RE: IPS comparison

["Joseph Hamm" <jhamm () lancope com>]

> Fact is, anomaly detection is so rare that it's almost unexistant in
the commercial products, except for limited forms
> of "protocol anomaly detection" and for Arbor's peakflow technology. 

Not true!  The only reason this space hasn't gotten as much attention
over the last few years is cause everyone was busy buying signature IDS
and now IPS solutions.

Pure Network Anomaly Detection players:
Arbor
Lancope
Mazu
Q1 Labs
(All of these have been around for several years despite the lack of
industry attention to this space. Am I missing any new ones?)

Also, for a recent article on network anomaly detection systems (NADS),
check out this month's Information Security Magazine (cover story).  The
NADS space (this is only the latest acronym used to describe this group
of products), is starting to get more attention and press coverage.  You
will also find some articles that call these products NBAD (Network
Behavior Anomaly Detection) solutions.

Many security companies can detect "anomalies" in some form.  Almost
every security vendor has the word "anomaly" in their marketing
literature.  You need to understand what they mean by an "anomaly" and
how they detect them.  

"protocol anomaly detection" and "network anomaly detection" are two
different things although detecting network anomalies can include
protocol anomalies as well.  An IPS is a point solution, usually has
limited network visibility (unless you spend a fortune and deploy them
everywhere), and can only perform protocol anomaly detection (from what
I've seen).  In order to have the best NADS, you need complete network
visibility and an understanding of what is "normal" on your network.

Rolling out NADS generally requires less appliances than IPS (read less
cost) because one box can gather network info from multiple SPAN ports,
network taps, or get NetFlow/sFlow feeds from remote routers/switches.

Kind regards,
Joe

Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm () lancope com
404.644.7227  (cell)
770.225.6509   (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security
solution, delivers behavior-based intrusion detection, policy
enforcement and insightful network analysis.  Visit www.lancope.com.


-----Original Message-----
From: Stefano Zanero [mailto:s.zanero () securenetwork it] 
Sent: Monday, August 29, 2005 6:01 PM
To: Daniel Cid; Focus-Ids Mailing List
Subject: Re: IPS comparison

Daniel Cid wrote:
> This "anomaly" detection will only detect 0-day exploits for known 
> vulnerabilities.

A zero-day exploit is a curious marketing thing. You suddenly redefine a
difficult problem (catching zero-days) as a rather simpler problem
(create signatures that actually describe the vulnerability, which is
what any signature worth your licensing cost should do).

So, presto!, you can rush up and put out some rather nice marketing
material on it.

Fact is, anomaly detection is so rare that it's almost unexistant in the
commercial products, except for limited forms of "protocol anomaly
detection" and for Arbor's peakflow technology.

Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------