IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to choose an IDS/FW MSS provider

From: "David W. Goodrum" <dgoodrum () nfr com>
Date: Wed, 16 Mar 2005 16:25:38 -0500
Martin Roesch wrote:


A few comments:
1) Open "signatures" are about trust, if people have no idea why or how and IDS is doing what it's doing then when the false positives inevitably pop up the user has absolutely no clue what has happened. I find that to be one of the most annoying things about using other people's IDS technologies, their opaqueness drives a constant nagging doubt that the system is configured and working properly. IMO that's one of the reasons that Snort is as popular as it is, people know how and why it does what it does (for better or worse) and the transparency allows them a certain level of comfort that they're in control of and can trust the system instead of the other way around.
Actually Marty, I think the reason Snort is so popular is because it's freely available, not becuase your signatures are open. I can tell you that NFR does not have nearly the userbase that Snort has, and yet, our signatures are openly readable... The difference? NFR is not a free product. Back in pre-2000, when NFR had the research and development version of the product available for free, we had a ton of downloads of the free product. It had nothing to do with the open signature language we use... it was simply the fact that it was free.
2) If a "signature" is written properly then evading it will be non-trivial. This all falls into the "writing the signature for the vulnerability instead of the exploit" thing that we argue about around here from time to time. I don't think knowing what someone is looking for does a whole lot if there's no way to avoid tripping it in the course of an exploit.
3) Snort has had 2 remote exploits (buffer overflow and integer overflow leading to heap overflow on certain platforms) and a 2-3 DoSes due to protocol handler mistakes in 6.5 years. ISS has had at least that many over the years and a resultant worm to boot. Did being closed really help them all that much? I think that developing in the open forces us to be a little more careful than we might otherwise be, but I think that over time being open leads to a more secure codebase due to the exposure to the "elements" that it entails.
I agree with your comments about writing good signatures. We released a whitepaper a couple of years back in an effort to teach people how to write good signatures using the NFR product, and even though we've had our signatures openly readable since day 1, we've never had a remote exploit. (well okay, we didn't actually have signatures on day 1, but you know what i mean. ;) ) 


Anyway, just my $0.02, hope it was interesting.

     -Marty

On Mar 12, 2005, at 8:54 AM, David W. Goodrum wrote:
I think it's interesting how this is an unwinnable argument for any vendor. At NFR our signatures are openly readable by our customers, but we've heard the exact opposite argument of what you are presenting here: "A potential hacker can read how the signatures work, and use that information to try to evade the IDS". So, if we appeased them, we'd close our signature base, and then we'd be hearing it from the other side of the house. This is a no-win situation for the vendor. We've tried to appease both sides by not having our sigs "publicly" available, but all a really determined hacker has to do is buy our product to read the signatures. So, before you ask ISS to release their codebase for their signature set, you might want to think about what the full consequences of that would be. Snort has had 2 or 3 remote exploits. The only reason this was possible is because their entire product is totally open to the world. I doubt ISS wants to open themselves up to that type of publicity. :) 

-dave

Jeff Boggie wrote:
No, the lack of visibility into ISS signature content is a major bone of 
contention in my shop.

-----Original Message-----
From: Brady, Rick [mailto:Rick.Brady () LibertyMutual com] Sent: Wednesday, March 09, 2005 5:08 PM 
To: Melih Kirkgöz (Koç.net); Stephane; focus-ids () securityfocus com
Subject: RE: How to choose an IDS/FW MSS provider


Melih,
I guess you must be special to ISS, from my experience the support has been sub-par. Also do you like the idea that ISS IDS signatures are not known to 
the customer and only ISS ?
Rick Brady
Liberty Mutual Group
I/S TSSS Engineering Network Access Control
mailto:rick.brady () libertymutual com
(603) 245-4214   8-435-4214sdn
-----Original Message-----
From: Melih Kirkgöz (Koç.net) [mailto:melihk () koc net] Sent: Tuesday, March 08, 2005 2:22 AM 
To: Stephane; focus-ids () securityfocus com
Subject: RE: How to choose an IDS/FW MSS provider
Importance: High

Hello Stephane,
We have been using ISS since last two years.(50 Server Sensor,15 Network 
Sensor,1 Proventia G 100 IPS),managed by SiteProtector. We tested
Netscreen,ISS,Radware,NAI Intrushield and Checkpoint during our evaluation period for intrusion detection/prevention systems. Strong level of expertise 
and good technical support was one of the big reasons choosing ISS.

-----Original Message-----
From: Stephane [mailto:stephane.d () ecologie net] Sent: Monday, March 07, 2005 12:42 PM 
To: focus-ids () securityfocus com
Subject: How to choose an IDS/FW MSS provider

Dear All,
How do I choose an IDS/IPS provider if I need a strong level of expertise 
24x7x365 and a worldwide representaion? I need it on Netscreen, PIX,
CheckPoint and ISS Realsecure and Proventia.

Thank you,

S.
---------------------------------------------------------------------- ---- 
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
---------------------------------------------------------------------- ---- ______________________________________________________________________ ______ _________________________________________________________________ Bu e-posta mesaji kisiye ozel olup, gizli bilgiler iceriyor olabilir. Eger bu e-posta mesaji size yanlislikla ulasmissa, icerigini hic bir sekilde 
kullanmayiniz ve ekli dosyalari acmayiniz. Bu durumda lutfen e-posta
mesajini kullaniciya hemen geri gonderiniz  ve  tum kopyalarini mesaj
kutunuzdan siliniz. Bu e-posta mesaji, hic bir sekilde, herhangi bir amac icin cogaltilamaz, yayinlanamaz ve para karsiligi satilamaz. Bu e-posta mesaji viruslere karsi anti-virus sistemleri tarafindan taranmistir. Ancak 
yollayici, bu e-posta mesajinin - virus koruma sistemleri ile kontrol
ediliyor olsa bile - virus icermedigini garanti etmez ve meydana gelebilecek zararlardan dogacak hicbir sorumlulugu kabul etmez. This message is intended solely for the use of the individual or entity to whom it is addressed , and may contain confidential information. If you are 
not the intended recipient of this message or you receive this mail in
error, you should refrain from making any use of the contents and from
opening any attachment. In that case, please notify the sender immediately and return the message to the sender, then, delete and destroy all copies. This e-mail message, can not be copied, published or sold for any reason. This e-mail message has been swept by anti-virus systems for the presence of computer viruses. In doing so, however, sender cannot warrant that virus or other forms of data corruption may not be present and do not take any responsibility in any occurrence. ______________________________________________________________________ ______ 
_________________________________________________________________
---------------------------------------------------------------------- ---- 
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ---------------------------------------------------------------------- ----
---------------------------------------------------------------------- ---- 
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ---------------------------------------------------------------------- ----
---------------------------------------------------------------------- ---- 
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ---------------------------------------------------------------------- ---- 




--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765
----------------------------------------------------------------------- --- 
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ----------------------------------------------------------------------- --- 




--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. 
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: