Re: Changes in IDS Companies?

From: Martin Roesch (roesch@sourcefire.com)
Date: 10/31/02


Date: Wed, 30 Oct 2002 21:24:03 -0500
To: Kevin Jones <kjmjones@yahoo.com>
From: Martin Roesch <roesch@sourcefire.com>

On Tuesday, October 29, 2002, at 12:07 PM, Kevin Jones wrote:
[much snipped]

> However, I agree that once the technical hurdles are overcome (& they will
> be), NIPS will begin to displace NIDS...But then encryption will pose an
> increasing problem. For that reason, HIPS will become more necessary, but
> also firewall/IDS/VPN systems will make sense as key checkpoints
> (literally) in the network...thus the move by Check Point & Netscreen.
> Firewall & IDS (& AV too) vendors ally/acquire partners on the other side,
> and those that don't will be left out. Thus, the changes in IDS companies
> as referenced in the original message in this thread.

Actually, I think if the promise of NIPS is realized, if it replaces
anything it will replace *firewalls*, not NIDS. The monitoring need is
not removed by NIPS, the stateful packet filtering/access control need
is. To recap my view on this one, if your NIPS fails (false
negative/fail open) you're going to need an IDS to let you know what's
going on. Additionally, there's going to be a need to monitor traffic
that doesn't pass through the gateway (internal <-> internal traffic)
that isn't going to go away.

Why do you think the firewall companies are moving on this so fast
(cf. Netscreen/CheckPoint)?

      -Marty

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


