Snort mailing list archives

RE: Re: [Snort-devel] IDS vs IPS


From: "Bob Walder" <bwalder () spamcop net>
Date: Mon, 1 Sep 2003 19:02:30 +0200

Frank,

At last.... A voice of sanity and reason

However, I will take issue with one part of your reply - why do we have
to abandon the term at all? It has been grabbed - for better or worse -
by a particular group of vendors to refer to a particular group of
products. And I don't think the term is that wide of the mark. If you
are going to get all precious about it, why not decide that IDS is not a
good term, is marketing fluff, because it should really be
ICDSIBMNAOTASOTOIDDMBFP (I Can Detect Some Intrusions But Not All Of
Them And Some Of The Ones I Do Detect Might Be False Positives)... Not
as catchy though, is it?

We are getting into the realms of The European Community and its
ridiculous assertions that bananas should be straight and The Brits are
no longer allowed to call their ice cream "ice cream" 'cos there is
actually no cream in it - instead it should be known as Non Fat Dairy
Substitute or some other similar ridiculous term.

So, now we have IDS (or NIDS), and HIDS, and IPS (or NIPS) and HIPS...
And we have firewalls, of course... And routers... And ACLs... And
everyone knows what all these things do (and all of them could be said
to have elements of "intrusion detection" and "intrusion prevention" in
them if we look hard enough). So get over it.

When we finally DO get our wonderful converged product which everyone is
waiting for and which is the best of the firewall/IDS/IPS world with
built-in anti-virus checker, content scanner and coffee maker, then you
can call it the All Singing All Dancing Gateway Security Appliance - or
the Firewall Intrusion Detection and Prevention Appliance - or whatever
other marketing term you like.

And then we can all argue about THAT one for weeks on end because
someone decides it can't be "all singing and all dancing" unless it has
a CD player in it and comes with a free pair of tap shoes.

Regards,

Bob 



-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us] 
Sent: 01 September 2003 18:37
To: Mark Teicher
Cc: Jeff Nathan; Jason Sheffield; Crumrine Gary L; Jason; 
bwalder () spamcop net; Vkmobile () aol com; 
snort-devel () lists sourceforge net; 
snort-users () lists sourceforge net; jon.brody () sygate com; 
cklaus () iss net
Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS


I'll cut down to the gist of it...


On Sun, 2003-08-31 at 10:32, Mark Teicher wrote:
Jeff said:
As it relates to computer networks, IPS would have to be gateway intrusion
detection (aka in-line intrusion detection). Indeed, if a firewall vendor
thinks they're moving into this space I'd love to hear about their design
and implementation. Also, if a company is moving into this space
exclusively I'd love to hear about their technology.

Mark said:
Another inline device. Jeff, are you stating that an enterprise
organization should trust an IPS vendor by allowing them to put their
hardware/software inline with their network connectivity, be it external or
internal??


I think this is a good example for the reason this discussion is going
nowhere. We should be debating what an IPS is from a technical
perspective. Instead we argue if they are good or bad, and how good, how
bad. We should leave personal opinion and qualitative statements out of
the discussion and focus on the definition.

Now we all agree that certain implementations are flawed while others
show promise. We understand that putting too much faith into a product
that sits inline, is a choke point, may not be a good idea. Others may
argue that firewalls do that so it's okay. Let's not get hung up on
those issues. Let's get back to the definition.

We also acknowledge that Intrusion Prevention System is mostly a
marketing term. Before the Prevention buzz word was thrown in, these
things were called Gateway IDS for lack of a better word. Today
Intrusion Prevention Systems include a wider variety than just GIDS.
HIPS comes to mind, so I guess we would have to dissect what a HIPS (Host
IPS) is and what qualifies to deserve that name.

Theoretically *any* countermeasure could be called a Prevention system.
A hardened OS prevents intrusions. Are the Bastille scripts an IPS? Are
SecureIIS or similar wrappers an IPS?

Perhaps by discussing this down the right path we can show reasonably
well that the term is flawed, and perhaps through a collaborative paper
on the term of IPS we can convince the users/admins/buyers as well as
the vendors/market/industry to abandon use of that name...... Yeah, a
pipe dream.... but worth trying? If not, we don't even need to argue
here. Let's give our discussion a purpose or let it die.

Cheers,
Frank





