Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor

From: Joel Esler (eslerj_at_gmail.com)
Date: 10/18/05

    Date: Tue, 18 Oct 2005 12:52:53 -0400
    To: Tim Holman <tim_holman@hotmail.com>
    
    

    Sourcefire's IS3000 is an IPS if employed in that mode.

    Joel

    On Oct 13, 2005, at 7:31 AM, Tim Holman wrote:

    > Hi Jonathan,
    >
    > Wouldn't you rather block bad traffic, rather than detect it?
    > Most companies are moving away from IDS as a protection mechanism,
    > because:
    >
    > 1) It only detects, and doesn't effectively block intrusions
    > 2) Problems with false positives, as by using pattern matching
    > signatures, there is always a chance that these patterns also
    > appear in valid traffic
    > 3) Management overheads. An IDS can only be a reasonably
    > effective prevention method if there is someone on hand 24/7 to
    > monitor logs and take immediate action on intrusions. Even then,
    > the intrusion has got in, as admins very rarely use the active
    > blocking features of an IDS (namely sending RST packets to kill
    > connections, or modifying upstream ACLs), as these are too likely
    > to have an effect on valid traffic
    > 4) There is absolutely no protection for rate-based attacks (SYN,
    > TCP, UDP floods)
    > 5) Without maintaining a L3/4 connection/state table, there is no
    > way an IDS can be truly stateful. 100% statefulness means that
    > everything from the initial SYN to the final RST/FIN packet of a
    > connection is stored in a connection table. This requires the
    > device to be INLINE, and operating at L3. This is the only way a
    > protection device can provide effective defence against L3
    > attacks. An offline IDS cannot do this.
    >
    > I would recommend looking at IPS products instead, so something
    > that you can position inline and get immediate value from.
    > If you feel the Cisco IDS is getting a little tired, then an IPS
    > will also help take the load off it, by getting rid of Internet
    > white noise, providing additional firewall filtering, and also
    > defence against rate-based attacks.
    > A true IPS will focus on defining what is GOOD traffic, and
    > assuming all else is BAD (and dropping it). By doing this, zero-
    > day attacks can virtually be eliminated, as they all ultimately
    > rely on abuse of a valid protocol in the hope of slipping past your
    > protection mechanisms and onto your network.
    > This works quite well in conjunction with an IDS, that focuses on
    > searching traffic for badness.
    > Replacing like for like (IDS for IDS) is not going to give you much
    > value, and even the market analysts are recommending against it.
    > IDS isn't dead. Far off it, but use it for what it's good for -
    > DETECTION and FORENSICS, and not as a device that can insure your
    > network against rate-based and zero-day attacks.
    >
    > Regards,
    >
    > Tim
    >
    >
    >
    > ----- Original Message ----- From: "Jonathan Gauntt"
    > <jon0966@yahoo.com>
    > To: <focus-ids@securityfocus.com>
    > Sent: Wednesday, October 12, 2005 5:57 PM
    > Subject: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor
    >
    >
    >
    >> Hi,
    >>
    >> We are currently running a Cisco IDS 4250 that monitors our internal
    >> traffic. We essentially use this device for historical reporting because
    >> we are a medical oriented facility with at least 100 3rd party
    >> connections to us besides the 8000 employees.
    >>
    >> I am considering upgrading the Cisco IDS 4250 to the XL to handle higher
    >> throughput but have been evaluating the Sourcefire IS300 and their RNA
    >> sensor.
    >>
    >> I have the ability to purchase the Sourcefire unit or upgrade the 4250.
    >>
    >> Sourcefire claims that they are superior with stateful IDS inspection
    >> and an overall better product.
    >>
    >> Does anyone have any thoughts on these two products? I have about $100k
    >> in my budget to spend.
    >>
    >> Thanks,
    >>
    >>
    >> Jonathan
    >>
    >

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------

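Tim's points 4 and 5 (rate-based attacks, and statefulness meaning that a flow is tracked from the first SYN to the final FIN/RST in a connection table) can both be shown with a small connection tracker. The code below is an added example written for this archive page; it is not code from any poster, from Cisco, or from Sourcefire. The packet records, the addresses, the three-SYNs-in-one-second threshold and the single-letter flag strings are all constructed simplifications of real TCP headers, chosen so the example runs offline.

```python
"""Minimal stateful TCP connection table (added example, constructed data).

Each flow is followed SYN -> SYN/ACK -> ACK -> data -> FIN -> FIN, the way an
inline L3/4 device would. Two things fall out of keeping that state:
  * a packet with no handshake on record is recognised as orphaned, which a
    signature-only sensor inspecting packets in isolation cannot see;
  * unanswered SYNs per server can be counted in a time window, which is the
    basic half-open-connection signal for a SYN flood.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since trace start
    src: str     # "ip:port"
    dst: str     # "ip:port"
    flags: str   # simplified TCP flags: "S", "SA", "A", "FA", "R"


class ConnectionTable:
    def __init__(self, syn_threshold: int = 3, syn_window: float = 1.0):
        self.flows = {}                          # flow key -> state record
        self.pending_syns = defaultdict(deque)   # server -> unanswered SYN times
        self.alerts = []                         # (ts, reason, src, dst)
        self.syn_threshold = syn_threshold
        self.syn_window = syn_window

    @staticmethod
    def _key(pkt):
        # Both directions of one connection share a single table entry.
        return tuple(sorted((pkt.src, pkt.dst)))

    def _forget_syn(self, flow):
        q = self.pending_syns[flow["server"]]
        if flow["syn_ts"] in q:
            q.remove(flow["syn_ts"])

    def process(self, pkt: Packet) -> str:
        key = self._key(pkt)
        flow = self.flows.get(key)
        f = pkt.flags

        if "R" in f:                              # reset tears the flow down
            if flow is None:
                self.alerts.append((pkt.ts, "RST for unknown flow", pkt.src, pkt.dst))
            else:
                self._forget_syn(flow)
                del self.flows[key]
            return "CLOSED"

        if f == "S":                              # new half-open connection
            self.flows[key] = {"state": "SYN_SENT", "server": pkt.dst, "syn_ts": pkt.ts}
            q = self.pending_syns[pkt.dst]
            q.append(pkt.ts)
            while q and pkt.ts - q[0] > self.syn_window:   # slide the window
                q.popleft()
            if len(q) == self.syn_threshold:      # alert once when crossing the line
                self.alerts.append((pkt.ts, "possible SYN flood", pkt.src, pkt.dst))
            return "SYN_SENT"

        if flow is None:                          # mid-stream packet, no handshake seen
            self.alerts.append((pkt.ts, "packet outside any tracked connection", pkt.src, pkt.dst))
            return "UNTRACKED"

        state = flow["state"]
        if state == "SYN_SENT" and f == "SA" and pkt.src == flow["server"]:
            flow["state"] = "SYN_RECEIVED"
            return "SYN_RECEIVED"
        if state == "SYN_RECEIVED" and "A" in f and pkt.src != flow["server"]:
            flow["state"] = state = "ESTABLISHED"  # handshake completed
            self._forget_syn(flow)                 # no longer half-open
        if "F" in f:
            if state == "FIN_WAIT":                # second FIN: connection is done
                del self.flows[key]
                return "CLOSED"
            flow["state"] = "FIN_WAIT"
            return "FIN_WAIT"
        return flow["state"]


# Constructed trace: one clean connection, one orphaned ACK, one burst of SYNs
# from different sources that never complete the handshake.
CLIENT, SERVER = "10.0.0.5:40000", "10.0.0.80:80"
NORMAL = [Packet(0.00, CLIENT, SERVER, "S"), Packet(0.01, SERVER, CLIENT, "SA"),
          Packet(0.02, CLIENT, SERVER, "A"), Packet(0.10, CLIENT, SERVER, "A"),
          Packet(0.12, SERVER, CLIENT, "A"), Packet(0.20, CLIENT, SERVER, "FA"),
          Packet(0.21, SERVER, CLIENT, "FA")]
ORPHAN = [Packet(1.0, "10.0.0.9:5555", SERVER, "A")]
FLOOD = [Packet(2.0 + i * 0.1, f"192.0.2.{i}:1234", SERVER, "S") for i in range(4)]


def run_trace(packets):
    table = ConnectionTable()
    for p in packets:
        table.process(p)
    return table


def demo():
    """Reasons for every alert raised over the full constructed trace."""
    return [reason for _, reason, _, _ in run_trace(NORMAL + ORPHAN + FLOOD).alerts]


if __name__ == "__main__":
    for alert in run_trace(NORMAL + ORPHAN + FLOOD).alerts:
        print(alert)
```

The clean connection leaves the table empty and raises nothing; the stray ACK is reported because no SYN for that pair was ever seen; the third unanswered SYN within the window trips the flood alert. Real sensors add sequence-number checking, timeouts for abandoned half-open entries and memory limits on the table, which is exactly the "management overhead" of running inline that the thread argues about.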