RE: CRIME IDS is dead says Gartner

From: Rosenquist, Matthew (matthew.rosenquist@private)
Date: Tue Jun 24 2003 - 14:53:58 PDT


    I am a simpleton.  Here is my 2-cent view of the world.
    
    IDS - A passive-only monitoring solution (host or network).  Requires a
    highly complex interpretation or filtering mechanism(s)
    IPS - An active monitoring/interdiction solution (host or network).
    Requires upkeep equivalent to the amount of change in the protected
    computing environment
    Firewall - A barrier which controls the flow of specified types of traffic
    (inbound/outbound). Crude but effective.
    
    Analogy: 
    Vehicle traps at ingress/egress points (Firewall) will restrict access to a
    neighborhood park to foot traffic only.  Not much upkeep is required and the
    barrier will do well to keep vehicles out.  A video camera at ingress/egress
    points provides an entirely new aspect.  New threats (unruly skateboarder
    thugs in clown outfits) and undesired activities can be identified.
    However, the camera (aside from being a deterrent) provides no actual
    intervention service.  Additionally, the camera must be well placed and
    regularly monitored to provide benefits.  A poorly placed camera or one
    which is not monitored is as worthless as a Big-Wheel with a flat tire.  An
    IPS is like a community security officer (think policeman, guard, etc.).
    They can monitor and interdict undesired activity (nightstick across bozo's
    nose).  They are resource intensive but are capable of identifying more
    undesirable activity than the Vehicle traps and can actively interdict
    situations where a Camera alone fails.  
    
    IDS is not dead.  IPS is not dead.  Firewalls are not dead.  Nightsticks are
    not dead.  These are all tools.  There are many ways to use them in a cost
    effective manner to provide security, given different situations.
    
    Matthew Rosenquist
    
    
    -----Original Message-----
    From: Andrew Plato [mailto:aplato@private] 
    Sent: Tuesday, June 24, 2003 1:30 PM
    To: 'Crispin Cowan'; crime@private
    Subject: RE: CRIME IDS is dead says Gartner
    
    The problem with your comments, Crispin, is that you consider basic packet
    inspection to be security analysis. I disagree. Most firewalls (Checkpoint,
    pix, netscreen, etc.) are packet filters. They look at communication
    information and apply access control lists based on some rules.
    
    This is nowhere near synonymous with an IPS which looks beyond the packet
    and analyzes the entire communication stream. Proxy-based firewalls
    (Sidewinder/Gauntlet and some variants) go part of the way there. They do
    application-layer rules. But the classic packet filter firewalls do not have
    that kind of ability. 
    
    I see firewalls as essentially an access control point. To use an airport
    security analogy: firewalls control who gets on the plane and that's all.
    They don't look to see if the person is carrying a bomb. An IPS does both
    access control and looks in the person's luggage to see if there are any
    bombs in there. 
    
    Consider the extremely basic problem of things like Code Red. Firewalls
    couldn't stop Code Red at all, unless port 80 was blocked. But since that
    would have killed the web sites of many companies - that wasn't really an
    option. Therefore, the firewall did nothing to prevent Code Red. But a
    host-IPS or network-IPS could have seen Code Red in the stream and dropped
    the offending packets and kept web access open. 
    
    > How about we stop trying to classify them and just call them *all* 
    > firewalls? Then we can just compare firewalls head to head on 
    > features, performance, operational costs, security, etc.
    
    Then we're comparing CheckPoints to IntruVerts, Netscreens to RealSecure
    Guards - and that is a crummy comparison because they really are not the
    same types of products. An IntruVert is not anywhere near the same as a
    CheckPoint. A comparison between the two would be misleading. It would make
    CheckPoint look lame and Intruvert look outlandishly priced. 
    
    As for your quadrants, you define anything that does merely access control
    as prevention. I disagree. Access control does not mean bad stuff can't get
    in. Merely blocking some communications at the perimeter does not make a
    network secure.  I would redefine your quadrants as hexants (is that a
    word):
    
    * Network
        o Access control:
            + classic firewalls: Checkpoint, Netscreen, PIX, etc.
            + Router/VLAN ACLs
        o Prevention:
            + NIPS: inline SNORT, IntruVert, ISS Guard, TopLayer Attack Mitigator, etc.
            + Application firewalls: Sidewinder, WatchGuard (sort of)
        o Detection:
            + IDS: RealSecure, Snort/Sourcefire, ManHunt, etc.
    * Host
        o Access control:
            + ACLs, token authentication, locks, passwords, etc.
        o Prevention:
            + Behavior HIPS: Okena, Entercept
            + Signature HIPS: RS Desktop/Server, Sygate
            + Secure OS: Immunix, a Windows box with no power ;-), etc.
        o Detection:
            + Integrity monitors: Tripwire, etc.
    
    And I would say best practices would be to try to have something at every
    level.  
    
    ___________________________________ 
    Andrew Plato, CISSP 
    President / Principal Consultant 
    Anitian Corporation 
     
    Enterprise Security & 
    Infrastructure Solutions 
      
    503-644-5656 Office 
    503-644-8574 Fax 
    503-201-0821 Mobile 
    www.anitian.com 
    ___________________________________ 
      
    
    > -----Original Message-----
    > From: Crispin Cowan [mailto:crispin@private] 
    > Sent: Tuesday, June 24, 2003 12:36 PM
    > To: aplato@private
    > Cc: 'Justin Kurynny'; crime@private
    > Subject: Re: CRIME IDS is dead says Gartner
    > 
    > 
    > Andrew Plato wrote:
    > 
    > >I have actually been working on a white paper that aims to define the
    > >difference between IPS, IDS, and firewall. The paper is obviously
    > >biased, since I am basing it on my experience and expertise, but
    > >essentially my core definitions are:
    > >
    > A little feedback :)
    > 
    > >IPSs:
    > >
    > There are both *host* and *network* IPS's, and they are different 
    > beasties. What you describe here is mostly NIPS.
    > 
    > >- Perform some kind of analysis of communications and/or system 
    > >behavior to identify dangerous or potentially dangerous activity or 
    > >access.
    > >
    > Just like firewalls.
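The distinction the thread keeps circling (a packet filter decides on headers only, an IDS watches the stream and alerts, an IPS watches the stream and drops) can be made concrete in a few dozen lines. The following is an added illustration, not code from the thread or from any product named in it: a toy port-based filter next to a toy inline HTTP inspector, showing Andrew Plato's Code Red point that a firewall has to pass everything on port 80 while an inline inspector can drop a bad request and keep the port open. The sample packets, the allowed-port policy, the request-line rules and the URI-length threshold are all constructed for the example and are not real signatures.

```python
# Added example (not from the original thread or any product it names): a toy
# packet filter beside a toy inline stream inspector, to show why a port-based
# firewall cannot stop a bad HTTP request on port 80 while an IDS can alert on
# it and an IPS can drop it. Sample traffic, the allowed-port policy, the
# request-line rules and the URI-length threshold are constructed, not real.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes  # application-layer bytes carried in this packet (constructed)

# --- Packet filter (classic firewall): header fields only -------------------
ALLOWED_PORTS = {80, 443}  # constructed policy: web traffic in, all else denied

def packet_filter(pkt: Packet) -> str:
    """Access-control verdict from headers alone: 'allow' or 'deny'."""
    return "allow" if pkt.dst_port in ALLOWED_PORTS else "deny"

# --- Inline inspector (IDS/IPS role): looks inside the HTTP request ---------
MAX_URI_LEN = 512  # constructed threshold for an "overlong request URI" rule
EXPECTED_METHODS = {"GET", "HEAD", "POST"}  # constructed allow-list of methods

def inspect_http_request(payload: bytes) -> List[str]:
    """Return the names of inspection rules the request trips (empty = clean)."""
    findings = []
    request_line, _, _ = payload.partition(b"\r\n")
    try:
        parts = request_line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        return ["non-ascii-request-line"]
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ["malformed-request-line"]
    method, uri, _version = parts
    if method not in EXPECTED_METHODS:
        findings.append("unexpected-method")
    if len(uri) > MAX_URI_LEN:
        findings.append("overlong-uri")
    return findings

def inline_decision(pkt: Packet, mode: str) -> str:
    """mode='detect' acts like an IDS (alert, let it pass);
    mode='prevent' acts like an IPS (drop when a rule fires)."""
    if pkt.dst_port != 80:
        return "pass"  # this toy inspector only understands HTTP
    findings = inspect_http_request(pkt.payload)
    if not findings:
        return "pass"
    return "alert" if mode == "detect" else "drop"

def pipeline(pkt: Packet, mode: str = "prevent") -> Tuple[str, str]:
    """Firewall first, then the inline device; returns both verdicts."""
    fw = packet_filter(pkt)
    if fw == "deny":
        return fw, "not-reached"
    return fw, inline_decision(pkt, mode)

# Constructed sample traffic: a normal page fetch, an overlong request on
# port 80 (the kind of thing only content inspection can see), and telnet.
SAMPLE = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.6", 80, b"GET /" + b"A" * 700 + b" HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.7", 23, b"\xff\xfb\x01"),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.src, pkt.dst_port,
              "IDS:", pipeline(pkt, "detect"), "IPS:", pipeline(pkt, "prevent"))
```

Run as-is, the first packet passes every stage, the overlong request is allowed by the packet filter in both modes but draws an alert in detect mode and a drop in prevent mode, and the telnet packet never reaches the inspector because the firewall denies it first. That is the layering Plato ends on: the filter handles what headers can decide cheaply, and the inline device spends its effort only on traffic the filter already let through.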
    



    This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 15:15:42 PDT