Re: IDS vs Application Proxy Firewal & OT list bouncing

["Arian J. Evans" <arian.evans () anachronic com>]

Good points, inline:

On Fri, Oct 24, 2008 at 3:02 PM, alfredhuger () winterhope com
<alfredhuger () winterhope com> wrote:
> Arian,
>
> > Anyway, that said, the behavioral realm
> > is begging to be explored more. I'm surprised
> > none of the vendors have touched it. It
> > seems so promising.
>
> They have, the problem is in finding market applicability.

Yes, but I have seen little to no progress in the mainstream
WAF vendors. And to be fair: they have much more
immediate problems to solve right now with their
current approaches.

But market viability has already been proven.

In fact there was one success in the behavioral "WAF/IDS"
arena few in the security community are aware of. A
product called "Business Signatures" executed quite
well in this problem domain -- though ostensibly not
for the purpose of being a WAF -- and was acquired
by Entrust a few years ago. They had some large
and very happy clients I worked with:

http://www.networkworld.com/news/2006/071906-entrust.html

They took a behavioral learning approach, and
had excellent functionality that could be leveraged
for security after a fashion. I am unsure how Entrust
has/will execute with this technology....but they
must also have seen the promise here to move it
from a webapp business-rules flow-enablement tool
to spin it in a security-focused direction.


> > ps -- unsure if this will make the list. Security
> > Focus has randomly blocked me from some
> > lists but not others, and I have been unable
> > to get the SF list-server admins to respond
> > to email about this for almost TWO YEARS
> > now for some reason.
>
> For a guy who is obviously quite intelligent I'm surprised you've not
> sorted this one out yet. Your posts are certainly well thought out and
> you clearly understand your space well. The gating factor for you ( or
> more precisely, your posts)  is that you litter your posts with
> frenetic vitriol. In an otherwise fantastic post you make two cheap
> (albeit possibly true) shots at vendors in the app firewall/ids space
> and then follow up with a coup de grace at the site your posting
> through. All of this and your surprised your posts fail and the
> moderators ignore you?

<OT>

I would understand if moderation were the problem. My
messages get rejected by the server configs on less than
half the SF lists (which the moderators do not control).
I've had moderators trying to get my posts involved in
dialogue on those lists and are unable to do so because
of what appears to be the SF list-server admins.

I have contributed quite productively to the SF list
community for many years, but at this point I've
kind of thrown up my hands. After two years you
probably would too Alfred.

I have a guess at the technical problem. I know
what changed on my end when the issue started.
A simple reply on whether or not SF is willing to
accept certain mail header configs would suffice.

nota bene: I only take shots at vendors with vitrol
if I can support my statements with facts and real-
world examples, and I have written the vendor off
in a given problem-domain. In most cases it is
intended for comic relief (mine) and it is up to the
reader to chose to appreciate that or not.

The vendors are competing for the dollars of folks
reading this list and since it is hard to find competent,
qualified information on emerging technologies
(or really any since the IT Product Review industry
is dead since print media died) this is a great
medium place for punchy statements.

I am aware of and certianly respect SF's business
case for advertising revenue that would lead them
not to encourage advertiser denigration or emotional
flame wars devoid of fact. But that's not the issue here.

I am pretty sure it is a simple server config issue
that is a 5 minute discussion. I like others who
have been impacted by this have simply taken
our dialogue elsewhere, which is why the list
traffic has died off on some lists I suspect.

As for my opinions on vendors, well....

I have been wrong before.

By contributing my opinions to the public forum
I ask that you put them under your protection,
and allow I may be wrong, YMMV, and I might
need to change my opinion in the future.

In turn I will both always support the right of
anyone in this public dialogue to do the same,
and back up my claims as needed with
reasonable matters of fact and existence,

-- 
-- 
Arian J. Evans.
Solipsistic Software Security Sophist

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------