RE: IDS, IPS or just rubbish

From: Fergus Brooks (fergusb_at_evolve-online.com)
Date: 06/26/03

  • Next message: Christian Kreibich: "Re: protocol method"
    To: <focus-ids@securityfocus.com>
    Date: Thu, 26 Jun 2003 15:18:30 +0800
    
    

    I too attended a partner event - unfortunately I only got to see the
    sales briefing and not the technical one. I left generally confused, but
    it did seem to me that they were talking about releasing new "patterns"
    for "pattern matching" via the web which the fw admin could add through
    a manual edit.

    If they have also built in some protocol decoding and anomaly detection
    then it sounds a lot like an IDS to me. Add to it the ability to block
    traffic at the enforcement module interface then it sounds like an IPS.
    I could imagine a lot of clients would go for this if it is an add-on
    for their existing implemented investment.

    But from what you're saying, James, it falls down in correlation? Also you
    hinted that it may not be easy to install?

    Can you tell me if it has the ability to send alerts out via
    LEA/ELA/OPSEC?

    And - for some levity - if Checkpoint releasing NG led Stonesoft to
    release Stonegate, I wonder what ISS' new firewall will be called?
    RealFirewall? (comes with your media player...) ReallySecure Firewall?
    (sounds Australian....)

    -----Original Message-----
    From: James Cutter [mailto:JamesCutter@thedoghousemail.com]
    Sent: Wednesday, 25 June 2003 6:19 PM
    To: focus-ids@securityfocus.com
    Subject: RE: IDS, IPS or just rubbish

    I was in one of their partner events as well. It looks to me like you
    misunderstood their point.

    They do not have many signatures. In fact, they do not claim to be a
    signature based company. They do claim to provide protection by
    understanding the protocols and applications.
    How many firewalls do you know that understand HTTP/1.1 (really
    understand, including the ability to catch different HTTP requests on
    the same connection, chunks, retransmissions, etc.)? How many firewalls
    are able to protect on day zero against double HTTP header attacks,
    WebDAV attacks, etc.?

    Even with the signatures that they do have, they perform aggressive
    matching against different encodings and regular expression matching.
    Adding the fact that they do IP fragment checks for all IP traffic (and
    not only port 80) and reassemble TCP streams, I think that they can be
    called intelligent. (And according to their claims, most of the work is
    done in the kernel, with an expected 3% performance loss. Even if I
    don't take this as they claim, it is better than any system I know.
    Believe me, I know.)

    I do think that they need to improve their configuration and
    documentation. Right now, fools cannot use their systems (without using
    us, the system integrators). It is too difficult. One should define
    resources, set different properties and so on. For the first time in
    several years, I think that my customers understand why Checkpoint
    claims to be superior. All I need to do is demonstrate HTTP 1.1
    penetration with other firewall systems.

    If I understand their vision, they are going further with non-signature
    policy.

    BTW, my customers are using their SQL Inspect fixes. They were able to
    operate while the worm was hitting them. How many other vendors offer
    this?

    I recommend that my customers keep using IDS. I think that there is a
    need for event correlation technology. Again, Checkpoint is not a
    signature company.

    Jack Ryan said:
    I went to the local product launch of Checkpoint FW-1 Next Generation
    *Artificial Intelligence* the other day and was interested to see that
    this technology is nothing more than a signature-based IDS that can pass
    stuff on to the firewall. Funnily enough they call it "Active Defense"
    which is the same name NAI used to describe Cybercop talking to Gauntlet
    before they dropped/sold the products.

    Checkpoint are pushing this patch to NG FP3 FW-1 as an all-in-one
    solution whereby you wouldn't need an IDS as well as a firewall. In Hong
    Kong they have over 70% of the firewall market - their market
    penetration is similar worldwide - in order to gain competitive
    advantage they are trying to crush the IDS/IPS market. Maybe they've
    been partying with Gartner.

    What's more they are lying through their teeth. I sat there and listened
    to them pull out terms like zero-day and protocol anomaly detection
    which is simply them jumping on the bandwagon of quality solutions. It
    is signature-based, and though Checkpoint will apparently notify you of
    any new threats you will still need to edit a text file so that the
    firewall knows what they are.

    Their big push is that they are doing application-layer stuff now which
    anyone who knows firewalls will know is what Sidewinder, Gauntlet and
    Axent (Symantec) have been doing for years. FW-1 is a stateful packet
    filter - and probably the best there is in terms of enterprise
    management. However they are not analysing traffic at the application
    layer aside from a handful of signatures. They were saying that FW-1 NG
    AI is the only gateway solution of its kind. Symantec have had
    signature-based IDS combined with the *real* layer 7 Raptor firewall in
    their SGS box for ages. (performance aside.........)

    They kept telling me about SQL Slammer and how this solution will stop
    it. What utter crap. Can anyone on this list tell me of a
    signature-based IDS which picked Slammer up in the 2-odd hours it needed
    to propagate?

    There has been a lot of discussion here about the future of IDS - I
    think I've seen Checkpoint's vision....... Treat us all like fools.

    Zero-day detection my ****.

    -------------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out.
    www.blackhat.com
    -------------------------------------------------------------------------------
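Added example, not code from the original thread and not from Check Point or any other vendor named in it: a small HTTP/1.1 stream inspector in Python that illustrates the point argued above about catching different HTTP requests on the same connection, chunked bodies and TCP stream reassembly, placed beside the per-packet byte grep that the "just pattern matching" criticism assumes. The signature string, the hostnames and every byte of traffic are constructed for the example; the segments are assumed to arrive in order, so no out-of-order or overlapping TCP handling is shown.

```python
"""
Added example (not from the original thread or any vendor in it): an
HTTP/1.1 stream inspector that reassembles in-order TCP segments, splits
pipelined requests on one connection, percent-decodes the request target
and decodes chunked bodies, then matches a signature against each decoded
request. grep_segments() is the per-packet grep shown for comparison.
All traffic below is constructed for the example.
"""
from urllib.parse import unquote_to_bytes

# Hypothetical signature an inspection engine is looking for.
SIGNATURE = b"/cgi-bin/evil"


def grep_segments(segments):
    """Per-packet matching: indices of raw segments that contain SIGNATURE."""
    return [i for i, seg in enumerate(segments) if SIGNATURE in seg]


def _decode_chunked(stream, pos):
    """Decode a chunked body starting at pos.
    Returns (body, end_of_message) or (None, pos) if more data is needed."""
    body = b""
    while True:
        nl = stream.find(b"\r\n", pos)
        if nl == -1:
            return None, pos
        size = int(stream[pos:nl].split(b";")[0].strip(), 16)  # chunk-ext ignored
        pos = nl + 2
        if size == 0:
            # last-chunk: optional trailer fields, then an empty line
            end = stream.find(b"\r\n\r\n", pos - 2)
            return (body, end + 4) if end != -1 else (None, pos)
        if len(stream) < pos + size + 2:
            return None, pos
        if stream[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("malformed chunk framing")
        body += stream[pos:pos + size]
        pos += size + 2


def parse_http_stream(stream):
    """Split a reassembled client->server byte stream into requests.

    Returns a list of (method, target, headers, body); target is
    percent-decoded. Parsing stops at an incomplete request so the caller
    can buffer more segments and retry.
    """
    requests = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = stream[pos:end].split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) != 3:
            raise ValueError("malformed request line: %r" % lines[0])
        method, target = parts[0], unquote_to_bytes(parts[1])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            name = name.strip().lower()
            if name in headers:
                # Duplicate names are parsed differently by different
                # endpoints; reject rather than silently pick one.
                raise ValueError("duplicate header: %r" % name)
            headers[name] = value.strip()
        body_start = end + 4
        # Transfer-Encoding takes precedence over Content-Length (RFC 7230 3.3.3).
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, pos = _decode_chunked(stream, body_start)
            if body is None:
                break
        else:
            length = int(headers.get(b"content-length", b"0"))
            body = stream[body_start:body_start + length]
            if len(body) < length:
                break
            pos = body_start + length
        requests.append((method, target, headers, body))
    return requests


def inspect_stream(segments):
    """Reassemble in-order segments and return the 1-based index of every
    request whose decoded target or body contains SIGNATURE."""
    stream = b"".join(segments)
    return [i for i, (_, target, _, body) in enumerate(parse_http_stream(stream), 1)
            if SIGNATURE in target or SIGNATURE in body]


# Constructed traffic: one list of TCP segments per connection.
SPLIT_ACROSS_SEGMENTS = [b"GET /cgi-b", b"in/evil HTTP/1.1\r\nHost: a\r\n\r\n"]
PIPELINED_AND_ENCODED = [b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"
                         b"GET /cgi-bin/%65vil HTTP/1.1\r\nHost: a\r\n\r\n"]
CHUNKED_BODY = [b"POST /upload HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"5\r\n/cgi-\r\n8\r\nbin/evil\r\n0\r\n\r\n"]

if __name__ == "__main__":
    for name, segs in [("split", SPLIT_ACROSS_SEGMENTS),
                       ("pipelined", PIPELINED_AND_ENCODED),
                       ("chunked", CHUNKED_BODY)]:
        print(name, "grep:", grep_segments(segs), "stream:", inspect_stream(segs))
```

Run as a script, the grep reports no hit on any of the three connections, while the stream inspector finds the signature in request 1 of the first connection, request 2 of the pipelined connection and in the reassembled body of the chunked POST. Whether a given product does this work in the kernel at a 3% cost, as claimed above, is not something this example can settle; it only shows what the decoding has to do before a signature is worth anything.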
    
