IDS mailing list archives

Re: IDS, IPS or just rubbish?


From: Ravi <ravivsn () roc co in>
Date: Wed, 25 Jun 2003 11:56:05 +0530

Hi Jack Ryan,

Many firewall vendors, including us, have supported this feature for a long time: SMTP/FTP/POP3/IMAP command filtering, file filtering, HTTP URL and method filtering, RPC program number filtering.

I feel this capability is not a replacement for IDS/IPSes. Intrusion detection/protection systems detect misuse/exploit attempts, apart from selectively terminating the connections.

Regards
Ravi

--


The views presented in this mail are completely mine. The company is not
responsible for them whatsoever.
------------------------------------------------------------------------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184

ROC home page <http://www.roc.co.in>

Jack Ryan wrote:
I went to the local product launch of Checkpoint FW-1 Next Generation *Artificial Intelligence* the other day and was interested 
to see that this technology is nothing more than a signature-based IDS that can pass stuff on to the firewall. Funnily enough 
they call it "Active Defense" which is the same name NAI used to describe Cybercop talking to Gauntlet before they 
dropped/sold the products.

Checkpoint are pushing this patch to NG FP3 FW-1 as an all-in-one solution whereby you wouldn't need an IDS as well as a 
firewall. In Hong Kong they have over 70% of the firewall market - their market penetration is similar worldwide - in order to 
gain competitive advantage they are trying to crush the IDS/IPS market. Maybe they've been partying with Gartner.

What's more they are lying through their teeth. I sat there and listened to them pull out terms like zero-day and 
protocol anomaly detection which is simply them jumping on the bandwagon of quality solutions. It is signature-based, and 
though Checkpoint will apparently notify you of any new threats you will still need to edit a text file so that the firewall 
knows what they are.

Their big push is that they are doing application-layer stuff now, which anyone who knows firewalls will know is what Sidewinder, Gauntlet and Axent (Symantec) have been doing for years. FW-1 is a stateful packet filter - and probably the best there is in terms of enterprise management. However, they are not analysing traffic at the application layer aside from a handful of signatures. They were saying that FW-1 NG AI is the only gateway solution of its kind. Symantec have had signature-based IDS combined with the *real* layer 7 Raptor firewall in their SGS box for ages. (performance aside.........)

They kept telling me about SQL Slammer and how this solution will stop it. What utter crap. Can anyone on this list tell me of a signature-based IDS which picked Slammer up in the 2-odd hours it needed to propagate?

There has been a lot of discussion here about the future of IDS - I think I've seen Checkpoint's vision....... Treat us all like fools. Zero-day detection my ****.


-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
