IDS mailing list archives
RE: IDS vs. IPS deployment feedback
From: Mark Teicher <mht3 () earthlink net>
Date: Fri, 14 Apr 2006 07:54:27 -0400 (GMT-04:00)
There are several other issues not discussed in this thread. Some of the easier-to-deploy products may not produce user-friendly, pointy-haired management-type reports as compared to the commercial products. But again, some commercial products miss the boat on reporting and concentrate mostly on speed or number of signatures in the product, whether speed or number of signatures in an organization's mind is the checkbox why they bought the particular flavor of IDS/IPS. Speed and number of signatures do not necessarily mean that the particular flavor of IDS/IPS will catch the newfangled vulnerability that has just been released to the wild or trigger on a Sun-RPC port mapper.

-----Original Message-----
From: Andrew Plato <andrew.plato () anitian com>
Sent: Apr 11, 2006 11:53 AM
To: Eric Hines <eric.hines () appliedwatch com>
Cc: focus-ids () securityfocus com
Subject: RE: IDS vs. IPS deployment feedback

As I said to Alan: we all sell what we know. I sell what I know. You sell what you know. Commercial, open source, closed, open, lost, found, black, white - whatever. Organizations should pick the best solution for their environment.

That much said, I realize it is pretty much high treason to speak badly of an open source product on the Internet. I have angered the Gods of Open Source before. This time is no different.

An unanalyzed IDS/IPS isn't very useful. That is the core problem. Without analytical capability, the value and effectiveness of any security product is reduced.

Many organizations have scant IT resources. As such, any technology that has significant resource requirements is usually passed over for those that can simplify security while extending the capability of a small IT staff. Nobody is arguing the technical merits of Snort, but it's an established fact that it tends to be more resource intensive than its commercial partners. This is true of all open source products. They tend to be more "raw." That is why there are COMMERCIAL companies, like yours Eric and like SourceFire that have made Snort more palatable to enterprises. In this sense, you are no different than 3com, McAfee, ISS, etc. You're simply making a technology easier to use.

Eric, you and Alan are no different than me. You're just hawking a different product. Doesn't matter if the sensor is Snort or Proventia. You sell what you know, I sell what I know.

Furthermore, the "I can see a signature so it's better" argument just doesn't fly at a lot of businesses. Again, most IT people do not have the time to analyze and write signatures. Just as companies outsource their PC manufacturing, phone centers, and Internet connection - they outsource their security protections. They trust a commercial vendor to handle this problem. I can't see the jet fuel Delta puts in a plane, but I trust Delta to use real jet fuel. So, I can trust Delta with my life, but I can't trust ISS or McAfee to write an IPS signature? Yeah. Whatever.

If you feel better seeing the signatures and their content, then by all means - get thee to a Snort box. But, for many IT groups, this just isn't a significant selling point. Ease of use, timeliness of new signatures and reliability are typically more important factors.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security

-----Original Message-----
From: Eric Hines [mailto:eric.hines () appliedwatch com]
Sent: Monday, April 10, 2006 3:13 PM
To: Alan Shimel
Cc: Andrew Plato; 'Will Metcalf'; focus-ids () securityfocus com; Applied Watch Development; sales () appliedwatch com
Subject: Re: IDS vs. IPS deployment feedback

I agree with Alan here. Andrew, I've watched several of your posts now over the past months and on several occasions bit my tongue, but I do have to step up here. You represent several COTS (Commercial off-the-shelf) IPS vendors and have admitted to, so please be careful when posturing them against open source tools such as Snort -- know what you're talking about when it comes to Snort's capabilities if you are going to make claims as to what it's unable to do when compared to COTS solutions.