Snort mailing list archives

Re: Re: [Snort-devel] IDS vs IPS


From: Jeff Nathan <jeff () snort org>
Date: Sat, 30 Aug 2003 18:08:44 -0700


Mark,

In 2003 commercially ready has come to mean that a product contains an acceptable number of flaws. There are a few analysts out there who I have faith in (Greg Shipley to name one), but by and large let's not give analysts too much credit. There are plenty of security product companies whose products are designed by marketing organizations whose members have neither worked in operational security nor attempted to penetrate a system.

Yes, Brian Reid and the others credited with inventing the firewall at DEC WRL did an impressive job at the time. Just as the IDS efforts at SRI and LLNL in the 1980s were impressive. It's now 2003 and time doesn't stand still.

Hartmeier's PF *IS* good firewall code. Were we to compare the quality of the underlying code, it's as good as or better than the work at WRL. Were we to compare its features to those of the WRL firewall, it's no contest; the level of completeness is an order of magnitude higher. http://www.benzedrine.cx/pf.html (this site appears to be down at the moment).

IPS is a made up term. It's nonexistent. It's marketing voodoo. It's nondescript and just like other forms of language that have permeated the English language as a result of political correctness and the haphazard nature of people working in marketing organizations to pull buzzwords out of thin air, it reduces the specificity of the topic at hand.

IPS might describe any number of concepts. After all, what does intrusion prevention REALLY mean? Are we talking about preventing execution of CPU instructions? Preventing network data containing malicious data from being allowed to reach an end host? Obviously the marketing folks are going to try to spin this in dozens of ways but I'm not ready to let them have their way when it comes to destroying the specificity of language.

As it relates to computer networks, IPS would have to be gateway intrusion detection (aka in-line intrusion detection). Indeed, if a firewall vendor thinks they're moving into this space I'd love to hear about their design and implementation. Also, if a company is moving into this space exclusively I'd love to hear about their technology.

As each security company tries to get their hand in the proverbial cookie jar, we're going to see more and more products touting their IPS features. Taken literally, they might be right. However, this lack of linguistic specificity moves the state of security back several years rather than propelling it forward. Much like NIDS vendors played the game of counting how many signatures they had before CVE was created, every security company is going to tout their IPS features until a common definition is agreed upon.

I'll put my stock in industry analysts such as the folks over at Gartner when they stop producing research reports whose data was gathered by making phone calls to company executives rather than empirical analysis. That's right, folks. That much touted Gartner report was exposed not all that long ago when they were questioned directly about the source of their information. As the story goes, they admitted (in a room full of people) to having simply made phone calls.

I look forward to my beer. :)

Take care,

-Jeff

On Saturday, August 30, 2003, at 05:43 PM, Mark Teicher wrote:

Jeff,

Rather impressive does not mean it is commercial ready.
Commercial Ready means it meets or exceeds the criteria of the definition of the Industry Analysts and can be reviewed by the people who do those rather large network type bake-offs of products and barely understand how the technology works except click "Setup.exe" and pray the Installshield doesn't barf on their system, which most likely doesn't meet the vendors' stated minimum requirements. How about DBs?? How many of the IPS vendors require MSSQL as their database of choice?? If the IPS vendors require MS SQL as their database backend, that means the IPS management console can't handle an enterprise type organization without having massive horsepower and some sort of distributed console management technology underlying it. How many of the industry reviewers actually review that type of scenario.. ??

I might not even have to take off my shoes to count. Oh better yet, let me get out my abacus..

[/standing on soapbox]

Back to my original ranting, GOOD firewall code hasn't been produced in years.. In fact, if someone could dig up Wei Xu, Peter Churchill or Brian Reid.. I am sure they could tell you stories about GOOD firewall code, proxy code and the crud they had to put up with.

You know there are still Digital Equipment Corporation Firewalls in place at a major bank in NY/NJ area.. (DECSeal at least 20 of them by my last count).. the technology is 10 years old, and no one has broken into them.. Go figure that one out.. no IDS, no IPS.. Actually in fact, I can also name a few other companies that still have Gauntlet firewalls in place..

Was it GOOD firewall code, who knows, but the fact remains, IPS technology is still in its infancy, while Firewalls have been around for almost 15 years, and IDS technology, although not fully matured, over 5 years. IPS is less than 30 months old, and every single marketing person expels "IPS is the future, firewalls and IDS are dead." OK, marketing people, speak up and tell us who the pure IPS vendors are, not firewall and IDS vendors trying to re-define their space and get some marketing mojo going..

I even cc'ed a marketing person on the list so that they can respond to the hype and defend themselves in this little thread.. C'mon, give us the marketing hype and story.. Anyone else from other vendors' marketing departments listening/reading.. ??

[/slipping off soapbox...]

argghhhh, I have fallen underneath the IPS hype and need to call the nearest IPS marketing person to get up...

P.S. Does this mean I am back to my full lunacy of ranting and raving, not quite sure, but it is fun to be alive again.. Jeff N and Gary C, I owe you two a beer..

/cheers

/mark

At 06:02 PM 8/30/2003, Jeff Nathan wrote:


Mark,

Not entirely true. Dan Hartmeier's packet filter is rather impressive.

-Jeff

--
Top security experts.  Cutting edge tools, techniques and information.
Tokyo, Japan   November, 2003   http://www.pacsec.jp


