IDS mailing list archives

Re: Recent anti-NIDS Gartner article


From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
Date: Wed, 18 Jun 2003 11:04:46 -0700

After seeing this article, I got several requests on what I think about this
article (press release) and the applicability of IDSes in different
market segments. So, I thought I would expand on my previous email.

IDSes which sniff or tap the network have several disadvantages:
- They might miss detection of exploits/attacks/intrusions.
- There are too many ways to bypass detection.
- They need expensive hardware for good performance and detection rate.
Due to this, these might not survive in the SOHO and SME market segments.

But I feel inline IDSes are a good bet for the SOHO and SME segments, and
since all the traffic passes through them, there is no issue of missing
packets or data. I also think that when enhanced with protection (dropping
packets or connections) capability, they are more attractive to this
market segment. Today, IDSes can be configured to inform the firewall, but
I don't think anybody seriously thinks that this solves all the problems.
Having protection capability within the IDS provides more control or
more accurate protection.

My opinion is that 'tap or sniff IDSes' may not survive much longer (except
in some minor market segments) and will probably be replaced
with inline IDSes or inline IDS/IPSes.

Srini
Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
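The difference Srini draws between a tap/sniff sensor that "informs the firewall" and an inline sensor that drops the packet itself can be made concrete with a small simulation. The following is an added illustration, not code from the original post or from Intoto: the hosts, the three-packet attack, the byte-pattern signature and the "sensor capacity" knob (which stands in for an oversubscribed tap that silently misses copies) are all constructed for the example.

```python
"""Constructed comparison of a passive (tap/span) sensor and an inline sensor.

Both sensors use the same toy signature.  The passive one only sees a copy of
each packet after the wire has already delivered it, so the best it can do is
ask the firewall to block the source for later packets.  The inline one sits in
the forwarding path and drops the matching packet before the server sees it.
All hosts, payloads and the signature are invented for this example.
"""
from dataclasses import dataclass, field

# Toy signature: this byte pattern marks the "exploit" payload in the example.
SIGNATURE = b"/bin/sh"


@dataclass
class Packet:
    seq: int
    src: str
    dst: str
    payload: bytes


@dataclass
class Server:
    received: list = field(default_factory=list)


def attack_stream():
    """Constructed three-packet attack: request, overflow with payload, follow-up."""
    return [
        Packet(1, "10.0.0.9", "192.0.2.10", b"GET /cgi-bin/x HTTP/1.0\r\n"),
        Packet(2, "10.0.0.9", "192.0.2.10", b"A" * 32 + b"/bin/sh\x00"),
        Packet(3, "10.0.0.9", "192.0.2.10", b"id; uname -a\r\n"),
    ]


def passive_sensor(packets, sensor_capacity=None):
    """Tap/span deployment.

    Every packet reaches the server; the sensor inspects a copy afterwards and,
    on a match, asks the firewall to block the source.  That block only applies
    to packets that arrive later.  sensor_capacity (assumed knob) models a tap
    that can only hand the sensor the first N copies; the rest are never seen.
    """
    server, blocked, alerts = Server(), set(), []
    for i, pkt in enumerate(packets):
        if pkt.src in blocked:
            continue                       # firewall rule from an earlier alert
        server.received.append(pkt)        # the wire delivers first ...
        copy_seen = sensor_capacity is None or i < sensor_capacity
        if copy_seen and SIGNATURE in pkt.payload:   # ... then the sensor looks
            alerts.append(pkt.seq)
            blocked.add(pkt.src)           # "inform the firewall"
    return server, alerts


def inline_sensor(packets):
    """Inline deployment: the sensor forwards or drops each packet itself."""
    server, blocked, alerts = Server(), set(), []
    for pkt in packets:
        if pkt.src in blocked:
            continue
        if SIGNATURE in pkt.payload:
            alerts.append(pkt.seq)
            blocked.add(pkt.src)
            continue                       # dropped before the server sees it
        server.received.append(pkt)
    return server, alerts


def exploit_delivered(server):
    """Did the payload carrying the signature reach the server?"""
    return any(SIGNATURE in p.payload for p in server.received)


if __name__ == "__main__":
    for name, (srv, alerts) in {
        "passive":        passive_sensor(attack_stream()),
        "passive, tap drops after 1": passive_sensor(attack_stream(), 1),
        "inline":         inline_sensor(attack_stream()),
    }.items():
        print(f"{name:28s} alerts={alerts} delivered={exploit_delivered(srv)}")
```

In the passive case the alert fires on packet 2 and the firewall block stops packet 3, but packet 2, the one carrying the payload, has already been delivered; with the tap oversubscribed there is no alert at all. The inline sensor raises the same alert and the payload never arrives.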
----- Original Message ----- 
From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
To: <focus-ids () securityfocus com>
Sent: Tuesday, June 17, 2003 8:32 PM
Subject: Recent anti-NIDS Gartner article


One of the primary goals of IDSes (inline or otherwise) is to detect
the intention of intrusions. Yes, it is true that firewalls with
application intelligence protect the servers and infrastructure, and
they are needed as part of a comprehensive security solution.

I understand from the report that more resources in the IS department
are required to analyze the attacks. It is also true that today IDSes
generate too many logs which turn out to be either false positives
or logs that are not applicable to that environment. Unless these
problems are fixed, IDSes will die out over time.

IDS technology has greatly improved in recent times, with more and
more IDS products coming out with application intelligence. These
reduce the false positives. But the other problem that needs to be fixed
is specific to the deployment environment. IDSes should be
flexible enough to be tuned by the users, such as deletion of unwanted
signature rules, modification of signature rules, setting up typical
characteristics of traffic, etc. This might
sound like a need for IT resources, but the effort it takes to analyze
unwanted logs is significantly higher.


Thank you for your time.
Srini
Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
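The three kinds of tuning named above (deleting unwanted rules, modifying rules, and describing the typical traffic of the environment) are easier to weigh against the "more IS resources" objection with a concrete before/after. The following is an added example and not the original author's or any vendor's code or rule format: the rule ids, regex patterns, hosts and five sample events are all constructed, and the tuning knobs (disable a rule, change a rule's destination ports, list authorised scanner hosts as a traffic baseline) are assumptions chosen to match the three items in the text.

```python
"""Constructed toy signature engine to show the effect of user tuning.

Rules are (id, regex, destination ports); a Baseline records typical traffic
characteristics of the site, here only the hosts of an authorised scanner.
The same events are run before and after tuning and the alert lists compared.
All rule ids, patterns, hosts and events are invented for this example.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Rule:
    rid: int
    name: str
    pattern: str                           # regex applied to the payload text
    dst_ports: Optional[frozenset] = None  # None = any destination port
    enabled: bool = True


@dataclass
class Event:
    src: str
    dst: str
    dst_port: int
    payload: str


@dataclass
class Baseline:
    """Typical traffic characteristics the operator knows about."""
    scanners: frozenset = frozenset()      # hosts allowed to look like attackers


def default_rules():
    return [
        Rule(1001, "web directory traversal", r"\.\./\.\./", frozenset({80})),
        Rule(1002, "shell path in payload", r"/bin/sh"),
        Rule(1003, "unix 'ps' in payload", r"\bps\b"),   # noisy in this site
    ]


def sample_events():
    """Constructed events: two real traversal attempts (one on a web server
    that listens on 8080), an admin's telnet session, the site's own
    vulnerability scanner, and a real shell-path payload."""
    return [
        Event("198.51.100.7", "192.0.2.10", 80, "GET /cgi-bin/../../etc/passwd"),
        Event("198.51.100.7", "192.0.2.11", 8080, "GET /../../etc/passwd"),
        Event("10.0.0.5", "10.0.0.20", 23, "ps -ef"),
        Event("10.0.0.99", "192.0.2.10", 80, "GET /cgi-bin/../../etc/passwd"),
        Event("198.51.100.7", "192.0.2.10", 80, "POST /bin/sh"),
    ]


def run(rules, events, baseline=None):
    """Return (rule id, src, dst) for every rule that fires on every event,
    skipping events from hosts the baseline marks as authorised scanners."""
    alerts = []
    for ev in events:
        if baseline is not None and ev.src in baseline.scanners:
            continue
        for r in rules:
            if not r.enabled:
                continue
            if r.dst_ports is not None and ev.dst_port not in r.dst_ports:
                continue
            if re.search(r.pattern, ev.payload):
                alerts.append((r.rid, ev.src, ev.dst))
    return alerts


def tune(rules, disable=(), set_ports=None):
    """Return a tuned copy of the rule set: 'disable' deletes rules by id,
    'set_ports' modifies a rule's destination ports.  The input is unchanged."""
    set_ports = set_ports or {}
    tuned = []
    for r in rules:
        r2 = replace(r)
        if r.rid in disable:
            r2.enabled = False
        if r.rid in set_ports:
            r2.dst_ports = frozenset(set_ports[r.rid])
        tuned.append(r2)
    return tuned


if __name__ == "__main__":
    rules, events = default_rules(), sample_events()
    print("before:", run(rules, events))
    tuned = tune(rules, disable={1003}, set_ports={1001: {80, 8080}})
    site = Baseline(scanners=frozenset({"10.0.0.99"}))
    print("after: ", run(tuned, events, baseline=site))
```

Before tuning the engine raises four alerts, two of which are noise (the admin's `ps` and the site's own scanner) while the traversal against the web server on port 8080 is missed entirely. After deleting rule 1003, widening rule 1001 to port 8080 and declaring the scanner host in the baseline, it raises three alerts, all of them the real events.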
