RE: CRIME IDS is dead says Gartner

From: Justin Kurynny (justink@private)
Date: Tue Jun 24 2003 - 11:21:16 PDT


    okay. i read it. it doesn't change my opinion. IDS is likely soon to be
    dead. prevention systems (such as firewalls, IPS, access lists,
    whatever) are likely not. but in the larger scheme, what's the
    functional (useful) difference between IPS and firewalls? if Gartner is
    talking about IDPS as something more akin to IDS, then from their point
    of view they may be correct about IDPS products that don't effectively
    or comprehensively prevent attacks.
    
    on the other hand, IPSes that are effective attack prevention devices
    may be further along the spectrum near the firewall's functionality, in
    which case Gartner is contradicting itself. furthermore, the differences
    between an IPS and a firewall become more unclear.
    
    so again, clarify the differences between IDS and IPS and base a
    discussion on the agreed differences instead of basing it on what
    Gartner casually mentions.
    
    justin
    
    justin kurynny
    manager of network engineering
    waggener edstrom, inc.
    
    *
    
    -----Original Message-----
    From: tlmacgi@private [mailto:tlmacgi@private] 
    Sent: Tuesday, June 24, 2003 10:58 AM
    To: crime@private
    
    
    >> Read Gartner's report
    http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci905961,00.html
    
    
    
    
     
    
    From: "Justin Kurynny" <justink@private>
    Sent by: owner-crime@private
    To: "Andrew Plato" <aplato@private>, crime@private
    Subject: RE: CRIME IDS is dead says Gartner
    Date: 06/24/2003 10:53 AM
    
     
    
    
    
    
    
    i haven't read the article, but i'll make a general comment anyway.
    there is a difference between IDS and IPS. if Gartner is only talking
    about IDS, i agree with the hypothesis that IDS is likely to go extinct.
    however, IPS apparently has value because it's actually doing something
    to actively fend off the attack in real time. [anyone feel free to jump
    in here if this statement exaggerates reality.]
    
    i know this list has been through the IDS pro/con discussion already, so
    we don't need to re-hash it, but i think we should clarify the
    differences between IDS and IPS.
    
    justin
    
    justin kurynny
    manager of network engineering
    waggener edstrom, inc.
    
    *
    
    -----Original Message-----
    From: Andrew Plato [mailto:aplato@private]
    Sent: Monday, June 23, 2003 6:35 PM
    To: crime@private
    
    Some of you have probably seen this. It's been all over the news and
    elsewhere.
    
    http://www.informationweek.com/shared/printableArticle.jhtml?articleID=10300918
    
    ------------
    
    EXCERPT from article
    
    Intrusion-detection systems, software that attempts to spot and report
    attacks against information systems, will no longer be a defense in the
    information security pro's arsenal by 2005. That's the prediction coming
    out of research firm Gartner.
    
    "IDS as a security technology is going to disappear," says Richard
    Stiennon, a Gartner research director.
    
    Stiennon contends that organizations are going to so successfully harden
    their internal systems that the "burglar-alarm" service
    intrusion-detection systems provide will no longer be necessary.
    "Imagine a world where there are no intrusions," he says.
    
    ------------
    
    This is another example of some of the misinformation that is getting
    out there about IDS/IPS technologies. Hardening systems and using IPS
    are a great way to stop attacks. But without some kind of monitoring,
    you simply cannot be sure. This is like removing the camera from a bank
    because the bank buys a really nice vault and puts great locks on the
    front doors. While I would like to imagine a world where there are no
    intrusions, I don't think that world is coming any time soon.
    
    However, I am certain that without monitoring, you'd never know if
    there WAS an intrusion. Hence, there is a certain absurdist logic here:
    "We have no IDS, our systems work, so we must be safe." Riiiiight.
    
    Personally, I think Gartner's report is more a product of poor IDS
    implementation and management. In the rush to get an IDS, many
    organizations do not take the time or effort to properly integrate,
    tune, and manage the system. As such, the system produces a ton of
    alerts, which quickly get ignored.
    
    Also, while IPS has a place and I am a big advocate for it, the idea
    that IDS will disappear is absurd. Any decent "defense in depth"
    strategy must consider multiple points of monitoring and response. IDS
    is merely one piece of the puzzle. A valuable piece (when it's used
    properly).
    
    Anyway, Anitian published a response on our web site:
    
    http://www.anitian.com/corp/papers/Gartner%20Response.pdf
    
    Curious to hear other reactions.
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    Enterprise Security &
    Infrastructure Solutions
    
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________
    
    
    
    
    
    
    
    
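    Andrew's point about untuned sensors producing "a ton of alerts, which
    quickly get ignored" is the practical failure mode behind the Gartner
    claim. The script below is an added example for this archived thread,
    not code posted by any of its participants: it parses Snort "fast"
    alert-format lines, ranks them by (signature, source address), and
    emits Snort threshold.conf `suppress` directives for any single pair
    that dominates the volume, so the analyst can see which noise to tune
    out before the remaining alerts get ignored. The sample alert lines,
    the 10.0.0.0/16 addresses, and the 50% noise_share cutoff are all
    constructed assumptions for the example.

```python
"""Rank IDS alerts by signature and source address to find tuning candidates.

Added example for this thread, not code from any of its authors. It reads
Snort "fast" alert-format lines (the sample below is constructed) and emits
threshold.conf 'suppress' directives for (signature, source) pairs that
dominate the alert volume. The 50% noise_share cutoff is an arbitrary
assumption; an analyst must confirm a source is benign before suppressing it.
"""
import re
from collections import Counter

# Snort fast format, one alert per line:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...]
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
# Ports are absent for ICMP, so they are optional in the pattern.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: a network-management station (10.0.0.9) trips the same
# ICMP signature on every host it polls, burying two real events and one
# non-alert line of log debris.
SAMPLE_ALERTS = """\
06/24-09:00:01.000100  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.1.20
06/24-09:00:01.000200  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.1.21
06/24-09:00:01.000300  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.1.22
06/24-09:00:01.000400  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.1.23
06/24-09:05:01.000100  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.1.20
06/24-09:05:01.000200  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.1.21
06/24-09:05:01.000300  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.1.22
06/24-09:05:01.000400  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.1.23
06/24-09:05:12.334455  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 10.0.1.5:1434
06/24-09:07:44.120000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:3392 -> 10.0.1.10:80
sensor restart: preprocessor reload complete
"""


def parse_alert(line):
    """Parse one Snort fast-format alert line; return None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
    d["prio"] = int(d["prio"]) if d["prio"] else None
    return d


def rank_by_signature_and_source(lines):
    """Count alerts per (gid, sid, msg, src); the top entries are tuning candidates."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            counts[(a["gid"], a["sid"], a["msg"], a["src"])] += 1
    return counts


def suppress_candidates(counts, noise_share=0.5):
    """Return threshold.conf 'suppress' directives for every (signature, source)
    pair that accounts for at least noise_share of all parsed alerts.
    Directive syntax: suppress gen_id <gid>, sig_id <sid>, track by_src, ip <ip>.
    noise_share=0.5 is an assumption for this example, not a Snort default."""
    total = sum(counts.values())
    directives = []
    for (gid, sid, _msg, src), n in counts.most_common():
        if total and n / total >= noise_share:
            directives.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return directives


if __name__ == "__main__":
    counts = rank_by_signature_and_source(SAMPLE_ALERTS.splitlines())
    for (gid, sid, msg, src), n in counts.most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg} from {src}")
    for directive in suppress_candidates(counts):
        print("tuning candidate:", directive)
```

    Run against a real alert file (for example, `snort -A fast` output) by
    replacing SAMPLE_ALERTS with the file contents. Suppressing by source
    rather than disabling the rule outright keeps the signature live for
    every other host, which is the distinction between tuning a sensor and
    blinding it.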



    This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 11:35:17 PDT