RE: Useful NADS

From: Andrew Plato (andrew.plato_at_anitian.com)
Date: 09/01/05

Date: Thu, 1 Sep 2005 10:09:24 -0700
To: "Adam Powers" <apowers@lancope.com>, "Focus-Ids Mailing List" <focus-ids@securityfocus.com>

    > IPSs simply can't be deployed everywhere.
    > How many organizations have you seen in which
    > an IPS is placed at every location in which a Cisco
    > router exists? NADS deployed with NetFlow gives the IT
    > admin the ability to virtually inspect traffic at MANY
    > locations throughout the network at once without the
    > need for expensive inline hardware.

    > NADS is completely complementary to existing IPS technologies.
    > They operate in very different ways and solve a different kind of
    > problem.

    Well, there are some IPSs that I would feel confident deploying
    everywhere, but that gets into a sales pitch and I won't torture the
    group with that. However, I agree that there are a lot of products being
    marketed as an IPS that are not reliable enough to deploy at every
    routing point.

    The real reason IPS (or your product for that matter) cannot be deployed
    everywhere is because most organizations do not have an unlimited
    supply of cash to spend on boxes filled with wires. If you know of any
    that do have an unlimited supply of cash - by all means, send them my
    way. I have plenty of boxes filled with wires I can sell them.

    Smart organizations that practice good risk management are looking to
    reduce the maximum number of risks for the least expenditure of cash. As
    such, YABOW (yet another box of wires) sitting on the network offering
    the POSSIBILITY of risk reduction is not as valuable as YABOW that
    offers ACTUAL risk reduction.

    Furthermore, network insight is only useful if you can DO something with
    all that insight. I give a presentation called the Myths of Information
    Security. Myth #6 is "Awareness is Not Security." Being aware (or
    insightful) about a problem doesn't mean the problem goes away. You have
    to ACT on that. Without the ability to act, knowing there is a problem
    just makes things miserable. Thus, when deploying YABOW, organizations
    must be prepared to handle the data that comes from such a system.
    Otherwise, no point in even having it.

    This is why I say NADS is a marginally interesting product. Mixed with
    an IPS that can detect and block known attacks, then I can see the
    value. But a stand-alone NADS probably isn't the best investment for
    most organizations. It would be better to focus on a solid IPS product
    or better VLAN ACLs.

    Now, that much said, I do not have a lot of experience with Lancope's
    technologies. So, my opinions are not an attempt to discredit your
    specific technology. I am not qualified to do that. Merely I am sharing
    some high-level thoughts on the concept of NADS.

    And stop giggling at my NADS!

    _____________________________________
    Andrew Plato, CISSP
    President/Principal Consultant
    ANITIAN ENTERPRISE SECURITY

    3800 SW Cedar Hills Blvd, Suite 280
    Beaverton, OR 97005
    503-644-5656 Office
    503-214-8069 Fax
    503-201-0821 Mobile
    www.anitian.com
    _____________________________________

    GPG public key available at: http://www.anitian.com/corp/keys.htm

     


