funsec mailing list archives

RE: so, is I[dp]S a STUPID technology?


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Tue, 11 Oct 2005 16:53:21 -0400

I would have to agree with Paul Schmehl...

Ok, let's start with the statement that Ridgely Evers
makes and Richard Stiennon seconds along with Aviram Jenik:

 "IDS - that has got to be one of the stupidest 
  technology ideas of all time."

I don't know who Aviram Jenik is and I don't know
about his background, so it's a bit hard to make
a proper judgment. However, let's look at who Ridgely Evers
and Richard Stiennon are. Do they really know what they
are talking about? Are they really qualified to make
a statement like that? I claim that they are not. They
are business types that deal with the security technology
at a very high level without a true understanding of its capabilities
and limitations. There's a good chance they don't really understand
what IDS technology is for. That's where Aviram joins these
two guys as well when he says,
'I heard Richard say on more than one occasion "IDS is dead", 
 and almost hugged him for it.'

The phrase "IDS is dead" was popularized by the Gartner Group
when the IPS technology started to emerge. That statement
is really WRONG to begin with because the IPS technology 
is NOT A REPLACEMENT for the IDS technology. The goal of
the IDS technology is to collect as much forensics information
as possible... before, during, and after malicious/unauthorized
activity takes place, while the IPS technology is supposed to
block malicious/unauthorized activity once it's detected.

Anyways, going back to the main statement about IDS...
saying that the IDS technology is one of the stupidest
technology ideas of all time is plain silly just because
it's not 100% effective. Nothing (and I repeat... NOTHING)
in this world is 100% effective. Just because one technology
is not 100% effective doesn't mean it's useless or stupid.

Paul Schmehl said it perfectly... "*No* technology can solve 
*every* problem". That also applies not only to technology,
but to any kind of solution that deals with any kind of problem.

Let's imagine two worlds, one in which IDS/IPS technologies exist
and another in which they don't. If you had to choose one of those
worlds, which one would you choose?

As somebody who deals with IPS technology I also want to comment
on the following statement made by Aviram:

'don't talk to me about IPS, please. Most of the IPS's 
 are just IDS with blocking capabilities which means 
 no one ever puts them in 'blocking' mode by default. 
 The rest are usually so sophisticated their "AI" 
 engines can't even stop an nmap connect scan.'

It shows that Aviram doesn't know much about the IPS
technology, what it's for, and how to use it.
There's no technology that you just
turn on and it works perfectly. Different tools
are used for different tasks. These tools often
need to be properly configured for specific environments.
What's bad in one environment might be normal traffic in another
environment. The flexibility some of those systems
provide is necessary because each environment is different
and unfortunately this technology still needs smart people
to configure it and operate it. 

I'm not saying that all IPS products are perfect. They are
not, but they are still useful tools. 

The statement,
 "Most of the IPS's are just IDS with blocking capabilities
  which means no one ever puts them in 'blocking' mode by default",
is simply not true. It's definitely not based on real world statistics.
While it's true that pretty much most IPS products that use
signature technology or even protocol misuse technology do have
rules that are sometimes disabled or set to detect, the majority
of the IPS rules are usually turned on. It is true that it's
common to deploy IPS products in bypass/detect mode initially,
but it's only the initial phase used to fine-tune the system.

The point I was trying to make is that... nothing is simple
and there's no perfect solution for most of the problems
in this world including security. However, the existence of tools
that help in one way or another is definitely better than
having nothing at all...

Kyle


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.