Re: Changes in IDS Companies?
From: Kevin Jones (kjmjones@yahoo.com)
Date: 10/29/02
- Previous message: Matt Harris: "Re: Changes in IDS Companies?"
- Maybe in reply to: Samuel Cure: "Changes in IDS Companies?"
- Next in thread: Martin Roesch: "Re: Changes in IDS Companies?"
- Next in thread: Ramesh Gupta: "RE: Changes in IDS Companies?"
- Reply: Martin Roesch: "Re: Changes in IDS Companies?"
Date: 29 Oct 2002 17:07:28 -0000
From: Kevin Jones <kjmjones@yahoo.com>
To: focus-ids@securityfocus.com
In-Reply-To: <03EA8EE1BD1FAD46A6AB4525406795E12F4E34@ct2001.webcti.local>
Well...Netscreen didn't *build* a NIPS, they bought one (OneSecure). And
while everyone gets all excited about the possibility of inline IDS, many
still are skeptical that the reality matches the marketing...yet.
Intrusion Prevention IS a good idea, and will eventually be commonplace I
suppose. Of course, it is not clear who will capture & dominate that
market space. Both the firewall vendors (like Check Point's development
of SmartDefense) and traditional IDS vendors (like RealSecure Guard) see
this space as an emerging niche.
The sentiment among the skeptics has a lot to do with the problems that
have plagued NIDS for a long time - false positives (alerting on legit
traffic), false negatives (not alerting on suspect traffic) and
performance. The concern many have regarding IPS is that they have had to
cut corners on the first two (attack recognition) in order to ensure the
IPS is not a performance bottleneck. It just seems unlikely that so many
NIDS would struggle with being able to keep up with network traffic while
not missing any intrusions, but IPS vendors have come along and solved
that problem from the start. So what if they claim to process ~2 Gbps if
they have immature intrusion analysis mechanisms? Until I see some IPS
systems undergo some rigorous testing (like Neohapsis OSEC) to separate
the hype from the reality, I remain skeptical. Only RealSecure & Intruvert
have been certified to date, but not the RS Guard product. IntruShield is
an inline IDS, but is quite expensive (~$100K).
However, I agree that once the technical hurdles are overcome (& they will
be), NIPS will begin to displace NIDS...But then encryption will pose an
increasing problem. For that reason, HIPS will become more necessary, but
also firewall/IDS/VPN systems will make sense as key checkpoints
(literally) in the network...thus the move by Check Point & Netscreen.
Firewall & IDS (& AV too) vendors ally/acquire partners on the other side,
and those that don't will be left out. Thus, the changes in IDS companies
as referenced in the original message in this thread.
>
>Initially I would tend to agree that HIPS would move more rapidly, but
>then a big firewall player like Netscreen builds a NIPS. My guess would
>be all the other firewall appliance players are scrambling to come up
>with a nice neat little device that works similar.
>
>I know WatchGuard has an IDS integration tool already. It's actually
>just a command line program that auto-blocks on the appliance given
>certain output. I've been trying to implement it with Snort in a test
>bed scenario and would be very surprised if it wasn't integrated and
>expanded on the firebox line into a true NIPS in the future.
>
>Other to quickly follow?
>
>M. Dante Mercurio, CCNA, MCSE+I, CCSA
>dmercurio@ccgsecurity.com
>Consulting Group Manager
>Continental Consulting Group, LLC
>www.ccgsecurity.com
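As an added example, not part of this thread or of any vendor's product: the false-positive concern above is exactly what an auto-block tool of the kind described in the quoted message (Snort output driving firewall blocks) has to guard against, so this sketch parses Snort alert_fast lines and only hands a source to the firewall after repeated high-priority hits, never for exempt ranges. The alert_fast layout is assumed from the common case, and the sample alerts, the exempt ranges and the thresholds are constructed values.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Layout of a Snort alert_fast line (assumed, common case): timestamp, [gid:sid:rev],
# message, optional classification, priority, protocol, src[:port] -> dst[:port].
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)
# Ranges the firewall must never block on the sensor's say-so (constructed example values).
NEVER_BLOCK = [ip_network("192.168.1.0/24"), ip_network("10.0.0.53/32")]

def _alert(prio, src, sport):  # builds one constructed alert_fast line for the sample
    return ("10/29-17:07:28.000001  [**] [1:1000001:1] CONSTRUCTED exploit attempt [**] "
            f"[Classification: Attempted Administrator Privilege Gain] [Priority: {prio}] "
            f"{{TCP}} {src}:{sport} -> 10.0.0.80:80")

# Constructed sample: 3 hits from an outside host, 3 from an exempt internal host,
# one low-priority alert and one isolated high-priority alert.
SAMPLE_ALERTS = (
    [_alert(1, "203.0.113.7", p) for p in (40001, 40002, 40003)]
    + [_alert(1, "192.168.1.20", p) for p in (50001, 50002, 50003)]
    + [_alert(3, "198.51.100.9", 60001), _alert(1, "198.51.100.22", 60002)]
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["prio"], fields["sid"] = int(fields["prio"]), int(fields["sid"])
    return fields

def block_decisions(lines, max_priority=1, min_hits=3):
    """Source IPs a cautious auto-blocker would hand to the firewall. One alert is
    never enough: a source must trip min_hits alerts of priority <= max_priority,
    and exempt ranges are skipped, so one false positive cannot become a self-DoS."""
    hits = defaultdict(int)
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue  # unparsable or low severity: log it, do not act on it
        src = ip_address(alert["src"])
        if any(src in net for net in NEVER_BLOCK):
            continue  # protected host: alert only, never block
        hits[src] += 1
    return {str(ip) for ip, n in hits.items() if n >= min_hits}
```

On the constructed sample only the outside host that tripped three priority-1 alerts is returned; the internal host is exempt, and the single or low-priority alerts stay as log entries.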