RE: IPS comparison

From: Seek Knowledge (aseeker03_at_yahoo.com)
Date: 08/31/05

Next message: Seek Knowledge: "Re: NADS ( was RE: IPS comparison)"

Previous message: Adam Powers: "Re: IPS comparison"
In reply to: Joseph Hamm: "RE: IPS comparison"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 30 Aug 2005 23:58:27 +0100 (BST)
To: Joseph Hamm <jhamm@lancope.com>, Stefano Zanero <s.zanero@securenetwork.it>, Daniel Cid <danielcid@yahoo.com.br>, Focus-Ids Mailing List <focus-ids@securityfocus.com>

IMHO comparing pure play havior detection to IPS is
like comparing apples and oranges.

NADS appears to be more similar to the old sniffer
technology with the added feature of /possibly/ giving
better clues as to the cause of the anomaly from a
security perspective whereas the old Network General
style explains from network problem perspective.

Protocol anomaly at least looks more promising in the
IPS space as the action capability is there. In my
experience, it definitely takes time baselining... but
once baslined, it could be a valuable tool (again when
the action component - read IPS - is added).

That whole Gartner prophecy of "IDS is dead" was
referring to the idea that detection by itself is just
not enough. Maybe behavior detection (NADS) might be
good for forensics... but I'll take IPS wherever I can
get it thank you. If one can't afford IPS... then I
guess going the forensics only route is better than
nothing. But even then, pure-play behavior-based
solutions leaves the gap of not detecting known bad
stuff.

btw... even Lancope has signatures (however outdated
they may be)... so even Lancope realizes the value of
signatures in the security tool box.

Regards,
Hassan Karim, CISSP

--- Joseph Hamm <jhamm@lancope.com> wrote:

> >Fact is, anomaly detection is so rare that it's
> almost unexistant in
> the commercial products, except for limited forms
> >of "protocol anomaly detection" and for Arbor's
> peakflow technology.
>
> Not true! The only reason this space hasn't gotten
> as much attention
> over the last few years is cause everyone was busy
> buying signature IDS
> and now IPS solutions.
>
> Pure Network Anomaly Detection players:
> Arbor
> Lancope
> Mazu
> Q1 Labs
> (All of these have been around for several years
> despite the lack of
> industry attention to this space. Am I missing any
> new ones?)
>
> Also, for a recent article on network anomaly
> detection systems (NADS),
> check out this month's Information Security Magazine
> (cover story). The
> NADS space (this is only the latest acronym used to
> describe this group
> of products), is starting to get more attention and
> press coverage. You
> will also find some articles that call these
> products NBAD (Network
> Behavior Anomaly Detection) solutions.
>
> Many security companies can detect "anomalies" in
> some form. Almost
> every security vendor has the word "anomaly" in
> their marketing
> literature. You need to understand what they mean
> by an "anomaly" and
> how they detect them.
>
> "protocol anomaly detection" and "network anomaly
> detection" are two
> different things although detecting network
> anomalies can include
> protocol anomalies as well. An IPS is a point
> solution, usually has
> limited network visibility (unless you spend a
> fortune and deploy them
> everywhere), and can only perform protocol anomaly
> detection (from what
> I've seen). In order to have the best NADS, you
> need complete network
> visibility and an understanding of what is "normal"
> on your network.
>
> Rolling out NADS generally requires less appliances
> than IPS (read less
> cost) because one box can gather network info from
> multiple SPAN ports,
> network taps, or get NetFlow/sFlow feeds from remote
> routers/switches.
>
> Kind regards,
> Joe
>
> Joe Hamm, CISSP
> Senior Security Engineer
> Lancope, Inc.
> jhamm@lancope.com
> 404.644.7227 (cell)
> 770.225.6509 (fax)
>
> Lancope - Security through Network Intelligence(tm)
> StealthWatch(tm) by Lancope, a next-generation
> network security
> solution, delivers behavior-based intrusion
> detection, policy
> enforcement and insightful network analysis. Visit
> www.lancope.com.
>
>
> -----Original Message-----
> From: Stefano Zanero
> [mailto:s.zanero@securenetwork.it]
> Sent: Monday, August 29, 2005 6:01 PM
> To: Daniel Cid; Focus-Ids Mailing List
> Subject: Re: IPS comparison
>
> Daniel Cid wrote:
> > This "anomaly" detection will only detect 0-day
> exploits for known
> > vulnerabilities.
>
> A zero-day exploit is a curious marketing thing. You
> suddenly redefine a
> difficult problem (catching zero-days) as a rather
> simpler problem
> (create signatures that actually describe the
> vulnerability, which is
> what any signature worth your licensing cost should
> do).
>
> So, presto!, you can rush up and put out some rather
> nice marketing
> material on it.
>
> Fact is, anomaly detection is so rare that it's
> almost unexistant in the
> commercial products, except for limited forms of
> "protocol anomaly
> detection" and for Arbor's peakflow technology.
>
> Best,
> Stefano Zanero
> ---------------------------
> Secure Network S.r.l.
> www.securenetwork.it
>
>
------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with
> real-world attacks from
> CORE IMPACT.
> Go to
>
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
>
------------------------------------------------------------------------
>
>
>
------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
>
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
>
------------------------------------------------------------------------
>
>

Send instant messages to your online friends http://uk.messenger.yahoo.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

Next message: Seek Knowledge: "Re: NADS ( was RE: IPS comparison)"

Previous message: Adam Powers: "Re: IPS comparison"
In reply to: Joseph Hamm: "RE: IPS comparison"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

NADS ( was RE: IPS comparison)
... One thing that does bother me is how IPS has been ... great at the perimeter or other "choke points" in the network. ... NADS gives much of the value of traditional network ... that detection by itself is just not enough. ...
(Focus-IDS)
Re: Changes in IDS Companies?
... I think that the intrusion prevention space will probably endup ... just like the detection space is. ... > Network intrusion prevention systems are also relatively untested and ... > complete lack of discussion about the downsides of such technologies. ...
(Focus-IDS)
RE: Changes in IDS Companies?
... It does intrusion detection with alerting and pattern matching ... IDS is down...but at least your network isn't, ... ::: mode being rolled into Snort) are both good technologies ...
(Focus-IDS)
A Network IPS Proposal (was Definition of Zero Day Protection)
... I did a research on Network IPS a while back when the ... > api gating layers and are continuing to greatly ... > implementations have detection properties for zero ... > day attacks. ...
(Focus-IDS)
RE: Active response... some thoughts.
... signatures and protocol anomaly detections among others. ... of the detection methods it also does all of things expected of a modern IDS ... I agree that this is an optimal method of detecting anomalies based on ... The IDP also does this type of anomaly detection and the specific parameters ...
(Focus-IDS)