IDS mailing list archives
[Suspected Spam]RE: Re: I love the smell of whining in the morning...
From: "Nelson Brito" <nbrito () sekure org>
Date: Thu, 10 Dec 2009 20:15:07 -0200
Sorry, Andrew, but I have do disagree. Each one of the IPSes you mentioned has its own approach and its own engine. This means different products are doing almost the same thing. I said almost because we can see that some of them moved forward to apply better protection mixed with better performance. What I saw, and am still seeing, is that some of them try to differentiate themselves using shared memory with multiples x86 CPUs (ISS & Sourcefire) and FPGAs with ASICs (Tippingpoint and McAfee). I am not assuming that this is better than that, the real thing is that if you can do something really good to protect against threats, so you are doing great. The point in this thread is that 5 years ago almost all of them got good results and now just one (I am not considering "that one" which got worse results than TP) got a really bad result. Times changes and in this case something changed in a bad sense. Real world threats can be simulated in lab environment, that is proofed in all security conferences we see nowadays. No one can proof something without test in lab, and if you get the NSS methodology you will see that the procedures and tests are really great to perform a score of good or bad IPS. So, what is the big deal if one of the IPS players got bad results? They will keep the marketing staff working hard to rise their market share anyway... I can tell you, based on my 8 years working and researching deeply the IPS world, that there are a lot of IPSes vulnerable to "one-to-four bytes" evasion techniques. And I am not talking about "black magic"... I am talking about really easy ways to do different things in different manners. /* * $Id: signature,v 1.2 2009-12-03 11:23:42-02 nbrito Exp $ * * Nelson Brito / Security Researcher / fnstenv.blogspot.com * Copyright(c) 2009 Nelson Brito <nbrito[at]sekure[dot]org>. */
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Andrew Plato Sent: Thursday, December 10, 2009 3:52 PM To: 'focus-ids () securityfocus com' Subject: RE: Re: I love the smell of whining in the morning... While NSS is a good organization, I have to wonder about a test that would rate TippingPoint so poorly and SourceFire and ISS so positively. My experience has been that while all are capable products, SourceFire and ISS take a LOT of effort to make them effective while TP, comparatively, takes much less effort. The article even mentions that fact, that Sourcefire took a lot of tuning. And having worked with all of these IPS, I have found that TP, SourceFire, ISS and McAfee are all pretty much the same in terms of effectiveness. This is also odd, since a few years ago, NSS was giving TP glowing reviews. From 2004, NSS wrote: "Overall the performance of UnityOne is very impressive, combining near- perfect security effectiveness with latency close to that of a layer 2 switch...we also found UnityOne to be very stable, surviving our extended reliability tests without missing a beat, and without blocking any legitimate traffic or succumbing to common evasion techniques." That is from their report in January 2004. Okay, that was 5 years ago, times change. One thing that always concerns me about these tests is the fact that they are laboratory-style tests and not real-world tests. Merely stopping an attack only one measure of effectiveness for an IPS. These devices must be made operational in a IT department. And they must integrate with other procedures, practices and devices. This is something a lab test cannot uncover. Andrew Plato, CISSP, CISM, QSA President/Principal Consultant Anitian Enterprise Security -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of wickedpokah () gmail com Sent: Wednesday, December 09, 2009 6:21 AM To: focus-ids () securityfocus com Subject: Re: Re: I love the smell of whining in the morning... This is what TP is referring to: http://www.networkworld.com/news/2009/120709-ips-tests.html?hpg1=bn I have seen the full report and it is fair to say that TP did very poor compared to the competition. This is really no surprise for those of us close to the industry who understand TP's heritage and approach. exploit driven coverage with limited evasion capabilities wrapped around a pretty UI is a recipe for security by obscurity. Well, at least they beat out Juniper :) Oh and NSS is probably the best and most neutral IPS testing body out there by far. This particular report is 100% independent and extremely comprehensive (the best I've seen to date) and includes coverage, performance, Evasion, and various TCO rankings. I *highly* recommend you obtain the report if you are interested and have the money to do so... ----------------------------------------------------------------- Securing Your Online Data Transfer with SSL. A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f 194 ----------------------------------------------------------------- Securing Your Online Data Transfer with SSL. A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f 194
----------------------------------------------------------------- Securing Your Online Data Transfer with SSL. A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
Current thread:
- Re: I love the smell of whining in the morning..., (continued)
- Re: I love the smell of whining in the morning... Graeme Lightbody (Dec 10)
- Re: I love the smell of whining in the morning... alfredhuger () winterhope com (Dec 08)
- RE: I love the smell of whining in the morning... Eric Hanselman (Dec 08)
- Re: I love the smell of whining in the morning... Mark Teicher (Dec 08)
- RE: I love the smell of whining in the morning... Greg Shipley (Dec 08)
- [Suspected Spam]RE: I love the smell of whining in the morning... Nelson Brito (Dec 10)
- RE: I love the smell of whining in the morning... Nelson Brito (Dec 10)
- Re: Re: I love the smell of whining in the morning... wickedpokah (Dec 09)
- Re: Re: I love the smell of whining in the morning... Mark Teicher (Dec 09)
- RE: Re: I love the smell of whining in the morning... Andrew Plato (Dec 10)
- [Suspected Spam]RE: Re: I love the smell of whining in the morning... Nelson Brito (Dec 10)
- RE: Re: I love the smell of whining in the morning... Greg Shipley (Dec 10)
- Re: RE: I love the smell of whining in the morning... bwalder (Dec 10)
- Re: RE: Re: I love the smell of whining in the morning... bwalder (Dec 10)
- RE: RE: Re: I love the smell of whining in the morning... Andrew Plato (Dec 10)
- Re: I love the smell of whining in the morning... Lawrence Pingree (Dec 14)