinion. It's
all about acceptable risk versus fiscal responsibility. Can a firm have
a firewall w/DMZs, an in-line active IDS (as mentioned) in front of and
behind the firewall (double protection) as well as HIDS (host-based
IDSes)? Of course! Is this a substitute for patching your crappy IIS
boxes? NO! But anyway, I'm off on a rant. I hope my point was clear.

-= Ralph Los -= Sr. Security Engineer =-
-= EnterEdge Technology, Atlanta =-
-= Providing blanket protection against the unknown and unwanted 24x7x365. =-
-= Desk: (770) 955-9899 x.206 =-
-= Email: rlos@enteredge.com =-
-= Email Pgr: rlospage@enteredge.com =-

::: -----Original Message-----
::: From: Martin Roesch [mailto:roesch@sourcefire.com]
::: Sent: Wednesday, October 16, 2002 5:47 PM
::: To: Avi Chesla
::: Cc: focus-ids@securityfocus.com; 'Samuel Cure'
::: Subject: Re: Changes in IDS Companies?
:::
:::
::: Network intrusion prevention systems are also relatively untested and
::: still first generation. The Hogwash wrapper for Snort (and the in-line
::: mode being rolled into Snort) are both good technologies and intrusion
::: prevention in general is a good idea, but the distance between "good
::: idea" and a concept that's ready for larger market acceptance is a
::: pretty wide gap.
:::
::: One of the things that's been bothering me about the rush to build and
::: deploy Network Intrusion Prevention Systems (NIPS) lately is the
::: complete lack of discussion about the downsides of such technologies.
::: My consternation falls into a couple categories that deal with the
::: failure modes of NIPS and the political issues associated with
::: deploying this kind of technology.
:::
::: Most NIPS are built on the concepts pioneered by intrusion detection
::: systems, protocol anomaly detection, signature-based analysis and
::: traffic anomaly detection (port scans, etc). Intrusion detection
::: techniques are pretty well known for their applicability to specific
::: problem areas, signature-based detection doesn't pick up attacks it
::: doesn't know about, anomaly-based detection can't pick up signature
::: based events (/cgi-bin/phf) very effectively. The melding of these
::: techniques is critical to providing good coverage from the perspective
::: of a sensor designer, which is why Snort does signature and protocol
::: anomaly detection (and several other tricks). The problem is that *no*
::: technology is capable of picking up every possible attack, a mix of
::: technologies is often the best way to go to provide effective coverage
::: of the security picture on a given network.
:::
::: With this in mind, the basic question becomes "how do we know if our
::: NIPS misses an attack?" If the NIPS misses an attack, we better have
::: a pretty good NIDS/HIDS in place to let us know what happened.
:::
::: How about failure modes of the technology itself? It's been shown
::: repeatedly in tests that NIDS technology can be notoriously unstable in
::: a number of scenarios, what happens if that instability is translated
::: to an in-line device? We're either going to have a fail closed
::: scenario (protected network is DoS'd) or a fail open scenario in which
::: the protected network becomes unprotected, possibly for a protracted
::: period of time. In the first scenario the failure mode will make
::: itself apparent very rapidly, but in the second a NIDS/HIDS is going to
::: be required to record and inform the security/admin staff about the
::: problem as well as attacks during the lapse.
:::
::: There's also the political battle of deploying another in-line
::: technology in the network, etc. that will be fought anytime one of
::: these is deployed, although I think that fight will happen in the
::: enterprise and not in the mid-tier market.
:::
::: I'm an advocate of a layered solution. Firewalls, NIDS/HIDS,
::: authentication, crypto, etc. all continue to have their places on the
::: network. I think that host-based IPS will see quicker acceptance in
::: the market than NIPS due to the lower "price of deployment/failure"
::: associated with the host-based technologies, they're more like AV
::: systems in their positioning as an end-host oriented security
::: mechanism. I think that there will definitely be convergence of the
::: firewall and the NIDS, but I think it's early to declare these systems
::: as the next generation, the political battle will have to be fought and
::: the operational limitations of the technologies will have to be found
::: before the final place of IPS in the network security "ecosystem" will
::: be known.
:::
::: -Marty
:::
::: --
::: Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
::: Sourcefire: Snort-based Enterprise Intrusion Detection
::: Infrastructure roesch@sourcefire.com - http://www.sourcefire.com
::: Snort: Open Source Network IDS - http://www.snort.org
:::
::: On Tuesday, October 15, 2002, at 04:45 AM, Avi Chesla wrote:
:::
::: > I totally agree with you. Next generation IDS, also being called
::: > Intrusion Prevention Systems or Perimeter Security devices, are the
::: > next step in the evolution of the Traditional Intrusion Detection
::: > Systems. Vendors such as Intruvert, Tipping point, Vsecure
::: > Technologies, Lancope, Forescout, TopLayer (Mitigator) etc, are
::: > examples of some.
::: > All these vendors claim to have an Intrusion Prevention System which
::: > usually has some kinds of Adaptive capabilities, they do behavioral
::: > and protocol analysis and are not based on attack signatures (most
::: > of them), they sit in-line (most of them), they mitigate attacks
::: > without depending on other products to do the blocking...
::: >
::: > Best Regards,
::: >
::: > Avi Chesla
::: > Director of Research
::: > Vsecure Technologies, Inc.
::: > www.v-secure.com
::: >
::: > -----Original Message-----
::: > From: Samuel Cure [mailto:scure@netpierce.net]
::: > Sent: Monday, October 14, 2002 10:54 PM
::: > To: focus-ids@securityfocus.com
::: > Subject: Changes in IDS Companies?
::: >
::: >
::: > Just noticing some changes with some known IDS companies and wanted
::: > some feedback from the community. Because Marcus Ranum left NFR
::: > earlier this year and Ron Gula has left Enterasys Networks, I am
::: > questioning the future of some early-on IDS companies. I mentioned
::: > some time ago that the IDS market will eventually consolidate and it
::: > seems like things are moving in that direction.
::: >
::: >
::: > To further enforce my point, word on the street is TippingPoint is
::: > now seeking someone to buy them out. Does anyone else have anything
::: > that could help validate this or these types of trends in IDS
::: > companies?
::: >
::: >
::: >
::: > Thanks in advance!
::: >
::: > -------------------
::: > Samuel J. Cure
::: > Security Specialist
::: > NetPierce Security Services
::: > www.netpierce.net
::: > -------------------
::: >
::: >
:::
:::
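The heartbeat-driven bypass pod Ralph describes, and the fail-open versus fail-closed trade-off Marty raises, as an added simulation written for this archive page. It is not code from either poster, from the NetworkICE/ISS Guard product, or from Snort/Hogwash; the pod, its timeout, and the packet timeline are all constructed assumptions. What it shows is the part both posts care about: a fail-open pod passes attacks during the lapse and must record the window so a NIDS/HIDS can be checked for what got through, while a fail-closed pod turns the same sensor outage into a self-inflicted DoS on legitimate traffic.

```python
"""Model of an in-line sensor wired through a watchdog bypass pod (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Mode(Enum):
    INLINE = "inline"              # sensor inspects every packet and may drop it
    PASS_THROUGH = "pass-through"  # pod bypasses the sensor: fail open
    BLOCKED = "blocked"            # pod cuts the link: fail closed


@dataclass
class BypassPod:
    """Hypothetical pod 'around' the sensor, fed by a heartbeat over a serial line."""
    timeout: float                 # seconds without a heartbeat before failing over
    fail_open: bool = True
    last_heartbeat: float = 0.0
    mode: Mode = Mode.INLINE
    failed_at: Optional[float] = None
    events: List[Tuple] = field(default_factory=list)  # audit trail of transitions

    def heartbeat(self, now: float) -> None:
        """Sensor proves it is alive; a returning sensor closes the outage window."""
        self.last_heartbeat = now
        if self.mode is not Mode.INLINE:
            self.events.append(("recovered", self.failed_at, now))
            self.mode = Mode.INLINE
            self.failed_at = None

    def tick(self, now: float) -> Mode:
        """Pod's own clock: a missed heartbeat triggers the configured failure mode."""
        if self.mode is Mode.INLINE and now - self.last_heartbeat > self.timeout:
            self.failed_at = now
            self.mode = Mode.PASS_THROUGH if self.fail_open else Mode.BLOCKED
            self.events.append(("failover", self.mode.value, now))
        return self.mode

    def forward(self, now: float, sensor_verdict: Optional[str]) -> str:
        """Fate of one packet. sensor_verdict is 'pass'/'drop', or None if the sensor is dead."""
        mode = self.tick(now)
        if mode is Mode.INLINE:
            # Sensor dead but pod has not timed out yet: the packet stalls on the wire.
            return sensor_verdict if sensor_verdict is not None else "stalled"
        if mode is Mode.PASS_THROUGH:
            return "pass"   # everything flows, attacks included: the lapse a NIDS/HIDS must cover
        return "drop"       # fail closed: attacks and legitimate traffic alike are cut off

    def outage_windows(self) -> List[Tuple[float, float]]:
        """Intervals with no inspection (unprotected if fail-open, offline if fail-closed)."""
        return [(start, end) for kind, start, end in self.events if kind == "recovered"]


# Constructed timeline: (time, sensor_alive, packet_kind). A live sensor drops 'attack'.
TRACE = [
    (1.0, True, "legit"),
    (2.0, True, "attack"),
    (5.0, False, "legit"),    # sensor crashed after t=2; pod timeout not yet exceeded
    (6.0, False, "attack"),   # pod has failed over by now
    (7.0, False, "legit"),
    (9.0, True, "attack"),    # sensor rebooted and heartbeating again
]


def simulate(fail_open: bool, timeout: float = 3.0) -> dict:
    """Run the constructed trace through a pod and return verdicts plus outage windows."""
    pod = BypassPod(timeout=timeout, fail_open=fail_open)
    verdicts = []
    for now, alive, kind in TRACE:
        if alive:
            pod.heartbeat(now)
            verdict = pod.forward(now, "drop" if kind == "attack" else "pass")
        else:
            verdict = pod.forward(now, None)
        verdicts.append((now, kind, verdict))
    return {"verdicts": verdicts, "outages": pod.outage_windows(), "final_mode": pod.mode.value}


def attacks_missed(result: dict) -> int:
    """Attacks that reached the protected network: the question 'did our NIPS miss one?'"""
    return sum(1 for _, kind, v in result["verdicts"] if kind == "attack" and v == "pass")


def legit_dropped(result: dict) -> int:
    """Legitimate packets cut off: the fail-closed DoS on the protected network."""
    return sum(1 for _, kind, v in result["verdicts"] if kind == "legit" and v == "drop")


if __name__ == "__main__":
    for fail_open in (True, False):
        r = simulate(fail_open)
        print("fail-open" if fail_open else "fail-closed", r["verdicts"])
        print("  outage windows to hand to NIDS/HIDS review:", r["outages"])
        print("  attacks missed:", attacks_missed(r), " legit dropped:", legit_dropped(r))
```

The timeout is the knob both posts implicitly argue about: until the pod notices the missed heartbeat, packets neither pass nor get dropped (the `stalled` verdict at t=5), and once it switches, the recorded outage window is the only evidence that any `pass` verdict in it was never inspected.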