IDS mailing list archives
Re: IPS Vendor - Customer Experiences
From: Stefano Zanero <zanero () elet polimi it>
Date: Fri, 23 Jun 2006 14:38:11 +0200
gmariuz () msn com wrote:

> Signatures...Are you kidding? You are looking for a signature based IPS?

Which would be the vast majority of IPSs around, but...

> save yourself a huge hassle and cost....www.forescout.com

Let me see... quoting from the website:

> ForeScout's solution has proven its accuracy by detecting in real-time
> every self-propagating threat to date and has gained the trust of 100%
> of our customers who use the appliances in automatic blocking mode.

Wow, 100% detection on a non-declared base of worms to date! That's impressive. And 100% of the customers (which may be 1, 2 or 100) use the appliance in automatic blocking mode... impressive indeed. So how is this wonder performed? Let's see....

> any unsanctioned reconnaissance presents a high potential for
> malicious activity and can be used to identify attackers with 100% accuracy.

Besides the fact that this is blatantly false (since you can generate a fictitious scanning activity on behalf of someone else, and since you can attack without doing reconnaissance directly, see "google hacking" for a clue on how real world things work), you still have trouble. You have to detect "reconnaissance". And to detect reconnaissance, either you use signatures or anomaly detection methods. So, either way, what the page claims is not true.

> ForeScout's patented Active Response™ methodology

Which, like most patented methodologies, has been known to everyone since honeypots, network telescopes, arpd and the concept of black holes were developed years ago... Anyway, since it's patented, there is no need to be mysterious, isn't it? So, I'd just love to be pointed out to scientific or technical whitepapers which describe the marvellous, complex algorithm that you have invented and that I cannot - currently - imagine to go beyond what you obtain by combining arpd, honeyd and a couple of scripts...

> Appliances provide marked information to the inquiring source.

Which would be, for instance, faking the presence of a service? Well, I never, ever met one of your customers, let alone of any prospects, but if asked for a preliminary opinion on this Patented Trademarked Technology I think I would borrow your own words: "Are you kidding?!"

Sincerely,
Stefano Zanero
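
The following is an added example, not part of the original message and not any vendor's implementation. It sketches dark-address reconnaissance detection of the kind the message compares to arpd plus honeyd: the threshold is itself an anomaly heuristic, and a source is only eligible for automatic blocking when its address was confirmed by completed TCP handshakes. The address ranges, threshold, record layout and verdict names are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: unused ("dark") address space inside the monitored network.
DARK_NETS = [ip_network("10.0.200.0/24")]
SCAN_THRESHOLD = 3  # distinct dark addresses probed before a source is flagged

# Constructed sample records: (source, destination, dst_port, handshake_completed).
# handshake_completed is True when the source answered the decoy's SYN-ACK,
# which a blindly forged source address cannot do.
FLOWS = [
    ("192.0.2.10", "10.0.200.5", 445, True),
    ("192.0.2.10", "10.0.200.6", 445, True),
    ("192.0.2.10", "10.0.200.7", 445, True),
    ("198.51.100.7", "10.0.200.5", 80, False),   # SYN only, source unverified
    ("198.51.100.7", "10.0.200.9", 80, False),
    ("198.51.100.7", "10.0.200.12", 80, False),
    ("203.0.113.4", "10.0.1.20", 443, True),     # live host, not dark space
    ("203.0.113.9", "10.0.200.5", 22, True),     # single stray hit
]

def is_dark(addr):
    """True when addr falls inside the configured dark address space."""
    ip = ip_address(addr)
    return any(ip in net for net in DARK_NETS)

def classify(flows, threshold=SCAN_THRESHOLD):
    """Return {source: verdict} for every source that touched dark space."""
    all_hits = defaultdict(set)
    verified_hits = defaultdict(set)
    for src, dst, _port, handshake in flows:
        if not is_dark(dst):
            continue
        all_hits[src].add(dst)
        if handshake:
            verified_hits[src].add(dst)
    verdicts = {}
    for src, dsts in all_hits.items():
        if len(verified_hits[src]) >= threshold:
            verdicts[src] = "block"       # address confirmed by handshakes
        elif len(dsts) >= threshold:
            verdicts[src] = "alert-only"  # address may be forged: no auto-block
        else:
            verdicts[src] = "ignore"      # below the anomaly threshold
    return verdicts

if __name__ == "__main__":
    for source, verdict in sorted(classify(FLOWS).items()):
        print(source, verdict)
```

A source that never touches dark space does not appear in the result at all, so this check does nothing for attacks carried out without direct reconnaissance.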