IDS mailing list archives

Re: Rather funny; looks like page defacement to me


From: "Robert Huber" <bob () swarmsecure com>
Date: Tue, 17 Jun 2003 23:41:37 -0400

I'll add fuel to the fire...

While IDS systems can be a burden on your staff for many of the reasons
cited, they also pay for themselves when you are trying to track down an
incident, or the latest outbreak of "name_your_worm".  For instance, in the
recent round of the MS SQL Server worm, "Slammer", we used our IDS to track
the flow of the worm within the company and were able to eradicate the worm
within minutes.  Without the IDS in place, we most likely would not have known
the worm had even penetrated our networks for hours.  If you compare that
to Code Red, where we spent many man-hours trying to secure our networks,
which we have a cost associated with, we can show a significant savings by
having IDS to identify the Slammer worm.

I see several flaws in your article as well.  Such as "A taxing
incident-response process".  Surely, incidents must only happen with IDS
systems??  Incidents occur whether you have an IDS or not, and if you don't,
good luck trying to reconstruct the event using a firewall only.
"An inability to monitor traffic at transmission rates greater than 600
megabits per second".  Hmm..., there aren't many organizations out there
going above 600 Mb/s, and if so, I can think of several solutions that can
deal with these speeds with ease, not to mention the fact that this speed will
not matter to my host-based IDS.
"Firewalls are the most-effective defense against cyberintruders on the
network, and they are becoming increasingly better at blocking network-based
attacks," said Stiennon.  Please... you can walk right through most
firewalls without an issue.  The market leader in firewalls is not an
application firewall, so I can tunnel anything through port 80.  Yes, they
have a newly built-in defense, but only with about 20 attacks they look for,
not to mention they can barely perform at gig speeds, so if they can't, why
would I need an IDS that can?  Keep in mind that if your firewall is
blocking attacks, then it must look for them, which means in retrospect it
is performing intrusion detection analysis on the traffic.  Do you think a
firewall will be able to look for thousands of variations of attacks and
still route traffic effectively at gig speeds?  That's probably why they
limit the number of signatures they have in their defense.
". . . vendors are now hyping intrusion prevention systems, which have also
stalled," said Richard Stiennon, research vice president for Gartner.
Isn't a firewall running some packet-level IDS inspection performing IPS?
Isn't that what you are trying to push?  Then how can IPS be failing?  A
firewall with, say, SmartDefense is really IPS, is it not?

They didn't even mention inline IDS systems such as Hogwash, RealSecure
Guard, etc.  Funny how one organization can change the landscape with such
an article.
As previously mentioned, my organization pays to hear the thoughts of
Gartner, no matter how (in)accurate they may be... hook, line and sinker.

Bob
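Bob's point about using the IDS to "track the flow of the worm within the company" is the kind of thing that is easy to say and rarely shown. The following is an added example, not part of Bob's message or of any product discussed in this thread. It reconstructs a Slammer-style spread from flow records: the only worm-specific facts it relies on are that Slammer propagated as a single UDP datagram to port 1434 (the MS SQL Server Resolution Service) with a 376-byte payload. The flow-log format, the sample records, the fan-out threshold and the host addresses are all constructed for illustration.

```python
"""Reconstruct a worm's spread inside a network from flow records.

Added example (not from the original thread). Slammer facts used:
UDP, destination port 1434, 376-byte payload. Everything else (the
"<epoch> <src> -> <dst> <proto>/<dport> <payload_len>" log format, the
fan-out threshold, the addresses) is an assumption made for the demo.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SLAMMER_PORT = 1434           # MS SQL Resolution Service (UDP)
SLAMMER_PAYLOAD_LEN = 376     # size of the Slammer datagram payload
FANOUT_THRESHOLD = 20         # assumed: distinct targets before we call a host a scanner

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>tcp|udp)/(?P<dport>\d+)\s+(?P<plen>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    payload_len: int


def parse_flow(line):
    """Parse one constructed-format flow line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(float(m["ts"]), m["src"], m["dst"], m["proto"],
                int(m["dport"]), int(m["plen"]))


def is_slammer_like(f):
    """Legitimate SSRP queries to UDP/1434 are tiny; the worm datagram is 376 bytes."""
    return f.proto == "udp" and f.dport == SLAMMER_PORT and f.payload_len == SLAMMER_PAYLOAD_LEN


def find_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Return {src: first_ts} for hosts that sprayed Slammer-like datagrams
    at `threshold` or more distinct destinations (i.e. infected hosts)."""
    dests = defaultdict(set)
    first = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if is_slammer_like(f):
            dests[f.src].add(f.dst)
            first.setdefault(f.src, f.ts)
    return {src: first[src] for src, d in dests.items() if len(d) >= threshold}


def infection_chain(flows, scanners):
    """For each scanner, the earliest Slammer-like datagram it received from
    another scanner before it began scanning: its likely parent. None means
    we saw no internal parent (patient zero, or infection came from outside)."""
    ordered = sorted(flows, key=lambda f: f.ts)
    chain = {}
    for host, start in scanners.items():
        parent = None
        for f in ordered:
            if f.ts >= start:
                break
            if is_slammer_like(f) and f.dst == host and f.src in scanners:
                parent = f.src
                break
        chain[host] = parent
    return chain


def analyze(lines):
    """Return [(first_scan_ts, host, parent_or_None)] in infection order."""
    flows = [f for f in map(parse_flow, lines) if f]
    scanners = find_scanners(flows)
    chain = infection_chain(flows, scanners)
    return sorted((ts, host, chain[host]) for host, ts in scanners.items())


def constructed_log():
    """Constructed sample flow records: three internal hosts infected in
    sequence, plus benign noise that must not be flagged."""
    lines = []
    # patient zero 10.1.2.3 starts spraying at t=100; one target is 10.1.5.7
    for i in range(30):
        dst = "10.1.5.7" if i == 4 else f"198.51.100.{i + 1}"
        lines.append(f"{100.0 + i * 0.01:.2f} 10.1.2.3 -> {dst} udp/1434 376")
    # 10.1.5.7 picks it up and starts at t=101.5; one target is 10.1.9.9
    for i in range(25):
        dst = "10.1.9.9" if i == 2 else f"203.0.113.{i + 1}"
        lines.append(f"{101.5 + i * 0.01:.2f} 10.1.5.7 -> {dst} udp/1434 376")
    # 10.1.9.9 starts at t=103
    for i in range(22):
        lines.append(f"{103.0 + i * 0.01:.2f} 10.1.9.9 -> 192.0.2.{i + 1} udp/1434 376")
    # benign noise: a 1-byte SSRP query, SQL over TCP/1433, web, and one
    # stray worm datagram from a host that never fans out
    lines += ["99.00 10.1.7.7 -> 10.1.2.3 udp/1434 1",
              "100.50 10.1.7.7 -> 10.1.2.3 tcp/1433 120",
              "102.00 10.1.8.8 -> 10.1.2.3 udp/1434 376",
              "102.10 10.1.8.8 -> 93.184.216.34 tcp/80 512"]
    return lines


if __name__ == "__main__":
    for ts, host, parent in analyze(constructed_log()):
        print(f"{ts:8.2f}  {host:<10}  infected by {parent or '(unknown/outside)'}")
```

The two signals that matter here are payload size (to separate worm datagrams from ordinary one-byte SSRP queries on the same port) and fan-out per source (to separate an infected host from a host that merely received or forwarded one packet). A firewall log that records only allowed/denied would give you neither, which is the reconstruction problem Bob is describing.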

----- Original Message ----- 
From: <broyds () rogers com>
To: "Anton Chuvakin" <anton () chuvakin org>; <focus-ids () securityfocus com>
Sent: Friday, June 13, 2003 3:48 PM
Subject: Re: Rather funny; looks like page defacement to me


In general, they are perfectly correct.
Most IDS installations are very expensive packet sniffers because most
installations know so little about their enterprise network that they are
unable to tune it in any meaningful way or design and place the sensors to
monitor meaningful traffic.
   I am not saying the IDS are always useless, but they are most useful as
part of a well designed network that partitions traffic so that there is a
good baseline understanding of what traffic should appear on each segment.
   Interestingly, they denigrate Intrusion Prevention Systems and hail
firewalls, when an IPS is really a firewall with a dynamically generated rule
set. Most of us would agree that an internal office network requires a
firewall between it and the Internet. The firewall normally only has a
static rule set that basically only guarantees that TCP virtual circuits
have correct TCP semantics and, for application gateways, that the traffic
follows the protocol RFC.  Most attacks these days are not at the layer
2/layer 3 level guarded by a firewall, but at layer 7 or above, using the
fact that application protocols like HTTP, FTP, SMTP etc. have enough holes
in them that a perfectly standards-conforming stream can be used to attack a
host at the end of the stream.
  Most IDS are still installed by people who don't even understand TCP/IP,
let alone HTTP, or the proprietary stuff coming from Real Networks or
Microsoft. How are they going to properly tune an IDS to avoid wasting a lot
of time and effort on false positives or, conversely, ignoring everything so
the IDS has no teeth?
  So most IDS systems are a waste of money. They may be useful if they are
installed by a MSSP who actually understands security, but not by the
average sysadmin handed another box and told to install the IDS because the
auditors say we need one.


From: Anton Chuvakin <anton () chuvakin org>
Date: 2003/06/13 Fri AM 11:29:51 EDT
To: focus-ids () securityfocus com
Subject: Rather funny; looks like page defacement to me

All,

This link was posted on the snort site. I figured I'd send it to the list,
since it's a fascinating read.

http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp

My first impression was that it is a page defacement, so outrageous are some
of the claims. For instance, did you know that IDS actually _cause_ incident
response to happen? :-) Or this gem: "Money Slated for Intrusion
Detection Should Be Invested in Firewalls"?

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org



-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities
- including intrusion identification, relevancy, direction, impact and
analysis
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges,
and Requirements" at:
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------



-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------