IDS mailing list archives
RE: Recent anti-NIDS Gartner article
From: "Jim Butterworth" <res0qh1m () verizon net>
Date: Wed, 18 Jun 2003 15:24:01 -0700
I would agree so long as the inline device is not responsible for degrading the QoS of the traffic. That is where things get tricky. You know, all these devices are designed with different goals in mind. As an Intrusion Analyst, I'm not necessarily concerned with the one dropped packet out of thousands; I'm hedging my bet that if someone with bad intent is eyeballing your goods, chances are there will be more than one packet with their name on it. So, as for the requirement to capture every packet, while definitely desired, I would make an argument that it is simply not "that" crucial. As far as bypassing detection, that is why a human in the loop, reviewing more logs than just an IDS output, is so VERY important to the success of Defense in Depth. Not one of these devices can stand on its own. They all have to work together in a complementary fashion.

My two cents...

r/Jim Butterworth

-----Original Message-----
From: Srinivasa Rao Addepalli [mailto:srao () intotoinc com]
Sent: Wednesday, June 18, 2003 11:05 AM
To: Srinivasa Rao Addepalli; focus-ids () securityfocus com
Subject: Re: Recent anti-NIDS Gartner article

After seeing this article, I got several requests on what I think about this article (press release) and the applicability of IDSes in different market segments. So, I thought I would expand on my previous email.

IDSes which sniff or tap off the network have several disadvantages:
- They might miss detection of exploits/attacks/intrusions.
- There are too many ways to bypass detection.
- They need expensive hardware for a good performance and detection rate.

Due to this, they might not survive in the SOHO and SME market segments. But I feel inline IDSes are a good bet for the SOHO and SME segments, and since all the traffic passes through them, there is no issue of missing packets or data. I also think that when enhanced with protection (dropping packets or connections) capability, they are more attractive to this market segment.

Today, IDSes can be configured to inform the firewall, but I don't think anybody seriously thinks that this solves all the problems. Having protection capability within the IDS provides more control or more accurate protection. My opinion is that 'tap or sniff IDSes' may not survive much longer (except in some minor market segment) and they will probably be replaced with inline IDSes or inline IDS/IPSes.

Srini
Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com

----- Original Message -----
From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
To: <focus-ids () securityfocus com>
Sent: Tuesday, June 17, 2003 8:32 PM
Subject: Recent anti-NIDS Gartner article
One of the primary goals of IDSes (inline or otherwise) is to detect the intention of intrusions. Yes, it is true that firewalls with application intelligence protect the servers and infrastructure, and they are needed as part of a comprehensive security solution. I understand from the report that more resources in the IS department are required to analyze the attacks. It is also true that today IDSes generate too many logs which turn out to be either false positives or logs that are not applicable for that environment. Unless these problems are fixed, IDSes will die out over time.

IDS technology has greatly improved in recent times, with more and more IDS products coming out with application intelligence. These reduce the false positives. But the other problem that needs to be fixed is specific to the deployment environment. IDSes should be flexible enough to be tunable by the users, such as deletion of unwanted signature rules, modification of signature rules, setting up typical characteristics of traffic, etc. This might sound like a need for IT resources, but the effort it takes to analyze unwanted logs is significantly higher.

Thank you for your time.

Srini
Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
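The tuning Srini asks for in his first message (deleting unwanted signature rules, suppressing a rule for a known source, rate-limiting a noisy one) can be measured against an alert stream before it is pushed into production. The script below is an added example, not code from the thread or from any IDS vendor: the alert lines, rule SIDs (local 1000000+ range), messages and addresses are constructed; the suppress and event_filter lines follow Snort's threshold.conf syntax, while the disablesid line is this script's own gid:sid shorthand for a rule removed from the ruleset. Snort applies these at detection time; replaying them over already-written alert lines is a simplification that is sufficient to show the effect on alert volume.

```python
"""Replay a Snort-style alert stream through a tuning policy and count what survives.

Added example (not from the thread). SAMPLE_ALERTS and SAMPLE_POLICY are
constructed: SIDs are in the local range, messages/addresses are made up.
suppress/event_filter use Snort threshold.conf syntax; 'disablesid gid:sid'
is this script's own shorthand for a rule deleted from the ruleset.
"""
import re
from collections import defaultdict

SAMPLE_ALERTS = """\
06/18-15:24:01.000001  [**] [1:1000001:1] LOCAL SQL worm probe [**] [Priority: 2] {UDP} 10.1.1.54:1434 -> 192.168.1.10:1434
06/18-15:24:02.000001  [**] [1:1000001:1] LOCAL SQL worm probe [**] [Priority: 2] {UDP} 10.1.1.54:1434 -> 192.168.1.11:1434
06/18-15:24:03.000001  [**] [1:1000001:1] LOCAL SQL worm probe [**] [Priority: 2] {UDP} 203.0.113.9:1434 -> 192.168.1.10:1434
06/18-15:24:10.000001  [**] [1:1000002:1] LOCAL noisy web scanner UA [**] [Priority: 3] {TCP} 198.51.100.7:40001 -> 192.168.1.20:80
06/18-15:24:11.000001  [**] [1:1000002:1] LOCAL noisy web scanner UA [**] [Priority: 3] {TCP} 198.51.100.7:40002 -> 192.168.1.20:80
06/18-15:24:12.000001  [**] [1:1000002:1] LOCAL noisy web scanner UA [**] [Priority: 3] {TCP} 198.51.100.7:40003 -> 192.168.1.20:80
06/18-15:25:30.000001  [**] [1:1000002:1] LOCAL noisy web scanner UA [**] [Priority: 3] {TCP} 198.51.100.7:40004 -> 192.168.1.20:80
06/18-15:25:31.000001  [**] [1:1000003:1] LOCAL chat protocol seen [**] [Priority: 3] {TCP} 192.168.1.30:51000 -> 203.0.113.40:5190
"""

SAMPLE_POLICY = """\
# constructed tuning policy for this environment
disablesid 1:1000003                                            # chat rule not wanted here
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.54   # known internal scanner
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60
"""

# Snort "fast" alert format; only alerts carrying src:port -> dst:port are modelled.
ALERT_RE = re.compile(
    r'^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.+?)\s+\[\*\*\]'
    r'.*?\{(\w+)\}\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$')


def parse_alert(line):
    """Parse one fast-format line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    _mon, day, hh, mm, ss, gid, sid, msg, proto, src, sport, dst, dport = m.groups()
    # Month is ignored: seconds-since-month-start is enough for window arithmetic.
    t = int(day) * 86400 + int(hh) * 3600 + int(mm) * 60 + int(ss)
    return {"t": t, "gid": int(gid), "sid": int(sid), "msg": msg, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def parse_policy(text):
    """Parse disablesid / suppress / event_filter (type limit) directives."""
    policy = {"disabled": set(), "suppress": [], "filters": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        if kind == "disablesid":
            gid, sid = rest.split(":")
            policy["disabled"].add((int(gid), int(sid)))
            continue
        opts = dict(item.split() for item in rest.split(","))
        key = (int(opts["gen_id"]), int(opts["sig_id"]))
        if kind == "suppress":
            policy["suppress"].append((key, opts["track"], opts["ip"]))
        elif kind == "event_filter" and opts["type"] == "limit":
            policy["filters"].append((key, opts["track"], int(opts["count"]), int(opts["seconds"])))
        else:
            raise ValueError("unsupported directive: " + line)
    return policy


def apply_policy(alerts, policy):
    """Return (kept_alerts, {reason: dropped_count}) in stream order."""
    kept, dropped, windows = [], defaultdict(int), {}
    for a in alerts:
        key = (a["gid"], a["sid"])
        if key in policy["disabled"]:
            dropped["disabled"] += 1
            continue
        if any(k == key and a["src" if trk == "by_src" else "dst"] == ip
               for k, trk, ip in policy["suppress"]):
            dropped["suppressed"] += 1
            continue
        limited = False
        for k, trk, count, seconds in policy["filters"]:
            if k != key:
                continue
            w = windows.setdefault((key, a["src" if trk == "by_src" else "dst"]), [a["t"], 0])
            if a["t"] - w[0] >= seconds:   # window expired: start a fresh one
                w[0], w[1] = a["t"], 0
            w[1] += 1
            limited |= w[1] > count        # 'limit': first <count> alerts per window pass
        if limited:
            dropped["rate_limited"] += 1
            continue
        kept.append(a)
    return kept, dict(dropped)


def tune(alert_text, policy_text):
    alerts = [a for a in map(parse_alert, alert_text.splitlines()) if a]
    return apply_policy(alerts, parse_policy(policy_text))


if __name__ == "__main__":
    kept, dropped = tune(SAMPLE_ALERTS, SAMPLE_POLICY)
    print(f"kept {len(kept)} of 8 alerts; dropped {dropped}")
    for a in kept:
        print(f"  [{a['gid']}:{a['sid']}] {a['msg']} {a['src']} -> {a['dst']}")
```

On the constructed stream the policy keeps three of eight alerts: the worm probe from the unknown external source survives the per-IP suppression, and the scanner rule fires once per 60-second window instead of on every request. The same replay can be pointed at a day of real alerts to see what a proposed suppress or event_filter would have removed before it is deployed, which is the cheap part of the analyst effort Srini is describing.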
Current thread:
- Re: Recent anti-NIDS Gartner article, (continued)
- Re: Recent anti-NIDS Gartner article nyec (Jun 17)
- Re: Recent anti-NIDS Gartner article Stephen P. Berry (Jun 18)
- RE: Recent anti-NIDS Gartner article Reverman, Peter C (Jun 17)
- RE: Recent anti-NIDS Gartner article - BruteForce Security Robert J. Mehler (Jun 17)
- Recent anti-NIDS Gartner article Srinivasa Rao Addepalli (Jun 18)
- RE: Recent anti-NIDS Gartner article Jim Butterworth (Jun 18)
- Re: Recent anti-NIDS Gartner article Michael Sierchio (Jun 18)
- RE: Recent anti-NIDS Gartner article - BruteForce Security Robert J. Mehler (Jun 17)
- Re: Recent anti-NIDS Gartner article Srinivasa Rao Addepalli (Jun 18)
- Re: Recent anti-NIDS Gartner article Stephen Samuel (Jun 19)
- Re: Recent anti-NIDS Gartner article Srinivasa Rao Addepalli (Jun 22)
- RE: Recent anti-NIDS Gartner article Jim Butterworth (Jun 19)
- Re: Recent anti-NIDS Gartner article Stephen Samuel (Jun 19)
- RE: Recent anti-NIDS Gartner article Hall, Andrew (DPRS) (Jun 19)
- RE: Recent anti-NIDS Gartner article Paul Benedek (Jun 22)
- Re: Recent anti-NIDS Gartner article Richard Ginski (Jun 19)