IDS mailing list archives

Re: Changes in IDS Companies?


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 30 Oct 2002 21:24:03 -0500

On Tuesday, October 29, 2002, at 12:07 PM, Kevin Jones wrote:
[much snipped]

However, I agree that once the technical hurdles are overcome (& they will be), NIPS will begin to displace NIDS...But then encryption will pose an increasing problem. For that reason, HIPS will become more necessary, but also firewall/IDS/VPN systems will make sense as key checkpoints (literally) in the network...thus the move by Check Point & Netscreen. Firewall & IDS (& AV too) vendors ally/acquire partners on the other side, and those that don't will be left out. Thus, the changes in IDS companies as referenced in the original message in this thread.

Actually, I think if the promise of NIPS is realized, if it replaces anything it will replace *firewalls*, not NIDS. The monitoring need is not removed by NIPS; the stateful packet filtering/access control need is. To recap my view on this one, if your NIPS fails (false negative/fail open) you're going to need an IDS to let you know what's going on. Additionally, there's going to be a need to monitor traffic that doesn't pass through the gateway (internal <-> internal traffic) that isn't going to go away.

Why do you think the firewall companies are moving on this so fast (cf. Netscreen/CheckPoint)?


     -Marty


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

