IDS mailing list archives
RE: Is IDS/IPS worthless?
From: "Bob Walder" <bwalder () spamcop net>
Date: Tue, 24 Feb 2004 06:49:01 +0100
For those confused about the meaning of IPS or its usefulness, our latest competitive analysis report looks at some of the market leaders in that area and attempts to answer at least some of the questions. It can be viewed on-line at www.nss.co.uk/ips

Regards,
Bob Walder
Director
The NSS Group
-----Original Message-----
From: SecurIT Informatique Inc. [mailto:securit () iquebec com]
Sent: 23 February 2004 19:36
To: Andrew Plato
Cc: focus-ids () securityfocus com
Subject: Re: Is IDS/IPS worthless?

Hello. I thought I'd chip in my 2 cents...

First of all, I think that there is some confusion building around the terms IDS and IPS, and the Gartner report is probably one of the main reasons for that, along with vendors' marketing pitches. Without having a clear definition of these two terms, it becomes futile to determine if they are useful or not. IPS seems to mean "firewalls with IDS built-in", but in this definition, I think it is too limiting to what an IDS really is; an IDS is not only a NIDS, but also HIDS, anomaly based, log analysis, etc... Also, I simply don't see how someone could move "IDS" capabilities into a firewall and end up with a similar security level to that of a more traditional, decentralized approach. For example, how can an IPS check the integrity of system binaries on the hosts on your network?

Now, with that being said, I think it is just plain misleading to speak of IDS/IPS in the same sentence, as I've demonstrated clearly that an IPS could be seen more as an evolution of the traditional NIDS setup. While I don't have much faith in IPS as they are presented today, I don't think that the fate of IDS at large is linked to the future success or failure of IPS technology. I have developed a whole series of tools with the sole goal of improving ways to detect intrusions using new techniques that can be built around an existing security architecture. I wrote an article on this whole topic, which is yet to be released as it is planned for presentation at some conferences this year, and I have submitted it to SecurityFocus numerous times, but with no news from them so far. I plan to release it in 1-2 months from now.
To finish, I'd just say that I really don't think that IDS is dead, it is just going to evolve, and I've been trying hard at implementing some of these evolutions myself in the Windows world. Just don't be surprised that if someone tries to sell you a competitive product to IDSes, then they'll try to downplay the role of IDS technologies in order to make their own product look good. At this point, it is up to everybody to make their own decisions in this debate, and see the real trends out of the pure marketing hype.

MHO
Adam Richard
SécurIT Informatique Inc.
http://securit.iquebec.com/

At 11:31 AM 20/02/2004, Andrew Plato wrote:

I've noticed something lately and I wonder if anybody else has experienced this. At a meeting recently, I was told by a number of people that IDS/IPS is a "worthless waste of IT resources" and "providing no real value to an organization." The speaker at this particular meeting challenged me to say "what business goals did the implementation of an IDS/IPS achieve?" I responded that an IDS gives insight to what is happening on a network and provides critical data to more effectively focus resources on real problems. An IPS builds a level of trust and protection from intrusions as well as insight into the function and behavior of a network. (Okay, it was a vanilla answer, I admit.)

So this speaker then challenged me to come up with verifiable metrics. I replied that he would have to define what metrics he wants. What does he consider a "viable metric" for performance? He said "did they sell more products, make more money?" I replied "why is that the only metric that businesses can understand? A lot of complex things go into 'making money' and IT operations is a small part of that. Marketing, strategic vision, and many other factors have a much more profound impact on 'making money' than a single IT security solution. However, insight into operations and security is a critical component of IT.
How do you know you have been broken into if you don't have any mechanisms to detect those intrusions? There is clear value in investment in locks and security cameras, why not have similar investments into the digital equivalents." This shut him up, for a while, but it highlighted a growing trend I am noticing. It seems like there are a lot of people with an agenda right now to shoot down the value of IPS/IDS technologies. IPS in particular seems to be painted as a "marketing ploy." I also hear the story "they bought an IDS and it just sat in a rack and did nothing" a lot (usually from people who don't even know what an IDS does.)

What is happening here? Anybody have any idea why there is a growing "anti-IDS" attitude? Is it the failure of IDS to produce value in an organization? Is the Gartner "IDS is dead" report having THAT much effect on the industry? Are the IDS vendors victims of their own over-marketing? Am I a paranoid moron? I am curious to hear other people's ideas on and strategies for dealing with these objections.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 298
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
GPG public key available at: http://www.anitian.com/corp/keys.htm

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security.
Download 30-day evaluation at: http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------