IDS mailing list archives
RE: Recent anti-NIDS Gartner article
From: "Hall, Andrew (DPRS)" <AndrewR.hall () aph gov au>
Date: Thu, 19 Jun 2003 09:13:46 +1000
Question: how many SOHO or SME clients have the money to purchase both a suitable inline IDS and pay to have a suitable admin set it up and maintain it? They are either going to end up with a very open sig set which is really adding little functionality, or a sig set which will block heaps of legitimate traffic.

I argue that a traditional IDS gives you three main things ... trending, forensics and event notification ... all of which an SME/SOHO client will not be able to take advantage of. They probably will not look at the events/logs themselves, or understand them for that matter. Again, they will not spend the $$ to have someone else come in and interpret the logs either. Chances are as well that they will not even keep their logs, so there is little forensic and post-event analysis possible.

IDS vendors need to target those markets which will spend the time and money to do IDS properly ... and I do not believe that the SOHO/SME market is a suitable market for this. If the SOHO/SME market truly wants IDS, then they should look to the managed security provider.

I argue that the future for IDS is with MSPs / large gateways who have the economy of scale in deployment, monitoring, skill sets and vendor relationships. It is in these MSP / large gateway environments that sniff and tap IDSs will still be of use for gathering data used for trending and forensic purposes - and who have the power to analyse and produce something useful from these tools.

Overall, I argue that the technology is still a fair way off until you could safely drop an inline IDS into a relatively unmanaged network and expect it to work with little money and little administration cost.
Andrew

-----Original Message-----
From: Srinivasa Rao Addepalli [mailto:srao () intotoinc com]
Sent: Thursday, 19 June 2003 4:05 AM
To: Srinivasa Rao Addepalli; focus-ids () securityfocus com
Subject: Re: Recent anti-NIDS Gartner article

After seeing this article, I got several requests on what I think about this article (press release) and the applicability of IDSes in different market segments. So, I thought I would expand on my previous email.

IDSes which sniff or tap off the network have several disadvantages:
- They might miss detection of exploits/attacks/intrusions.
- There are too many ways to bypass detection.
- They need expensive hardware for good performance and detection rate.

Due to this, these might not survive in the SOHO and SME market segments. But I feel inline IDSes are a good bet for the SOHO and SME segments, and since all the traffic passes through them, there is no issue of missing packets or data. I also think that when enhanced with protection (dropping packets or connections) capability, they are more attractive to this market segment. Today, IDSes can be configured to inform the firewall, but I don't think anybody seriously thinks that this solves all the problems. Having protection capability within the IDS provides more control or more accurate protection.

My opinion is that 'tap or sniff IDSes' may not survive longer (except in some minor market segment) and they will probably be replaced with inline IDSes or inline IDS/IPSes.

Srini
Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com

----- Original Message -----
From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
To: <focus-ids () securityfocus com>
Sent: Tuesday, June 17, 2003 8:32 PM
Subject: Recent anti-NIDS Gartner article
One of the primary goals of IDSes (inline or otherwise) is to detect the intention of intrusions. Yes, it is true that firewalls with application intelligence protect the servers and infrastructure, and they are needed as part of a comprehensive security solution. I understand from the report that more resources in the IS department are required to analyze the attacks. It is also true that today IDSes generate too many logs which turn out to be either false positives or logs that are not applicable for that environment. Unless these problems are fixed, IDSes will die out over time.

IDS technology has greatly improved in recent times, with more and more IDS products coming out with application intelligence. These reduce the false positives. But the other problem that needs to be fixed is specific to the deployment environment. IDSes should be flexible enough to be tunable by the users, such as deletion of unwanted signature rules, modification of signature rules, setting up typical characteristics of traffic, etc. This might sound like a need for IT resources, but the effort it takes to analyze unwanted logs is significantly higher.

Thank you for your time.

Srini
Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------