IDS mailing list archives

RE: Recent anti-NIDS Gartner article


From: "Jim Butterworth" <res0qh1m () verizon net>
Date: Wed, 18 Jun 2003 15:24:01 -0700

I would agree so long as the inline device is not responsible for
degrading the QoS of the traffic.  That is where things get tricky.  You
know, all these devices are designed with different goals in mind.   As
an Intrusion Analyst, I'm not necessarily concerned with the one dropped
packet out of thousands. I'm hedging my bet that if someone with bad
intent is eyeballing your goods, chances are, there will be more than 1
packet with their name on it.  So, while the requirement to capture every
packet is definitely desired, I would make an argument that it is
simply not "that" crucial.

As far as bypassing detection, that is why a human in the loop,
reviewing more logs than just an IDS output, is so VERY important to the
success of Defense in Depth.  Not one of these devices can stand on
its own.  They all have to work together in a complementary fashion.

My two cents...

r/Jim Butterworth

-----Original Message-----
From: Srinivasa Rao Addepalli [mailto:srao () intotoinc com] 
Sent: Wednesday, June 18, 2003 11:05 AM
To: Srinivasa Rao Addepalli; focus-ids () securityfocus com
Subject: Re: Recent anti-NIDS Gartner article

After seeing this article, I got several requests on what I think about
this article (press release) and the applicability of IDSes in different
market segments. So, I thought I would expand on my previous email.

IDSes which sniff or tap off the network have several disadvantages:
- They might miss detection of exploits/attacks/intrusions.
- There are too many ways to bypass detection.
- They need expensive hardware for good performance and detection rate.
Due to this, these might not survive in SOHO and SME market segments.

But, I feel Inline IDSes are a good bet for SOHO and SME segments, and
since all the traffic passes through them, there is no issue of missing
packets or data.  I also think that when enhanced with protection
(dropping packets or connections) capability, they are more attractive to
this market segment. Today, IDSes can be configured to inform the Firewall,
but I don't think anybody seriously thinks that this solves all the
problems. Having protection capability within the IDS provides more
control or more accurate protection.

My opinion is that 'tap or sniff IDSes' may not survive much longer (except
in some minor market segment) and they will probably be replaced
with Inline IDSes OR Inline IDS/IPSes.

Srini
Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
----- Original Message ----- 
From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
To: <focus-ids () securityfocus com>
Sent: Tuesday, June 17, 2003 8:32 PM
Subject: Recent anti-NIDS Gartner article


One of the primary goals of IDSes (inline or otherwise) is to detect
the intention of intrusions. Yes, it is true that Firewalls with
application intelligence protect the servers and infrastructure, and
they are needed as part of a comprehensive security solution.

I understand from the report that more resources in the IS department
are required to analyze the attacks. It is also true that today IDSes
generate too many logs, which turn out to be either false positives
OR logs that are not applicable for that environment. Unless these
problems are fixed, IDSes will die out over time.

IDS technology has greatly improved in recent times, with more and
more IDS products coming out with application intelligence. These
reduce the false positives. But, the other problem that needs to be fixed
is specific to the deployment environment. IDSes should be
flexible enough to be tunable by the users, such as deletion of unwanted
signature rules, modification of signature rules, setting up typical
characteristics of traffic, etc. This might
sound like a need for IT resources, but the effort it takes to
analyze unwanted logs is significantly higher.


Thank you for your time.
Srini



Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
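The tuning steps Srini lists (deleting unwanted signature rules, modifying rules, and describing the typical traffic of the environment so it is not reported) can be shown as a small alert-filtering pass. The following is an added example, not code from Srini, Intoto, or any IDS product; the "sid|src|dst|msg" alert format, the signature ids, the tuning policy and the sample alert lines are all constructed for illustration.

```python
"""Alert-tuning pass for a signature-based IDS.

Applies three environment-specific adjustments to raw alerts and reports
what an analyst still has to look at, plus what was dropped and why.
Added example: alert format, signature ids and policy are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Alert:
    sid: int   # signature id (constructed numbering)
    src: str   # source address
    dst: str   # destination address
    msg: str   # rule message


# Constructed sample alert lines in a simple "sid|src|dst|msg" format.
SAMPLE_ALERTS = """\
1001|10.0.0.5|10.0.0.80|ICMP echo request
1001|10.0.0.6|10.0.0.80|ICMP echo request
2002|203.0.113.9|10.0.0.80|Web server probe
2002|203.0.113.9|10.0.0.80|Web server probe
2002|203.0.113.9|10.0.0.80|Web server probe
3003|10.0.0.5|10.0.0.25|SMB traffic seen
3003|10.0.0.7|10.0.0.25|SMB traffic seen
"""

# Tuning policy (constructed), one entry per kind of change in the thread:
DISABLED_SIDS = {1001}                  # deletion: ping alerts are noise here
THRESHOLDS = {2002: 3}                  # modification: report only at the Nth hit per source
NORMAL_TRAFFIC = {("10.0.0.25", 3003)}  # typical traffic: SMB to the file server is expected


def parse_alerts(text: str) -> list[Alert]:
    """Parse the constructed line format into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, src, dst, msg = line.split("|", 3)
        alerts.append(Alert(int(sid), src, dst, msg))
    return alerts


def tune(alerts: Iterable[Alert]) -> tuple[list[Alert], Counter]:
    """Return the alerts an analyst should still see and counts of drops by reason."""
    kept: list[Alert] = []
    dropped: Counter = Counter()
    hits: Counter = Counter()  # (sid, src) -> number of times seen
    for a in alerts:
        if a.sid in DISABLED_SIDS:
            dropped["disabled"] += 1
            continue
        if (a.dst, a.sid) in NORMAL_TRAFFIC:
            dropped["expected_traffic"] += 1
            continue
        limit = THRESHOLDS.get(a.sid)
        if limit is not None:
            hits[(a.sid, a.src)] += 1
            if hits[(a.sid, a.src)] < limit:
                dropped["below_threshold"] += 1
                continue
            if hits[(a.sid, a.src)] > limit:
                dropped["already_reported"] += 1
                continue
        kept.append(a)
    return kept, dropped


def summarize(text: str = SAMPLE_ALERTS) -> dict:
    """Run the pass over alert text and return a plain summary."""
    kept, dropped = tune(parse_alerts(text))
    return {"kept": len(kept), "kept_sids": [a.sid for a in kept], **dropped}


if __name__ == "__main__":
    print(summarize())
```

With the constructed sample, seven raw alerts become one alert worth an analyst's attention (the third probe from the same source), and the summary records why each of the other six was dropped, which is the kind of accounting that makes it possible to argue that a tuning change is reducing noise rather than hiding real events.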

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------

