Snort mailing list archives

Re: tippingpoint


From: Geoff <gpoer () arizona edu>
Date: Thu, 16 Oct 2003 19:48:41 -0700

OK, had to respond to this one :)

IPS right now is too dangerous to implement. No one in their right mind would
risk the network outages caused by vulnerable IPSes.

There are plenty of companies running IPS and running it successfully.
Implementation of an IPS requires that you only implement signatures that have a
VERY low rate of false positives or traffic that you just flat out don't care if
it gets dropped. For example: in our testing we dropped ICMP Stacheldraht Agent
to Server Hello packets. It is a very easy sig to spot: the word
"skillz" inside an ICMP echo reply packet. Rarely are we going to see that one
in the wild with business-critical traffic. We also dropped ICMP Welchia
packets; they consist of an echo request with 64 A's. A well-known false
positive for that signature is the Yahoo keep-alive packets for Instant
Messenger. We made the decision that we simply do not care about that traffic.

While I will agree that the Gartner Group needs to reevaluate their system for
recommendations concerning technology (don't just ask your customers, try
asking some well-established experts), that doesn't mean that IPS is the next
coming of the anti-christ either (Martha Stewart being the 1st).

Geoff
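
As an added illustration of the signature-selection approach in the reply above (this is example code, not from the post or from any Snort rule set), a small Python classifier applies the two ICMP signatures Geoff describes to constructed packets and shows that the keep-alive false positive and the Welchia probe look identical to the signature, which is why the drop decision has to be a policy choice. The policy table, sample names and byte values are assumptions made for the example.

```python
import struct

# Signatures as the post describes them: the Stacheldraht agent-to-server hello
# is an ICMP echo reply carrying "skillz"; the Welchia probe is an echo request
# whose payload is 64 A's.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Action per signature, following the post's rule of thumb: drop only where the
# false-positive rate is very low or the traffic is expendable; else alert only.
POLICY = {"stacheldraht-agent-hello": "drop", "welchia-icmp-probe": "drop"}


def parse_icmp(packet: bytes):
    """Split a raw ICMP packet into (type, code, payload); header is 8 bytes."""
    if len(packet) < 8:
        return None
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code, packet[8:]


def classify(packet: bytes):
    """Return (signature, action) for a raw ICMP packet, or None if no match."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return None
    icmp_type, _code, payload = parsed
    if icmp_type == ICMP_ECHO_REPLY and b"skillz" in payload:
        sig = "stacheldraht-agent-hello"
    elif icmp_type == ICMP_ECHO_REQUEST and payload == b"A" * 64:
        sig = "welchia-icmp-probe"
    else:
        return None
    return sig, POLICY.get(sig, "alert")


def icmp(icmp_type: int, payload: bytes) -> bytes:
    """Build a constructed ICMP packet (checksum left zero; never sent)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload


# Constructed sample traffic, not real captures. The keep-alive lookalike stands
# in for the IM traffic the post names as a known false positive: it is the same
# 64-A echo request, so the signature cannot tell the two apart.
SAMPLES = {
    "stacheldraht_hello": icmp(ICMP_ECHO_REPLY, b"skillz"),
    "welchia_probe": icmp(ICMP_ECHO_REQUEST, b"A" * 64),
    "im_keepalive_lookalike": icmp(ICMP_ECHO_REQUEST, b"A" * 64),
    "ordinary_ping": icmp(ICMP_ECHO_REQUEST, bytes(range(48))),
}
```

Running `classify` over `SAMPLES` gives the same drop verdict for the probe and the keep-alive lookalike, which is the trade-off the post describes accepting.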



Marc Quibell wrote:

What about it? Who cares what Gartner says? They have no idea what they're
talking about, and the clown who wrote that article was discredited by IDS pros
when he was forced to confront them. He says IDS is dead because it was useless
(too many false alerts [bullcrap, we don't have any], not Gigabit capable
[another lie]), not because HIDS was better. Security in layers, this is what
it's all about. HIDS is good too. But HIDS don't make IDS dead! He's in his
ivory tower being paid to discredit IDS. Do you really think these people who
write these criticisms actually use the product? NO! He also said IDS was not an
auditing tool, but was shot down on that issue too, because it is.

Policy Auditing is what it's used for as well, "How many of our users are using
Kazaa?" -or- "Look at all of our users compromising our network by using
GotoMyPc!"

What's really cool is using Crystal Reports with the Snort database... YEAH! Do
THAT with IPS!

IPS right now is too dangerous to implement. No one in their right mind would
risk the network outages caused by vulnerable IPSes.

Cheese

Marc


Message: 11
Subject: RE: [Snort-users] tippingpoint
Date: Thu, 16 Oct 2003 10:34:16 -0400
From: "Rich Stryker" <rstryker () virtuallearning net>
To: <snort-users () lists sourceforge net>

Here is a report by the Gartner Group. It says IDS has been a complete
failure and the host based IDS systems are the way to go until the new
generation firewalls come out.

http://techrepublic.com.com/5100-6298-5078279.html




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users