IDS mailing list archives

RE: IPS comparison


From: "Zahir, Rubayat" <rubayat.zahir () csfb com>
Date: Fri, 2 Sep 2005 17:50:01 +0100

Good Day Everyone, 
IDS/IPS has gotten much better in the industry, and more sophisticated; agreed, but so have attacks and vulnerabilities, which 
have been the primary driver for their enhancement. In any event, my point to all was, IDS and IPS are great, as long as 
you have continuity in maintaining and monitoring them. My recommendation to all is to continuously scan the network 
and learn new attack methods, because new penetration tactics performed by hackers are devised to bypass your IDS/IPS. 
Especially if you look at the code and the instructions for the code, and the modification capabilities of that code, which allow 
you to do so easily. Additionally, my example may have been outdated, but the technical facts still apply to modern 
attacks on the network. The mere thought of defending any single product for protecting/detecting attacks on one's 
network is an example of faulty thinking on one's part. IDS/IPS from any vendor cannot and will not be foolproof, ever. 
Most firms use them to reduce risk. But the key is 
to make sure you monitor the tools and have a dedicated staff to react to any major attacks, and have a firm incident 
response procedure and team. Most importantly, where you place your sensors is the key to architecting your IDS. 
You will be surprised how often that's done wrong. 
Thanks. 

Sincerely yours,
Rubayat M. Zahir



-----Original Message-----
From: James Williams [mailto:jwilliams () mail wtamu edu]
Sent: Friday, September 02, 2005 9:20 AM
To: Rubayat.Zahir () csfb com; focus-ids () securityfocus com
Subject: RE: IPS comparison


If you haven't used the Cisco IDS/IPS solution recently, maybe you
should. It's been greatly improved over the last couple of years. Also
Cisco DOES have IPS solutions that you can put on servers and on the
desktop that support Windows, Linux, and Solaris and they are working on
a Mac client, so I've been told.

Take a look at the Cisco IPS 4200 series appliances as well as Cisco CSA
and Cisco Clean Access.

Your facts are a bit misconstrued based on where the IDS/IPS market was
a couple years ago. I'm pretty sure that ALL products in the IPS/IDS
market have made huge leaps and bounds on how their product operates.

Code Red & Nimda were both worms from 2000/2001 when IPS technologies
were much younger technologies, whereas Slammer happened in early 2003.
In technology that's a lifetime of growth and maturity. Most IPS vendors
are using behavior based metrics to determine what an attack is and what
isn't. That makes it much easier for vendors to help mitigate zero-day
attacks. The Cisco CSA blocked Blaster and the more recent Zotob without
any updates. It simply saw a behavior that wasn't normal and blocked it.

On my personal computer at my house I personally use Prevx. So far it's
turned out to be a great product. I've installed it on a fresh install
of a Windows XP computer and put it on the Internet unprotected and it
blocked all the known worms, such as Blaster, that wreaked havoc for many
universities and companies in August of 2003.

Anyway, all I'm trying to say is that the IDS/IPS industry has gotten
much better at what they do best, and I think a lot of the material that
you are basing your comments on is from at least 2 years ago.

James Williams, GISF
Network Systems Technician


-----Original Message-----
From: Rubayat.Zahir () csfb com [mailto:Rubayat.Zahir () csfb com] 
Sent: Thursday, September 01, 2005 1:40 PM
To: focus-ids () securityfocus com
Subject: IPS comparison

IPS/IDS can claim all they want on zero-day exploits. I can assure you
it's a player's luck. I had a client during my Big X career who was saved
by ISS on SQL Slammer, and hit hard on Nimda and Code Red. It's really a
player's luck. All IDS/IPS require full customization to your environment
(i.e. applications, code, platforms etc.). Second of all, based on the
patterns I have seen, there is truly a variance among vendors (ISS,
Enterasys, Cisco, Snort, etc.). Lastly, the best of all IDSs are the ones
that have the capability to perform attack correlations. 

Some IPSs are software (e.g. those from Computer Associates, McAfee,
Snort) that you run on your own servers (which may be Windows and/or
Linux-based), while others are dedicated appliances (including
SonicWALL, McAfee, Juniper and Cisco). Your company may have a policy
that limits you to one type or the other. 

To be frank, in many cases IDS and IPS are the same piece of kit
that's just been re-categorised by the vendors - protection seems an
awful lot more marketable than just detection (especially if a detection
system just writes an alert to a log file that you only get a chance to
look at once a week).

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------





