IDS mailing list archives

RE: IDS vs. IPS deployment feedback


From: "Andrew Plato" <andrew.plato () anitian com>
Date: Tue, 11 Apr 2006 08:53:18 -0700

As I said to Alan: we all sell what we know. 

I sell what I know. You sell what you know. Commercial, open source,
closed, open, lost, found, black, white - whatever. Organizations should
pick the best solution for their environment. 

That much said, I realize it is pretty much high treason to speak badly
of an open source product on the Internet. I have angered the Gods of
Open Source before. This time is no different. 

An unanalyzed IDS/IPS isn't very useful. That is the core problem.
Without analytical capability, the value and effectiveness of any
security product is reduced. 

Many organizations have scant IT resources. As such, any technology that
has significant resource requirements is usually passed over for those
that can simplify security while extending the capability of a small IT
staff. Nobody is arguing the technical merits of Snort, but it's an
established fact that it tends to be more resource intensive than its
commercial partners. This is true of all open source products. They tend
to be more "raw." 

That is why there are COMMERCIAL companies, like yours Eric and like
SourceFire that have made Snort more palatable to enterprises. In this
sense, you are no different than 3com, McAfee, ISS, etc. You're simply
making a technology easier to use.  

Eric, you and Alan are no different than me. You're just hawking a
different product. Doesn't matter if the sensor is Snort or Proventia.
You sell what you know, I sell what I know. 

Furthermore, the "I can see a signature so it's better" argument just
doesn't fly at a lot of businesses. Again, most IT people do not have
the time to analyze and write signatures. Just as companies outsource
their PC manufacturing, phone centers, and Internet connection - they
outsource their security protections. They trust a commercial vendor to
handle this problem. I can't see the jet fuel Delta puts in a
plane, but I trust Delta to use real jet fuel. So, I can trust Delta
with my life, but I can't trust ISS or McAfee to write an IPS signature? 

Yeah. Whatever. 

If you feel better seeing the signatures and their content, then by all
means - get thee to a Snort box. But, for many IT groups, this just
isn't a significant selling point. Ease of use, timeliness of new
signatures and reliability are typically more important factors. 

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security



-----Original Message-----
From: Eric Hines [mailto:eric.hines () appliedwatch com] 
Sent: Monday, April 10, 2006 3:13 PM
To: Alan Shimel
Cc: Andrew Plato; 'Will Metcalf'; focus-ids () securityfocus com; Applied
Watch Development; sales () appliedwatch com
Subject: Re: IDS vs. IPS deployment feedback


I agree with Alan here.

Andrew, I've watched several of your posts now over the past months and
on several occasions bit my tongue, but I do have to step up here. You
represent several COTS (Commercial off-the-shelf) IPS vendors and have
admitted to, so please be careful when posturing them against open
source tools such as Snort -- know what you're talking about when it
comes to Snort's capabilities if you are going to make claims as to what
it's unable to do when compared to COTS solutions.

