Re: How to choose an IDS/FW MSS provider

["David W. Goodrum" <dgoodrum () nfr com>]

I don't think there's a whole lot of research spent by any IPS vendor on 
creating a good subseven decoder.  It's so old and easy to detect, 
there's little need.  Protocol decoding becomes important when you're 
talking about a legitimate protocol (not subseven, which is a horrible 
example).  Decoding HTTP 1.0/1.1, SMTP, FTP, IRC, etc, becomes extremely 
important in catching zero day attacks.  

You second statement about ease of querying data baffles me a bit.  I 
don't think any of the vendors, that we consider to be competition, make 
anybody write details SQL statements to get to the data.  If you're 
using the product(s) as intended, most vendors will provide a warm fuzzy 
GUI so that you can quickly data mine whatever data you have.  i.e. 
"show me everything against port 80 from 10.0.0.0/20  in the last 2 
weeks"  should be a simple point and click routine.  If it's not, you're 
either using the wrong product, or using the product incorrectly.  NFR 
uses a postgreSQL database at the backend... but our clients aren't 
required to know anything about how to configure postgreSQL.  I believe 
ISS uses MS SQL, but I doubt they make you understand the intricacies of 
that database either.   This type of logic is probably true for most 
real IPS players in the market today.

-dave

Mark Teicher wrote:

> Again, most people compare IDS/IPS vendor for the number of signatures they have in the product and the ability to add 
> them on their own.  Great stuff, interesting, but some IDS/IPS vendors do more than just pattern matching.  This reply 
> is to re-ignite the argument between pattern matching and protocol decodes.  But how many
> SubSeven signatures does one really need?  If I observe a SubSeven attack, it is nice to see the granularity, but the difference in the pattern 
> is very little, essentially it is a SubSeven attack, whether it is real or not, that is for the person to determine, etc.  Whether or not a IDS 
> vendor provides the ability to add signatures is irrelevant, some products have the ability to detect unknowns before there is an update to the 
> product.  Some customers get the warm and fuzzies when they can see "CODE RED" or "SASSER" in their reports, but that 
> doesn't improve the product any better.  What really is needed in most of the products out there, is the ability to query data without 
> learning the ins and outs of SQL queries or futzing with Oracle Client to extract the data that is meaningful.
>
>  
>
> -----Original Message-----
> From: "David W. Goodrum" <dgoodrum () nfr com>
> Sent: Mar 12, 2005 8:54 AM
> To: Jeff Boggie <jeff.boggie () comcast net>
> Cc: "'Brady, Rick'" <Rick.Brady () LibertyMutual com>, 
> 	"'Melih Kirkgöz (Koç.net)'" <melihk () koc net>, 
> 	'Stephane' <stephane.d () ecologie net>, focus-ids () securityfocus com
> Subject: Re: How to choose an IDS/FW MSS provider
>
> I think it's interesting how this is an unwinnable argument for any 
> vendor.  At NFR our signatures are openly readable by our customers, but 
> we've heard the exact opposite argument of what you are presenting 
> here:  "A potential hacker can read how the signatures work, and use 
> that information to try to evade the IDS".  So, if we appeased them, 
> we'd close our signature base, and then we'd be hearing it from the 
> other side of the house.  This is a no-win situation for the vendor.  
> We've tried to appease both sides by not having our sigs "publicly" 
> available, but all a really determined hacker has to do is buy our 
> product to read the signatures. 
>
> So, before you ask ISS to release their codebase for their signature 
> set, you might want to think about what the full consequences of that 
> would be.  Snort has had 2 or 3 remote exploits.  The only reason this 
> was possible is because their entire product is totally open to the 
> world.  I doubt ISS wants to open themselves up to that type of 
> publicity.  :)
>
> -dave
>
> Jeff Boggie wrote:
>
>  
>
> > No, the lack of visibility into ISS signature content is a major bone of
> > contention in my shop.
> >
> > -----Original Message-----
> > From: Brady, Rick [mailto:Rick.Brady () LibertyMutual com] 
> > Sent: Wednesday, March 09, 2005 5:08 PM
> > To: Melih Kirkgöz (Koç.net); Stephane; focus-ids () securityfocus com
> > Subject: RE: How to choose an IDS/FW MSS provider
> >
> >
> > Melih,
> > I guess you must be special to ISS, from my experience the support has been
> > sub-par. Also do you like the idea that ISS IDS signatures are not known to
> > the customer and only ISS ? 
> >
> > Rick Brady
> > Liberty Mutual Group
> > I/S TSSS Engineering Network Access Control
> > mailto:rick.brady () libertymutual com
> > (603) 245-4214   8-435-4214sdn 
> >
> > -----Original Message-----
> > From: Melih Kirkgöz (Koç.net) [mailto:melihk () koc net] 
> > Sent: Tuesday, March 08, 2005 2:22 AM
> > To: Stephane; focus-ids () securityfocus com
> > Subject: RE: How to choose an IDS/FW MSS provider
> > Importance: High
> >
> > Hello Stephane,
> >
> > We have been using ISS since last two years.(50 Server Sensor,15 Network
> > Sensor,1 Proventia G 100 IPS),managed by SiteProtector. We tested
> > Netscreen,ISS,Radware,NAI Intrushield and Checkpoint during our evaluation
> > period for intrusion detection/prevention systems. Strong level of expertise
> > and good technical support was one of the big reasons choosing ISS.
> >
> >
> > -----Original Message-----
> > From: Stephane [mailto:stephane.d () ecologie net] 
> > Sent: Monday, March 07, 2005 12:42 PM
> > To: focus-ids () securityfocus com
> > Subject: How to choose an IDS/FW MSS provider
> >
> > Dear All,
> >
> > How do I choose an IDS/IPS provider if I need a strong level of expertise
> > 24x7x365 and a worldwide representaion? I need it on Netscreen, PIX,
> > CheckPoint and ISS Realsecure and Proventia.
> >
> > Thank you,
> >
> > S.
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from CORE
> > IMPACT. Go to
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > -------------------------------------------------------------------------- 
> > ____________________________________________________________________________
> > _________________________________________________________________ 
> > Bu e-posta mesaji kisiye ozel olup, gizli bilgiler iceriyor olabilir. Eger
> > bu e-posta mesaji size yanlislikla ulasmissa,  icerigini hic bir sekilde
> > kullanmayiniz ve ekli dosyalari acmayiniz. Bu durumda lutfen e-posta
> > mesajini kullaniciya hemen geri gonderiniz  ve  tum kopyalarini mesaj
> > kutunuzdan siliniz. Bu e-posta mesaji, hic bir sekilde, herhangi bir amac
> > icin cogaltilamaz, yayinlanamaz ve para karsiligi satilamaz.  Bu e-posta
> > mesaji viruslere karsi anti-virus sistemleri tarafindan taranmistir. Ancak
> > yollayici, bu e-posta mesajinin - virus koruma sistemleri ile kontrol
> > ediliyor olsa bile - virus icermedigini garanti etmez ve meydana gelebilecek
> > zararlardan dogacak hicbir sorumlulugu kabul etmez.  
> > This message is intended solely for the use of the individual or entity to
> > whom it is addressed , and may contain confidential  information. If you are
> > not the intended recipient of this message or you receive this mail in
> > error, you should refrain from making any use of the contents and from
> > opening any attachment. In that case, please notify the sender immediately
> > and return the message to the sender, then, delete and destroy all copies.
> > This e-mail message, can not be copied, published or sold for any reason.
> > This e-mail message has been swept by anti-virus systems for the presence of
> > computer viruses. In doing so, however,  sender  cannot warrant that virus
> > or other forms of data corruption may not be present and do not take any
> > responsibility in any occurrence. 
> > ____________________________________________________________________________
> > _________________________________________________________________ 
> >
> >
> >
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from 
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> > to learn more.
> > --------------------------------------------------------------------------
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from 
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> > to learn more.
> > --------------------------------------------------------------------------
> >
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from 
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> > to learn more.
> > --------------------------------------------------------------------------
> >
> >
> >
> >    
>
>  

--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------