IDS mailing list archives
Re: Changes in IDS Companies?
From: Kevin Jones <kjmjones () yahoo com>
Date: 29 Oct 2002 17:07:28 -0000
In-Reply-To: <03EA8EE1BD1FAD46A6AB4525406795E12F4E34@ct2001.webcti.local>

Well...Netscreen didn't *build* a NIPS, they bought one (OneSecure). And while everyone gets all excited about the possibility of inline IDS, many still are skeptical that the reality matches the marketing...yet.

Intrusion Prevention IS a good idea, and will eventually be commonplace I suppose. Of course, it is not clear who will capture & dominate that market space. Both the firewall vendors (like Check Point's development of SmartDefense) and traditional IDS vendors (like RealSecure Guard) see this space as an emerging niche.

The sentiment among the skeptics has a lot to do with the problems that have plagued NIDS for a long time - false positives (alerting on legit traffic), false negatives (not alerting on suspect traffic) and performance. The concern many have regarding IPS is that they have had to cut corners on the first two (attack recognition) in order to ensure the IPS is not a performance bottleneck. It just seems unlikely that so many NIDS would struggle with being able to keep up with network traffic while not missing any intrusions, but IPS vendors have come along and solved that problem from the start. So what if they claim to process ~2 Gbps if they have immature intrusion analysis mechanisms?

Until I see some IPS systems undergo some rigorous testing (like Neohapsis OSEC) to separate the hype from the reality, I remain skeptical. Only RealSecure & Intruvert have been certified to date, but not the RS Guard product. IntruShield is an inline IDS, but is quite expensive (~$100K).

However, I agree that once the technical hurdles are overcome (& they will be), NIPS will begin to displace NIDS...But then encryption will pose an increasing problem. For that reason, HIPS will become more necessary, but also firewall/IDS/VPN systems will make sense as key checkpoints (literally) in the network...thus the move by Check Point & Netscreen.
Firewall & IDS (& AV too) vendors ally/acquire partners on the other side, and those that don't will be left out. Thus, the changes in IDS companies as referenced in the original message in this thread.

Initially I would tend to agree that HIPS would move more rapidly, but then a big firewall player like Netscreen builds a NIPS. My guess would be all the other firewall appliance players are scrambling to come up with a nice neat little device that works similarly. I know WatchGuard has an IDS integration tool already. It's actually just a command line program that auto-blocks on the appliance given certain output. I've been trying to implement it with Snort in a test bed scenario and would be very surprised if it wasn't integrated and expanded on the firebox line into a true NIPS in the future. Others to quickly follow?

M. Dante Mercurio, CCNA, MCSE+I, CCSA
dmercurio () ccgsecurity com
Consulting Group Manager
Continental Consulting Group, LLC
www.ccgsecurity.com