Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor
From: Joel Esler (eslerj_at_gmail.com)
Date: 10/18/05
- Previous message: Jason Haar: "Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor"
- In reply to: Tim Holman: "Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor"
- Next in thread: Teemu Schaabl: "Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 18 Oct 2005 12:52:53 -0400
To: Tim Holman <tim_holman@hotmail.com>
Sourcefire's IS3000 is an IPS if employed in that mode.
Joel
On Oct 13, 2005, at 7:31 AM, Tim Holman wrote:
> Hi Jonathan,
>
> Wouldn't you rather block bad traffic, rather than detect it?
> Most companies are moving away from IDS as a protection mechanism,
> because:
>
> 1) It only detects, and doesn't effectively block intrusions
> 2) Problems with false positives, as by using pattern matching
> signatures, there is always a chance that these patterns also
> appear in valid traffic
> 3) Management overheads. An IDS can only be a reasonably
> effective prevention method if there is someone on hand 24/7 to
> monitor logs and take immediate action on intrusions. Even then,
> the intrusion has got in, as admins very rarely use the active
> blocking features of an IDS (namely sending RST packets to kill
> connections, or modifying upstream ACLs), as these are too likely
> to have an effect on valid traffic
> 4) There is absolutely no protection for rate-based attacks (SYN,
> TCP, UDP floods)
> 5) Without maintaining a L3/4 connection/state table, there is no
> way an IDS can be truly stateful. 100% statefulness means that
> everything from the initial SYN to the final RST/FIN packet of a
> connection is stored in a connection table. This requires the
> device to be INLINE, and operating at L3. This is the only way a
> protection device can provide effective defence against L3
> attacks. An offline IDS cannot do this.
>
> I would recommend looking at IPS products instead, something
> that you can position inline and get immediate value from.
> If you feel the Cisco IDS is getting a little tired, then an IPS
> will also help take the load off it, by getting rid of Internet
> white noise, providing additional firewall filtering, and also
> defence against rate-based attacks.
> A true IPS will focus on defining what is GOOD traffic, and
> assuming all else is BAD (and dropping it). By doing this, zero-day
> attacks can virtually be eliminated, as they all ultimately
> rely on abuse of a valid protocol in the hope of slipping past your
> protection mechanisms and onto your network.
> This works quite well in conjunction with an IDS, that focuses on
> searching traffic for badness.
> Replacing like for like (IDS for IDS) is not going to give you much
> value, and even the market analysts are recommending against it.
> IDS isn't dead. Far from it, but use it for what it's good for -
> DETECTION and FORENSICS, and not as a device that can insure your
> network against rate-based and zero-day attacks.
>
> Regards,
>
> Tim
>
>
>
> ----- Original Message -----
> From: "Jonathan Gauntt" <jon0966@yahoo.com>
> To: <focus-ids@securityfocus.com>
> Sent: Wednesday, October 12, 2005 5:57 PM
> Subject: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor
>
>
>
>> Hi,
>>
>> We are currently running a Cisco IDS 4250 that monitors our internal
>> traffic. We essentially use this device for historical reporting because
>> we are a medical-oriented facility with at least 100 3rd party
>> connections to us besides the 8000 employees.
>>
>> I am considering upgrading the Cisco IDS 4250 to the XL to handle higher
>> throughput but have been evaluating the Sourcefire IS300 and their RNA
>> sensor.
>>
>> I have the ability to purchase the Sourcefire unit or upgrade the 4250.
>>
>> Sourcefire claims that they are superior with stateful IDS inspection
>> and an overall better product.
>>
>> Does anyone have any thoughts on these two products? I have about $100k
>> in my budget to spend.
>>
>> Thanks,
>>
>>
>> Jonathan
>>
>>
>>
>> ------------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly?
>> Find out quickly and easily by testing it
>> with real-world attacks from CORE IMPACT.
>> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>> to learn more.
>> ------------------------------------------------------------------------
>>
>>
>
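Tim's points 4 and 5 above describe what an inline connection table buys a sensor. The following is an added example, not code from this thread or from either vendor's product: a toy connection table that tracks each TCP flow from SYN to FIN/RST, drops a mid-stream packet that has no live entry, and flags a burst of half-open connections to one host as a SYN flood. The packet tuple shape, the thresholds and the 10.0.x.x addresses are constructed for the demonstration, and only the client-to-server direction is modelled.

```python
from dataclasses import dataclass
# Constructed packet shape: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags).
# Only the client-to-server direction is modelled, to keep the table small.
@dataclass
class Conn:
    state: str      # "SYN_SENT" (half-open), "ESTABLISHED" or "CLOSED"
    opened: float

class InlineConnTable:
    """Tracks every connection from the first SYN to the final FIN/RST."""
    def __init__(self, half_open_limit=3, window=1.0):
        self.conns = {}                  # (src, dst, dport) -> Conn
        self.half_open_limit = half_open_limit
        self.window = window             # seconds
        self.alerts = []                 # (time, dst, half_open_count)

    def process(self, pkt):
        """Return 'ALLOW' or 'DROP' for one packet, updating the table."""
        ts, src, dst, dport, flags = pkt
        key = (src, dst, dport)
        conn = self.conns.get(key)
        if flags == "SYN":
            self.conns[key] = Conn("SYN_SENT", ts)   # new half-open entry
            self._check_half_open(ts, dst)
            return "ALLOW"
        if conn is None or conn.state == "CLOSED":
            return "DROP"   # mid-stream packet with no live entry to attach to
        if flags == "ACK" and conn.state == "SYN_SENT":
            conn.state = "ESTABLISHED"   # handshake completed
        elif flags in ("FIN", "RST"):
            conn.state = "CLOSED"        # connection torn down
        return "ALLOW"

    def _check_half_open(self, now, dst):
        # Rate-based check: many half-open connections to one host inside
        # the window is the SYN-flood pattern a per-packet matcher misses.
        pending = sum(1 for (_s, d, _p), c in self.conns.items()
                      if d == dst and c.state == "SYN_SENT"
                      and now - c.opened <= self.window)
        if pending > self.half_open_limit:
            self.alerts.append((now, dst, pending))

# Constructed traffic: a clean handshake and close, a stray ACK, a SYN burst.
SAMPLE = [
    (0.0, "10.0.0.5", "10.0.1.20", 443, "SYN"),
    (0.1, "10.0.0.5", "10.0.1.20", 443, "ACK"),
    (0.5, "10.0.0.5", "10.0.1.20", 443, "FIN"),
    (0.6, "10.0.0.9", "10.0.1.20", 443, "ACK"),   # no connection -> DROP
] + [(1.0 + i * 0.01, f"10.0.2.{i}", "10.0.1.20", 80, "SYN") for i in range(5)]
```

Feeding SAMPLE through `InlineConnTable().process` yields ALLOW for the handshake, DROP for the stray ACK, and two alerts once the fourth and fifth half-open connections to 10.0.1.20 arrive inside the window.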