IDS mailing list archives

RE: IDS, IPS or just rubbish


From: James Cutter <JamesCutter () thedoghousemail com>
Date: Wed, 25 Jun 2003 03:18:45 -0700 (PDT)

I was in one of their partner events as well. It looks to me like you misunderstood their point. 

They do not have many signatures. In fact, they do not claim to be a signature-based company. They do claim to provide protection by understanding the protocols and applications.
How many firewalls do you know that understand HTTP 1.1 (really understand, including the ability to catch different HTTP requests on the same connection, chunks, retransmissions, etc.)? How many firewalls are able to protect on day zero against double HTTP header attacks, WebDAV attacks, etc.?

Even with the signatures that they do have, they perform aggressive matching against different encodings and regular expression matching. Adding the fact that they do IP fragment checks for all IP traffic (and not only port 80) and reassemble TCP streams, I think that they can be called intelligent. (And according to their claims, most of the work is done in the kernel, with an expected 3% performance loss. Even if I don't take this as they claim, it is better than any system I know. Believe me, I know.)

I do think that they need to improve their configuration and documentation. Right now, fools cannot use their systems (without using us, the system integrators). It is too difficult. One should define resources, set different properties and so on.
For the first time in several years, I think that my customers understand why Checkpoint claims to be superior. All I need to do is demonstrate HTTP 1.1 penetration with other firewall systems.

If I understand their vision, they are going further with non-signature policy.

BTW, my customers are using their SQL Inspect fixes. They were able to operate while the worm was hitting them. How many other vendors offer this?

I recommend that my customers keep using IDS. I think that there is a need for event correlation technology. Again, Checkpoint is not a signature company.


Jack Ryan said: 
I went to the local product launch of Checkpoint FW-1 Next Generation *Artificial Intelligence* the other day and was 
interested to see that this technology is nothing more than a signature-based IDS that can pass stuff on to the 
firewall. Funnily enough they call it "Active Defense" which is the same name NAI used to describe Cybercop talking to 
Gauntlet before they dropped/sold the products.

Checkpoint are pushing this patch to NG FP3 FW-1 as an all-in-one solution whereby you wouldn't need an IDS as well as 
a firewall. In Hong Kong they have over 70% of the firewall market - their market penetration is similar worldwide - in 
order to gain competitive advantage they are trying to crush the IDS/IPS market. Maybe they've been partying with 
Gartner.

What's more they are lying through their teeth. I sat there and listened to them pull out terms like zero-day and 
protocol anomaly detection which is simply them jumping on the bandwagon of quality solutions. It is signature-based, 
and though Checkpoint will apparently notify you of any new threats you will still need to edit a text file so that the 
firewall knows what they are.

Their big push is that they are doing application-layer stuff now, which anyone who knows firewalls will know is what Sidewinder, Gauntlet and Axent (Symantec) have been doing for years. FW-1 is a stateful packet filter, and probably the best there is in terms of enterprise management. However, they are not analysing traffic at the application layer aside from a handful of signatures. They were saying that FW-1 NG AI is the only gateway solution of its kind. Symantec have had signature-based IDS combined with the *real* layer 7 Raptor firewall in their SGS box for ages. (Performance aside...)

They kept telling me about SQL Slammer and how this solution will stop it. What utter crap. Can anyone on this list tell me of a signature-based IDS which picked Slammer up in the 2-odd hours it needed to propagate?

There has been a lot of discussion here about the future of IDS - I think I've seen Checkpoint's vision....... Treat us 
all like fools. 

Zero-day detection my ****. 




_____________________________________________________________
Get your FREE TheDoghouseMail email address at http://www.thedoghousemail.com

_____________________________________________________________
Select your own custom email address for FREE! Get you () yourchoice com, No Ads, 6MB, IMAP, POP, SMTP & more! 
http://www.everyone.net/selectmail?campaign=tag

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
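The inspection problem James raises (several HTTP/1.1 requests on one reassembled TCP connection, chunked bodies, doubled headers) is what a protocol-aware gateway has to get right before any signature can be applied to the traffic. As an added illustration that is not part of the thread and not any vendor's code, the Python below splits a constructed pipelined stream into individual requests, decodes a chunked body, and flags the requests whose framing is ambiguous (a repeated header, or Content-Length and Transfer-Encoding together); the sample stream and host names are made up for the example.

```python
# Added example (not from the thread): split a reassembled TCP byte stream
# into pipelined HTTP/1.1 requests, decode chunked bodies, and flag the
# header ambiguities an inspection engine must resolve before matching.
def parse_headers(block):
    """Return (request line, name -> all values); a repeated header stays visible."""
    lines = block.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return lines[0].decode("ascii", "replace"), headers

def read_chunked(stream, pos):
    """Decode a chunked body starting at pos; return (body, offset after trailers)."""
    body = b""
    while True:
        end = stream.index(b"\r\n", pos)
        size = int(stream[pos:end].split(b";")[0], 16)  # chunk extensions ignored
        pos = end + 2
        if size == 0:  # last chunk: skip the (possibly empty) trailer section
            return body, stream.index(b"\r\n\r\n", pos - 2) + 4
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF

def split_requests(stream):
    """Walk one reassembled connection request by request, recording findings."""
    requests, pos = [], 0
    while pos < len(stream):
        head_end = stream.index(b"\r\n\r\n", pos)
        request_line, headers = parse_headers(stream[pos:head_end])
        pos = head_end + 4
        findings = [f"repeated header: {n}" for n, v in headers.items() if len(v) > 1]
        if "content-length" in headers and "transfer-encoding" in headers:
            findings.append("both Content-Length and Transfer-Encoding present")
        if "chunked" in [v.lower() for v in headers.get("transfer-encoding", [])]:
            body, pos = read_chunked(stream, pos)
        else:  # Content-Length framing, or no body at all
            length = int(headers.get("content-length", ["0"])[0])
            body, pos = stream[pos:pos + length], pos + length
        requests.append({"request": request_line, "body": body, "findings": findings})
    return requests

# Constructed sample: three pipelined requests on a single connection.
SAMPLE_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nHost: other.test\r\n"
    b"Content-Length: 3\r\nTransfer-Encoding: identity\r\n\r\nabc"
)
```

Running `split_requests(SAMPLE_STREAM)` yields three requests; only the third carries findings, which is exactly the case a per-packet or port-80-only matcher would never see as a whole.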