RE: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor

[FinAckSyn <finacksyn () yahoo co uk>]

Since when has an inline IDS become an IPS, or am I
missing something?
IDS vendors are really confusing the market by using
IPS terminology.
An inline IDS does partially fulfil the definition of
an IPS, by using signatures to protect against known
exploits, but what about all the other stuff an IPS
does, like:
 
1. Anomaly detection / protocol validation
2. DOS protection
3. Stateful firewall
 
An IPS is a xth generation firewall, and not a 2nd
generation IDS.  An IDS only solves part of the
problem that a network IPS is trying to address.
I know this is all marketing speak, but it's confusing
the technical community here, and decent IPS products
are being thrown into the same bin as inline-IDS
'IPSes' and being discarded as stillborn technology,
when they're clearly not.
My company suffered severe downtime having deployed an
inline-IDS, that was touted to provide zero-day
protection against the worm that got straight through
it.  The Security Manager lost his job for putting his
complete faith in a market-leading IDS vendor who told
him that their latest and greatest solution would
defend against such things.
We have since re-evaluated our security
infrastructure, and put things in their correct
places.  The IDS is on the inside, in passive mode,
whereas the IPS is outside the firewall, ensuring the
entire network is protected.
Although it's OK to put an IDS inline, don't expect it
to offer 100% protection, and at least compliment the
IDS with dedicated upstream IPS technology.
 
Matthew
--- "Gary Halleen (ghalleen)" <ghalleen () cisco com>
wrote:

> The IDS-4250, with 5.0 or later code on it, will
> function as either an
> IDS, or an IPS, or both.
>
> Multiple Cisco 4200-series sensors can be clustered
> through etherchannel
> load-balancing to scale throughput, as well as
> provide failure
> protection, if your needs change.  This is available
> both in passive
> mode (IDS) and inline modes (IPS). 
>
> Gary
>
>
> -----Original Message-----
> From: Tim Holman [mailto:tim_holman () hotmail com] 
> Sent: Thursday, October 13, 2005 4:32 AM
> To: Jonathan Gauntt; focus-ids () securityfocus com
> Subject: Re: Cisco IDS 4250 vs Sourcefire IS3000 +
> RNA Sensor
>
> Hi Jonathan,
>
> Wouldn't you rather block bad traffic, rather than
> detect it?
> Most companies are moving away from IDS as a
> protection mechanism,
> because:
>
> 1)  It only detects, and doesn't effectively block
> intrusions
> 2)  Problems with false positives, as by using
> pattern matching
> signatures, there is always a chance that these
> patterns also appear in
> valid traffic
> 3)  Management overheads.  An IDS can only be a
> reasonably effective
> prevention method if there is someone on hand 24/7
> to monitor logs and
> take immediate action on intrusions.  Even then ,
> the intrusion has got
> in, as admins very rarely use the active blocking
> features of an IDS
> (namely sending RST packets to kill connections, or
> modifying upstream
> ACLs), as these are too likely to have an effect on
> valid traffic
> 4)  There is absolutely no protection for rate-based
> attacks (SYN, TCP,
> UDP
> floods)
> 5)  Without maintaining a L3/4 connection/state
> table, there is no way
> an IDS can be truly stateful.  100% statefulness
> means that everything
> from the initial SYN to the final RST/FIN packet of
> a connection is
> stored in a connection table.  This requires the
> device to be INLINE,
> and operating at L3.  This is the only way a
> protection device can
> provide effective defence against L3 attacks.  An
> offline IDS cannot do
> this.
>
> I would recommend looking at IPS products instead,
> so something that you
> can postion inline and get immediate value from.
> If you feel the Cisco IDS is getting a little tired,
> then an IPS will
> also help take the load off it, by getting rid of
> Internet white noise,
> providing additional firewall filtering, and also
> defence against
> rate-based attacks.
> A true IPS will focus on defining what is GOOD
> traffic, and assuming all
> else is BAD (and dropping it).  By doing this,
> zero-day attacks can be
> virtually be eliminated, as they all ultimately rely
> on abuse of a valid
> protocol in the hope of slipping past your
> protection mechanisms and
> onto your network.
> This works quite well in conjucntion with an IDS,
> that focuses on
> searching traffic for badness.
> Replacing like for like (IDS for IDS) is not going
> to give you much
> value, and even the market analysts are recommending
> against it.
> IDS isn't dead.  Far off it, but use it for what
> it's good for -
> DETECTION and FORENSICS, and not as a device that
> can insure your
> network against rate-based and zero-day attacks.
>
> Regards,
>
> Tim
>
>
>
> ----- Original Message -----
> From: "Jonathan Gauntt" <jon0966 () yahoo com>
> To: <focus-ids () securityfocus com>
> Sent: Wednesday, October 12, 2005 5:57 PM
> Subject: Cisco IDS 4250 vs Sourcefire IS3000 + RNA
> Sensor
>
>
> > Hi,
> >
> > We are currently running a Cisco IDS 4250 that
> monitors our internal
> > traffic.  We essentially use this device for
> historical reporting
> because 
> > we
> > are a medical oriented facility with at least 100
> 3rd party
> connections to
> > us besides the 8000 employees.
> >
> > I am considering upgrading the Cisco IDS 4250 to
> the XL to handle
> higher
> > throughput but have been evaluating the Sourcefire
> IS300 and their RNA
> > sensor.
> >
> > I have the ability to purchase the Sourcefire unit
> or upgrade the
> 4250.
> > Sourcefire claims that they are superior with
> state full IDS
> inspection 
> > and
> > an overall better product.
> >
> > Does anyone have any thoughts on these two
> products?  I have about
> $100k 
> > in
> > my budget to spend.
> >
> > Thanks,
> >
> >
> > Jonathan
------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
------------------------------------------------------------------------
> >
------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
------------------------------------------------------------------------
>
------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
------------------------------------------------------------------------
>



        
        
                
___________________________________________________________ 
Yahoo! Messenger - NEW crystal clear PC to PC calling worldwide with voicemail http://uk.messenger.yahoo.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------