IDS mailing list archives
Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor
From: Jason <security () brvenik com>
Date: Fri, 14 Oct 2005 13:48:08 -0400
Tim, you are relentless in your messaging and I fear you fail to get the differences between the two technologies and their applicability after all this time. What is the challenge with understanding that both Cisco and Sourcefire have inline solutions? Sourcefire can even go inline or passive at the click of a button, so I fail to see where your IPS line is headed. Curious, can the Attack Mitigator operate passively or inline? Tim Holman wrote:
> Hi Jonathan, Wouldn't you rather block bad traffic, rather than detect it? Most companies are moving away from IDS as a protection mechanism, because: 1) It only detects, and doesn't effectively block intrusions
It is intended to detect, and this is a very important function. This is especially important when your firewall and IPS fail to do the blocking. Let's not confuse the technologies.
> 2) Problems with false positives, as by using pattern matching signatures, there is always a chance that these patterns also appear in valid traffic
This has been covered in depth here on list, with you, and others many times. Nothing about an IPS ensures there are no false positives. These false positives are far worse with an IPS as well since they then block valid traffic. If you are not running them in blocking mode then why have them?
> 3) Management overheads. An IDS can only be a reasonably effective prevention method if there is someone on hand 24/7 to monitor logs and take immediate action on intrusions. Even then, the intrusion has got in, as admins very rarely use the active blocking features of an IDS (namely sending RST packets to kill connections, or modifying upstream ACLs), as these are too likely to have an effect on valid traffic
This is exactly why technology like RNA is important. Solutions like the Toplayer product have no situational awareness, are not capable of making decisions on what they see in the context of the business they are operating and have no capability for escalating things when it does get bad. A point solution like Attack Mitigator completely misses the problem.
> 4) There is absolutely no protection for rate-based attacks (SYN, TCP, UDP floods)
There should be no _protection_ in a _detection_ device. Rate-based DoS detection is archaic and should be easily handled by any number of routing and firewalling technologies. At the end of the day the challenge is one of resources and not technology. Someone with the capability to shoot 45,000 SYNs a second will win if you only have a T1.
> 5) Without maintaining a L3/4 connection/state table, there is no way an IDS can be truly stateful. 100% statefulness means that everything from the initial SYN to the final RST/FIN packet of a connection is stored in a connection table. This requires the device to be INLINE, and operating at L3. This is the only way a protection device can provide effective defence against L3 attacks. An offline IDS cannot do this.
If you have an IDS that cannot maintain these state tables then you really need to think harder. That you believe that only a L3 device inline can handle this challenge is interesting. Why not L2? What about operating at any layer above L3? Why does it have to be inline to maintain full state? If the implication is that passively you cannot _know_ that you have all the relevant data I will simply point you back to the many tests that show you can if you size things appropriately. IPS is not the end all solution you routinely position it to be and I would appreciate not having to look at your flawed marketing over and over again.
> I would recommend looking at IPS products instead, something that you can position inline and get immediate value from. If you feel the Cisco IDS is getting a little tired, then an IPS will also help take the load off it, by getting rid of Internet white noise, providing additional firewall filtering, and also defence against rate-based attacks.
Jonathan, please look at the historical threads on this exact topic. Google "focus-ids tim holman toplayer": http://www.google.com/search?q=focus-ids+tim+holman+toplayer I am sure it will save all of us the time of having to recant it yet again.
> A true IPS will focus on defining what is GOOD traffic, and assuming all else is BAD (and dropping it). By doing this, zero-day attacks can virtually be eliminated, as they all ultimately rely on abuse of a valid protocol in the hope of slipping past your protection mechanisms and onto your network. This works quite well in conjunction with an IDS, that focuses on searching traffic for badness. Replacing like for like (IDS for IDS) is not going to give you much value, and even the market analysts are recommending against it. IDS isn't dead. Far off it, but use it for what it's good for - DETECTION and FORENSICS, and not as a device that can insure your network against rate-based and zero-day attacks. Regards, Tim
> Yes, I do work for one of the vendors mentioned.
> ----- Original Message -----
> From: "Jonathan Gauntt" <jon0966 () yahoo com>
> To: <focus-ids () securityfocus com>
> Sent: Wednesday, October 12, 2005 5:57 PM
> Subject: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor
>
> Hi, We are currently running a Cisco IDS 4250 that monitors our internal traffic. We essentially use this device for historical reporting because we are a medical-oriented facility with at least 100 3rd party connections to us besides the 8000 employees. I am considering upgrading the Cisco IDS 4250 to the XL to handle higher throughput but have been evaluating the Sourcefire IS300 and their RNA sensor. I have the ability to purchase the Sourcefire unit or upgrade the 4250. Sourcefire claims that they are superior with stateful IDS inspection and an overall better product. Does anyone have any thoughts on these two products? I have about $100k in my budget to spend. Thanks, Jonathan
>
> ------------------------------------------------------------------------
> Test Your IDS
> Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
> ------------------------------------------------------------------------
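The disputed point above (whether a passive sensor can hold full connection state from the first SYN to the closing FIN/RST, and what rate-based detection looks like in a detection-only device) can be shown concretely. The following is an added illustration written for this archive page; it is not code from Cisco, Sourcefire, Top Layer or any poster. It feeds a constructed packet trace (timestamps, IP addresses and ports are made up) through a small connection table built only from observed packets, so nothing here sits inline, and counts SYNs per source over a sliding window. It also counts packets for flows whose SYN was never seen, which is the check a practitioner uses to decide whether a tap or SPAN port is dropping traffic and the sensor is undersized.

```python
"""Passive TCP connection-state tracking and SYN-rate detection over a
constructed packet trace. Added illustration; not code from any product
named in the thread. Addresses, ports and thresholds are assumptions."""
from collections import defaultdict, deque

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection share one entry."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


class PassiveTracker:
    """Connection table built only from packets copied off a tap or SPAN port.

    Every transition from the first SYN through the closing FIN/RST is
    recorded, so full statefulness does not require an inline device.
    """

    def __init__(self, syn_window=1.0, syn_threshold=100):
        self.table = {}                       # flow_key -> {state, initiator, fins}
        self.syn_times = defaultdict(deque)   # source ip -> recent SYN timestamps
        self.syn_window = syn_window          # seconds of history kept per source
        self.syn_threshold = syn_threshold    # SYNs per window that raise an alert
        self.midstream = 0                    # packets for flows whose SYN was never seen
        self.alerts = []                      # (ts, src, syn_count_in_window)

    def observe(self, ts, src, sport, dst, dport, flags):
        key = flow_key(src, sport, dst, dport)
        conn = self.table.get(key)

        if flags & SYN and not flags & ACK:
            # A bare SYN opens (or reopens) a flow and feeds the rate counter.
            self._note_syn(ts, src)
            self.table[key] = {"state": "SYN_SENT",
                               "initiator": (src, sport), "fins": set()}
            return "SYN_SENT"

        if conn is None:
            # No SYN on record: the tap dropped it or the sensor started
            # mid-connection. Counted so capacity problems are visible.
            self.midstream += 1
            return "MIDSTREAM"

        if flags & RST:
            conn["state"] = "CLOSED"
        elif flags & SYN and flags & ACK and conn["state"] == "SYN_SENT":
            conn["state"] = "SYN_RECV"
        elif flags & FIN:
            # Half-close from one side, fully closed once both sides send FIN.
            conn["fins"].add((src, sport))
            conn["state"] = "CLOSED" if len(conn["fins"]) == 2 else "CLOSING"
        elif (flags & ACK and conn["state"] == "SYN_RECV"
              and (src, sport) == conn["initiator"]):
            conn["state"] = "ESTABLISHED"
        return conn["state"]

    def _note_syn(self, ts, src):
        q = self.syn_times[src]
        q.append(ts)
        while q and ts - q[0] > self.syn_window:
            q.popleft()
        if len(q) > self.syn_threshold:
            self.alerts.append((ts, src, len(q)))

    def state(self, src, sport, dst, dport):
        conn = self.table.get(flow_key(src, sport, dst, dport))
        return conn["state"] if conn else None


def replay(tracker, packets):
    """Feed (ts, src, sport, dst, dport, flags) tuples; return the state trail."""
    return [tracker.observe(*p) for p in packets]


# Constructed trace: one complete client/server connection, then a SYN flood.
HANDSHAKE_AND_CLOSE = [
    (0.00, "10.0.0.5", 40000, "10.0.0.9", 443, SYN),
    (0.01, "10.0.0.9", 443, "10.0.0.5", 40000, SYN | ACK),
    (0.02, "10.0.0.5", 40000, "10.0.0.9", 443, ACK),
    (0.50, "10.0.0.5", 40000, "10.0.0.9", 443, ACK),        # data segment
    (1.00, "10.0.0.5", 40000, "10.0.0.9", 443, FIN | ACK),
    (1.01, "10.0.0.9", 443, "10.0.0.5", 40000, FIN | ACK),
    (1.02, "10.0.0.5", 40000, "10.0.0.9", 443, ACK),
]

# 150 SYNs from one source in 0.75 s, well over the 100-per-second threshold.
SYN_FLOOD = [(2.0 + i * 0.005, "203.0.113.7", 1024 + i, "10.0.0.9", 80, SYN)
             for i in range(150)]

if __name__ == "__main__":
    t = PassiveTracker()
    print(replay(t, HANDSHAKE_AND_CLOSE))
    replay(t, SYN_FLOOD)
    print("SYN-rate alerts:", len(t.alerts), "midstream packets:", t.midstream)
```

The state trail for the clean connection runs SYN_SENT, SYN_RECV, ESTABLISHED, CLOSING, CLOSED without the sensor ever forwarding a packet, which is the passive-statefulness point Jason makes; the midstream counter is the number to watch when deciding whether the sensor is sized for the link.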