IDS, IPS or just rubbish?

From: Jack Ryan (jackryan_at_thedoghousemail.com)
Date: 06/23/03

Date: Sun, 22 Jun 2003 21:31:20 -0700 (PDT)
To: focus-ids@securityfocus.com

    I went to the local product launch of Checkpoint FW-1 Next Generation *Artificial Intelligence* the other day and was interested to see that this technology is nothing more than a signature-based IDS that can pass stuff on to the firewall. Funnily enough they call it "Active Defense" which is the same name NAI used to describe Cybercop talking to Gauntlet before they dropped/sold the products.

    Checkpoint are pushing this patch to NG FP3 FW-1 as an all-in-one solution whereby you wouldn't need an IDS as well as a firewall. In Hong Kong they have over 70% of the firewall market - their market penetration is similar worldwide - in order to gain competitive advantage they are trying to crush the IDS/IPS market. Maybe they've been partying with Gartner.

    What's more they are lying through their teeth. I sat there and listened to them pull out terms like zero-day and protocol anomaly detection which is simply them jumping on the bandwagon of quality solutions. It is signature-based, and though Checkpoint will apparently notify you of any new threats you will still need to edit a text file so that the firewall knows what they are.

    Their big push is that they are doing application-layer stuff now which anyone who knows firewalls will know is what Sidewinder, Gauntlet and Axent (Symantec) have been doing for years. FW-1 is a stateful packet filter - and probably the best there is in terms of enterprise management. However they are not analysing traffic at the application layer aside from a handful of signatures. They were saying that FW-1 NG AI is the only gateway solution of its kind. Symantec have had signature-based IDS combined with the *real* layer 7 Raptor firewall in their SGS box for ages. (performance aside...)

    They kept telling me about SQL Slammer and how this solution will stop it. What utter crap. Can anyone on this list tell me of a signature-based IDS which picked Slammer up in the 2-odd hours it needed to propagate?

    There has been a lot of discussion here about the future of IDS - I think I've seen Checkpoint's vision....... Treat us all like fools.

    Zero-day detection my ****.

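The post's core point is that a signature-based engine cannot fire on a worm until someone has written the signature, whereas a worm like Slammer announces itself through its traffic pattern (a single host suddenly spraying one UDP port). The script below is an added example, not code from the original post or from any vendor named in it; it runs two detectors over a small set of constructed UDP traffic records (not a real capture): a signature matcher with a made-up pattern database, and a rate-based anomaly check that needs no payload knowledge at all. The "XX-MADEUP-WORM-XX" payload, the IP addresses and the thresholds are all invented for the demonstration.

```python
"""Signature matching versus rate-based anomaly detection on constructed
UDP traffic. Added example; the traffic and signatures are made up."""
from collections import defaultdict

# Constructed sample traffic: (second, src_ip, dst_port, payload).
# Two hosts send one normal-looking lookup each to UDP/1434.
TRAFFIC = [
    (0.0, "10.0.0.2", 1434, b"SQL-BROWSE?Server1"),
    (3.0, "10.0.0.3", 1434, b"SQL-BROWSE?Server2"),
]
# One host sends 40 packets to the same port within two seconds, carrying a
# made-up payload that stands in for a worm nobody has a signature for yet.
TRAFFIC += [
    (1.0 + i * 0.05, "10.0.0.7", 1434, b"XX-MADEUP-WORM-XX" + bytes([i]))
    for i in range(40)
]
TRAFFIC.sort(key=lambda rec: rec[0])

# Signature database as it stands before the outbreak: nothing matches.
SIGNATURES_BEFORE = {"old-exploit": b"OLD-PATTERN"}
# The same database after a vendor ships the new signature hours later.
SIGNATURES_AFTER = dict(SIGNATURES_BEFORE, **{"new-worm": b"XX-MADEUP-WORM-XX"})


def signature_alerts(traffic, signatures):
    """Return (src_ip, signature_name) for every packet whose payload contains
    a known pattern. Nothing fires until the pattern is in the database."""
    hits = []
    for _, src, _, payload in traffic:
        for name, pattern in signatures.items():
            if pattern in payload:
                hits.append((src, name))
    return hits


def anomaly_alerts(traffic, port, window_s=2.0, baseline=5):
    """Flag every source that sends more than `baseline` packets to `port`
    inside any `window_s`-second sliding window. Payload is never inspected,
    so a brand-new worm is caught by its behaviour, not by a signature."""
    times_by_src = defaultdict(list)
    for t, src, dport, _ in traffic:
        if dport == port:
            times_by_src[src].append(t)

    flagged = []
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most window_s.
            while t - times[start] > window_s:
                start += 1
            if end - start + 1 > baseline:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("signature alerts before the signature exists:",
          len(signature_alerts(TRAFFIC, SIGNATURES_BEFORE)))
    print("signature alerts after the signature ships:",
          len(signature_alerts(TRAFFIC, SIGNATURES_AFTER)))
    print("rate-anomaly alerts with no signature at all:",
          anomaly_alerts(TRAFFIC, port=1434))
```

The rate check is deliberately crude: in practice the baseline would come from observed traffic per service and per host, and a low threshold on a busy lookup port would page people for legitimate bursts. The point it demonstrates is the one the post makes: the signature path yields zero alerts during the window that matters, while a behavioural check fires on the first few seconds of the burst.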

