funsec mailing list archives
RE: so, is I[dp]S a STUPID technology?
From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Tue, 11 Oct 2005 16:53:21 -0400
I would have to agree with Paul Schmehl... Ok, let's start with the statement that Ridgely Evers makes and Richard Stiennon seconds along with Aviram Jenik: "IDS - that has got to be one of the stupidest technology ideas of all time." I don't know who Aviram Jenik is and I don't know about his background, so it's a bit hard to make a proper judgment. However, let's look at who Ridgely Evers and Richard Stiennon are. Do they really know what they are talking about? Are they really qualified to make a statement like that? I claim that they are not. They are business types that deal with the security technology at a very high level without a true understanding of its capabilities and limitations. There's a good chance they don't really understand what IDS technology is for. That's where Aviram joins these two guys as well when he says, 'I heard Richard say on more than one occasion "IDS is dead", and almost hugged him for it.'

The phrase "IDS is dead" was popularized by the Gartner Group when the IPS technology started to emerge. That statement is really WRONG to begin with because the IPS technology is NOT A REPLACEMENT for the IDS technology. The goal of the IDS technology is to collect as much forensics information as possible... before, during, and after malicious/unauthorized activity takes place, while the IPS technology is supposed to block malicious/unauthorized activity once it's detected.

Anyways, going back to the main statement about IDS... saying that the IDS technology is one of the stupidest technology ideas of all time is plain silly just because it's not 100% effective. Nothing (and I repeat... NOTHING) in this world is 100% effective. Just because one technology is not 100% effective doesn't mean it's useless or stupid. Paul Schmehl said it perfectly... "*No* technology can solve *every* problem". That applies not only to technology, but to any kind of solution that deals with any kind of problem.
Let's imagine two worlds, one where IDS/IPS technologies exist and another where they don't. If you had to choose one of those worlds, which one would you choose?

As somebody who deals with IPS technology I also want to comment on the following statement made by Aviram: 'don't talk to me about IPS, please. Most of the IPS's are just IDS with blocking capabilities which means no one ever puts them in 'blocking' mode by default. The rest are usually so sophisticated their "AI" engines can't even stop an nmap connect scan.' It shows that Aviram doesn't know much about the IPS technology, what it's for, and how to use it. There's no technology that you just turn on and it works perfectly. Different tools are used for different tasks. These tools often need to be properly configured for specific environments. What's bad in one environment might be normal traffic in another environment. The flexibility some of those systems provide is necessary because each environment is different, and unfortunately this technology still needs smart people to configure it and operate it. I'm not saying that all IPS products are perfect. They are not, but they are still useful tools.

The statement, "Most of the IPS's are just IDS with blocking capabilities which means no one ever puts them in 'blocking' mode by default", is simply not true. It's definitely not based on real world statistics. While it's true that most IPS products that use signature technology or even protocol misuse technology do have rules that are sometimes disabled or set to detect, the majority of the IPS rules are usually turned on. It is true that it's common to deploy IPS products in bypass/detect mode initially, but it's only the initial phase used to fine tune the system. The point I was trying to make is that... nothing is simple and there's no perfect solution for most of the problems in this world, including security.
However, the existence of tools that help in one way or another is definitely better than having nothing at all...

Kyle

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.