Intrusion Detection Systems: Re: IDS Comparison

Re: IDS Comparison

From: Misha <misha_at_insync.net>
Date: Sun, 5 Mar 2000 18:16:13 -0600 (CST)

I really am enjoying all the vendor commotion, but the issues being
discussed here are pretty straightforward. What I am hearing from the
independent IDS vendors is frustration at lack of resources and confusion
over which marketing strategy to deploy.

By my count there are about 17 IDS vendors at the moment, out of which
there are 5-6 I would actually consider using. ISS and NetRanger are the
old kids on the block, and are running into problems for exactly that
reason. Some of the technology has exchanged hands, some of the original
developers are long gone, but mostly there haven't been any drastic
improvements to the IDS engines (though ISS has moved forward with the
interface and the network/host hybrid idea, which I like quite a bit). NAI
has cybercop, but is not marketing it actively after changing direction
several times, and finally ending up with a little used host based product
which sports mysterious Sniffer integration (how does that work anyway?).

Ruling out the above vendors (and you should if you want to do serious
intrusion detection other than just get pointless alarms) you are left
with a handful of independents. They usually have much better performance
and IDS logic because they came late in the game, but mostly because the
development is being led by bright people with a clear understanding of
technology (this may actually hurt them in other areas of course).
NFR/Dragon/BlackIce are pretty much the only way to go if you want to do
serious forensics and intrusion detection, but get ready for a long roll
out and quite a few management problems.

NFR has been around for quite a long time, but suffers from bad
perception. Everyone I know thinks the research version is what NFR
offers, and still perceives it as a developers toolkit (the good folks at
Enron Broadband security division did, and they are very much a
professional security bunch). We gave version 4.0 a whirl, and while I like
the direction they took with the interface, the alarms are out of control
and there is not a way to determine which ones of them are false positives.
The interface just doesn't deliver enough information to be of any use, so
I think it's pretty clear that interface design is not trivial by any
means. I did try to get a 4.1 copy to check out all the improvements, but
the sales person who contacted me originally won't return my mail. Definite
problem with lack of resources, not technology.

I did not try BlackICE, but again a questionable marketing decision. The
Defender product is huge in the personal security market space, and the
product now suffers from major identity problems. The branding name did
not make a clear enough distinction between the versions, so most people I
come in contact with do not even know BlackICE has an enterprise platform.
What's more, by visiting the product site it's not entirely clear
how the products differ and you eventually get lost in the name
variations, which do not mean much (Dragon has the same problem, but it's
getting better). Again, good technology, odd marketing and push into a
niche market that backfired a bit.

We are pretty close to settling on Dragon (thank you Greg). With the new
version the web interface has gotten quite useful, but the product still
requires someone with quite a bit of security experience to effectively
use. It has by far the best analysis engine I have seen yet, and an
amazing amount of analysis capability, which the bit heads at the office
went wild over. I think the entire network staff spent the entire weekend
roaming the address space and analyzing great data. Problem is that this
is good analysis, but not much in terms of alerting and response. We do
not mind spending the necessary effort on classifying the alerts and
building our own detection policy (in fact we prefer it). We also like the
flexibility of the product and ability to make it swing to any direction
we are pleased, but this is a far cry from an average IT shop. Even we
have trouble coming up with personnel that has enough security experience
to understand what the alerts mean, so we have to work out logistical
issues of monitoring events and analyzing events. People who understand
network security well have trouble staring at alarm monitors all hours of
the day, so we have to come to a solution.

This all comes down to frustration by vendors with good technology on
their inability to penetrate the plug and play IDS market. Why should an
average network administrator, or even a person with a good amount of
Windows security, spend money on a product that produces events they
cannot understand? In an ideal world, IDS would be a field of dedicated
professionals with a deep understanding of network security, but those
people are few and far between.

One solution is for the independent IDS vendors to strategically push their
products into markets with enough expertise to roll them out in the
field. ISP's, managed security providers and edu's have enough resources
to effectively deploy NFR or Dragon. An all Windows shop simply does not,
even if you make an appliance that lacks an effective interface.

More realistically, this market is ripe for mergers. Dragon with NAI or
BlackICE (a host offering would be really nice). NFR and ODS? Cisco and
everyone on the market?

Misha

On Sat, 4 Mar 2000, Robert Graham wrote:

> --- Jackie Chan <blue0ne_at_igloo.org> wrote:
> > Robert,
> > You give the impression that Realsecure won't even alert you to
> > what is going on when an attacker (Why must we still call them hackers
> > when we know this is wrong) uses fragrouter. The truth is that
> > RealSecure WILL alert that Fragmented packets are going through, from
> > what source, and to what destination. It is true that it will not tell
> > you specifically what the attack was, but let's not confuse users into
> > believing that they will have no idea as to what is happening. Oh and by
> > the way, I don't work for a vendor, so my opinion is totally unbiased.
>
> This is my point: RealSecure does very little protocol analysis. It doesn't
> truly understand the protocols going through the box, but instead just looks
> for a few patterns in the frames.
>
> It can see that packets are fragmented, but it doesn't know why. It doesn't
> really know why anything happens. Packets are fragmented for other reasons.
> This leads to the problem of false positives. I've heard over and over that
> RealSecure collapses under the load of false positives. I've even had customers
> call us worrying that BlackICE wasn't working because they plugged in our box
> next to RealSecure and it was going off like mad, but BlackICE wasn't
> triggering anything. This was because there was no intrusion to detect. As soon
> as they started doing test intrusions, BlackICE caught them.
>
> In contrast, BlackICE does full 7-layer stateful protocol analysis. When it
> triggers an alert, it does so from a fairly complete understanding of the
> protocol operations. There are still false positives, but dramatically fewer.
>
> My point is, and I'm sure that RealSecure is a toy. It isn't a serious IDS like
> Dragon/NFR/BlackICE. It is certainly polished UI and has lots of marketing
> behind it, but it isn't very sophisticated. But which would you rather have: a
> polished UI on a system that doesn't detect intrusions well, or a system that
> catches hackers?
>
> Rob.
> Network ICE
>
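The fragmentation argument in the quoted exchange above, as an added example that is not part of the original thread: a toy per-fragment detector beside a reassemble-then-match detector, run over constructed fragments (the addresses, the signature string and the payloads are all made up here).

```python
"""Per-fragment matching vs. reassembly before matching (added example).
Fragment, SIGNATURE and the SAMPLE traffic are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed signature a pattern-matching engine would look for.
SIGNATURE = b"GET /cgi-bin/vuln-probe?"

@dataclass(frozen=True)
class Fragment:
    flow: Tuple[str, str]   # (src, dst) of the datagram, constructed addresses
    frag_id: int            # IP identification shared by all pieces of one datagram
    offset: int             # byte offset of this piece within the datagram
    more: bool              # True for every piece except the last one
    payload: bytes

def naive_detector(frags: List[Fragment]):
    """Frame-by-frame: flag every fragment as 'fragmented traffic' and match the
    signature only inside a single frame. Benign fragments alert; a signature
    that straddles a fragment boundary is never seen."""
    alerts = []
    for f in frags:
        if f.offset != 0 or f.more:
            alerts.append(("fragmented-traffic", f.flow))
        if SIGNATURE in f.payload:
            alerts.append(("probe-signature", f.flow))
    return alerts

def reassemble(frags: List[Fragment]) -> Dict[Tuple[Tuple[str, str], int], bytes]:
    """Group by (flow, id), stitch payloads by offset, return complete datagrams.
    Sets with a missing last piece, a gap or an overlap are dropped, not guessed."""
    groups: Dict[Tuple[Tuple[str, str], int], List[Fragment]] = {}
    for f in frags:
        groups.setdefault((f.flow, f.frag_id), []).append(f)
    done = {}
    for key, parts in groups.items():
        parts.sort(key=lambda p: p.offset)
        if parts[-1].more:          # last fragment never arrived
            continue
        buf, expected = b"", 0
        for p in parts:
            if p.offset != expected:  # gap or overlap: refuse to reassemble
                break
            buf += p.payload
            expected += len(p.payload)
        else:
            done[key] = buf
    return done

def stateful_detector(frags: List[Fragment]):
    """Reassemble first, then match: fragmentation itself is not an event."""
    return [("probe-signature", flow) for (flow, _), data in reassemble(frags).items()
            if SIGNATURE in data]

# Constructed traffic: a benign fragmented request and a probe split mid-signature.
BENIGN, ATTACK = ("10.0.0.5", "10.0.0.9"), ("10.0.0.7", "10.0.0.9")
SAMPLE = [
    Fragment(BENIGN, 1, 0, True, b"GET /images/big.gif HTTP/1.0\r\n"),
    Fragment(BENIGN, 1, 30, False, b"Host: www.example.test\r\n\r\n"),
    Fragment(ATTACK, 2, 0, True, b"GET /cgi-b"),
    Fragment(ATTACK, 2, 10, False, b"in/vuln-probe?id=1 HTTP/1.0\r\n\r\n"),
]
```

Run on SAMPLE, the naive detector raises four "fragmented-traffic" alerts and misses the probe entirely, while the reassembling detector raises exactly one alert, on the probe's flow.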
Received on Mar 05 2000
