IDS mailing list archives

Re: Changes in IDS Companies?


From: Kevin Jones <kjmjones () yahoo com>
Date: 29 Oct 2002 17:07:28 -0000

In-Reply-To: <03EA8EE1BD1FAD46A6AB4525406795E12F4E34@ct2001.webcti.local>

Well...Netscreen didn't *build* a NIPS, they bought one (OneSecure).  And 
while everyone gets all excited about the possibility of inline IDS, many 
still are skeptical that the reality matches the marketing...yet.  
Intrusion Prevention IS a good idea, and will eventually be commonplace I 
suppose.  Of course, it is not clear who will capture & dominate that 
market space.  Both the firewall vendors (like Check Point's development 
of SmartDefense) and traditional IDS vendors (like RealSecure Guard) see 
this space as an emerging niche.  

The sentiment among the skeptics has a lot to do with the problems that 
have plagued NIDS for a long time - false positives (alerting on legit 
traffic), false negatives (not alerting on suspect traffic) and 
performance.  The concern many have regarding IPS is that they have had to 
cut corners on the first two (attack recognition) in order to ensure the 
IPS is not a performance bottleneck.  It just seems unlikely that so many 
NIDS would struggle with being able to keep up with network traffic while 
not missing any intrusions, but IPS vendors have come along and solved 
that problem from the start. So what if they claim to process ~2 Gbps if 
they have immature intrusion analysis mechanisms?  Until I see some IPS 
systems undergo some rigorous testing (like Neohapsis OSEC) to separate 
the hype from the reality, I remain skeptical. Only RealSecure & IntruVert 
have been certified to date, but not the RS Guard product.  IntruShield is 
an inline IDS, but is quite expensive (~$100K). 

However, I agree that once the technical hurdles are overcome (& they will 
be), NIPS will begin to displace NIDS...But then encryption will pose an 
increasing problem. For that reason, HIPS will become more necessary, but 
also firewall/IDS/VPN systems will make sense as key checkpoints 
(literally) in the network...thus the move by Check Point & Netscreen.  
Firewall & IDS (& AV too) vendors ally/acquire partners on the other side, 
and those that don't will be left out.  Thus, the changes in IDS companies 
as referenced in the original message in this thread.


Initially I would tend to agree that HIPS would move more rapidly, but
then a big firewall player like Netscreen builds a NIPS. My guess would
be all the other firewall appliance players are scrambling to come up
with a nice neat little device that works similar.

I know WatchGuard has an IDS integration tool already. It's actually
just a command line program that auto-blocks on the appliance given
certain output. I've been trying to implement it with Snort in a test
bed scenario and would be very surprised if it wasn't integrated and
expanded on the firebox line into a true NIPS in the future.

Others to quickly follow?

M. Dante Mercurio, CCNA, MCSE+I, CCSA
dmercurio () ccgsecurity com
Consulting Group Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
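The quoted message describes a command line tool that auto-blocks on the firewall when given Snort output, and the reply above explains why that worries people: an inline blocker turns every false positive into a self-inflicted outage. The script below is an added example written for this archive page; it is not WatchGuard's tool, nor code from either poster. It parses Snort's "fast" alert format (a real format; the alert lines here are constructed samples, and the year is assumed since the fast format carries none) and applies the guards a defender would put between a NIDS alert and a block rule: a priority floor, a repeat-count threshold inside a time window, and a never-block list for infrastructure whose loss would hurt more than the attack. The network ranges, threshold and window are assumed policy values, not anything from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample alerts in Snort "fast" alert format. Addresses are
# documentation ranges (RFC 5737); nothing here is real traffic.
SAMPLE_ALERTS = """\
10/29-17:00:01.000000  [**] [1:2001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40000 -> 192.0.2.10:22
10/29-17:00:02.000000  [**] [1:2001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40001 -> 192.0.2.10:23
10/29-17:00:03.000000  [**] [1:2001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40002 -> 192.0.2.10:80
10/29-17:00:05.000000  [**] [1:3001:1] WEB-MISC long URI [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.20:51000 -> 192.0.2.10:80
10/29-17:00:06.000000  [**] [1:2001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.53:53 -> 192.0.2.10:53
10/29-17:00:07.000000  [**] [1:2001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.53:53 -> 192.0.2.10:53
10/29-17:00:08.000000  [**] [1:2001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.53:53 -> 192.0.2.10:53
10/29-17:30:00.000000  [**] [1:2001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.0.2.10:22
"""

# One Snort fast-format alert line: timestamp, [gid:sid:rev], message,
# optional classification, priority, protocol, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line, year=2002):
    """Parse one fast-format alert line; return a dict or None if it does not match.

    The fast format has no year, so one is supplied (assumed here)."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
    return {
        "time": when,
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"],
        "priority": int(m["prio"]),          # Snort: 1 is most severe
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]) if m["sport"] else None,
        "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None,
    }


def decide_blocks(lines, *, max_priority=2, threshold=3, window=timedelta(minutes=5),
                  never_block=("192.0.2.0/24",), year=2002):
    """Turn a stream of alert lines into block decisions with false-positive guards.

    A source is blocked only when it triggers at least `threshold` alerts of
    priority <= `max_priority` within `window`, and is never blocked if it falls
    inside a protected range (assumed policy: the site's own infrastructure).
    Returns (blocks, skipped): blocks maps source IP -> evidence; skipped lists
    (source, reason) for alerts that were deliberately not acted on."""
    protected = [ip_network(n) for n in never_block]
    recent_hits = defaultdict(list)   # src -> timestamps of qualifying alerts in window
    blocks = {}
    skipped = []
    for line in lines:
        alert = parse_alert(line, year=year)
        if alert is None:
            continue
        if alert["priority"] > max_priority:
            continue                      # low-priority noise never drives a block
        src = alert["src"]
        if any(ip_address(src) in net for net in protected):
            skipped.append((src, "protected"))   # log it, but never block our own servers
            continue
        now = alert["time"]
        hits = [t for t in recent_hits[src] if now - t <= window] + [now]
        recent_hits[src] = hits
        if len(hits) >= threshold and src not in blocks:
            blocks[src] = {"first_seen": hits[0], "last_seen": now,
                           "sid": alert["sid"], "count": len(hits)}
    return blocks, skipped


if __name__ == "__main__":
    blocks, skipped = decide_blocks(SAMPLE_ALERTS.splitlines())
    for src, info in blocks.items():
        print(f"BLOCK {src}: {info['count']} alerts (sid {info['sid']}) "
              f"between {info['first_seen']:%H:%M:%S} and {info['last_seen']:%H:%M:%S}")
    for src, reason in skipped:
        print(f"SKIP  {src}: {reason}")
```

Run against the sample, only 203.0.113.7 is blocked: the priority 3 alert from 198.51.100.20 is ignored, the three alerts attributed to 192.0.2.53 (a DNS server inside the protected range, and exactly the kind of legitimate traffic a noisy scan signature misfires on) are logged but not blocked, and the single alert from 203.0.113.9 never reaches the threshold. A real deployment would additionally expire blocks after a fixed time so that a transient false positive does not become a permanent rule.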

