Re: Changes in IDS Companies?

[Martin Roesch <roesch () sourcefire com>]

Don't get me wrong, I'm not saying it's not a good idea, it's an 
excellent idea.  My point is that the marketing hype that's coming out 
of the IPS vendors at this point is overblown in my opinion and I 
haven't seen much cautionary introspection applied to the concept yet, 
so I thought I'd chime in.  The deployed base of network intrusion 
prevention systems in production environments today is very small.   
While the concept has a lot of merit, it's unproven as yet and there 
are significant technical hurdles (robustness, capability, etc) as well 
as a raft of political hurdles that have not been addressed in any sort 
of empirical manner yet with a deployed base of happy users.

Sourcefire *is* working on IPS too, both with things like in-line mode 
operation and firewall interoperability through mechanisms like OPSEC.  
I've seen a lot of people advocating the widespread replacement of IDS 
with IPS in the last couple months and I think that it's way too early 
to make that leap.  If people are going to go so far as to advocate the 
removal of a layer of network security infrastructure that's finally 
reaching a level of maturity they should take the next step and 
advocate the removal of the firewall too.  IPS technology has to mature 
and prove its worth before we can take those steps, the failure modes 
are still relatively unknown as are the applicability of the solution 
to all networks.

We're approaching the problem from a couple directions, through the 
integration of an in-line mode into the open source version of Snort as 
well as on our systems.  That doesn't mean those same problems won't 
apply to us, they will.  My goal with the last message was to raise 
awareness that these things aren't silver bullets and to shine a little 
light on the hype is spinning around this concept right now.  Make no 
mistake, Sourcefire will market it's products when they're ready as 
well, I'm merely speaking as a technologist who's been doing this for a 
while.

Do you think there's a conflict of interest here?  Am I not allowed to 
have reservations about the technology even though I work on it?  A lot 
of people would debate the value of having the firewall reconfigured by 
a NIDS, but people (like me) who work for companies that have features 
like that as requirements for the market they serve have to work within 
the market reality even though they may have reservations about the 
value of the technology itself.  Would you say that the technology is 
completely, absolutely ready for prime time in your opinion as an 
evaluator of the *engineering* pros and cons of such a technology?  Can 
you speak to those?  I notice you guys at Latis use Snort as your 
supported IDS technology, how does your integrated solution fare when 
Snort has gone into self-preservation mode due to its memory cap being 
hit in its stateful inspection subsystems?  How about in the same 
situation for the IP defragmentation subsystem?  Does it dynamically 
reallocate the memcap based on the available free memory on the system 
or does it thrash?  We had to get to *extremely* high loads in our test 
lab traffic generators (~1M concurrent sessions) on our gigabit product 
before we saw the degenerate thrashing situation Snort would descend 
into when the memory caps were hit.  How are you guys handling that?

I say it's not 100% ready for prime time because it hasn't been 
deployed widely enough to have any sort of empirical evidence that it 
is and in my opinion as an *engineer* the case still has to be made.  
Once there are a few thousand NIPSes out there saving the bacon of 
large enterprises and that can be documented, I'll be a lot more 
impressed.  When Sourcefire finally releases a solution it'll be the 
best technology that we can come up with (given all the usual 
constraints) and hopefully it'll be ready for prime time, but we'll 
need to see successful deployments of it before I'm going to convert to 
being an IPS advocate.

     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

On Wednesday, October 16, 2002, at 06:48 PM, Alan Shimel wrote:

> Marty
>
> I appreciate your thoughts on IPS, but can you tell us here that
> Sourcefire itself is not working on IPS technology with several 
> firewall
> companies?  I have heard they are and that they see this as vital to
> their plans. Will IPS be ready for prime time when your company is 
> ready
> to put it out in the market and not before?
>
> alan
>
> Alan Shimel, VP Sales & Business Development
> Latis Networks,  ashimel () latis com
> Ph. 303 642-4515  Cell 516 857-7409
>
>  The information transmitted is intended only for the person or entity
> to which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other use of, or
> taking of any action in reliance upon, this information by persons or
> entities other than the intended recipient is prohibited. If you
> received this in error, please contact the sender and delete the
> material from any computer.
>
> -----Original Message-----
> From: Martin Roesch [mailto:roesch () sourcefire com]
> Sent: Wednesday, October 16, 2002 3:47 PM
> To: Avi Chesla
> Cc: focus-ids () securityfocus com; 'Samuel Cure'
> Subject: Re: Changes in IDS Companies?
>
> Network intrusion prevention systems are also relatively untested and
> still first generation.  The Hogwash wrapper for Snort (and the in-line
> mode being rolled into Snort) are both good technologies and intrusion
> prevention in general is a good idea, but the distance between "good
> idea" and a concept that's ready for larger market acceptance is a
> pretty wide gap.
>
> One of the things that's been bothering me about the rush to build and
> deploy Network Intrusion Prevention Systems (NIPS) lately is the
> complete lack of discussion about the downsides of such technologies.
> My consternation falls into a couple categories that deal with the
> failure modes of NIPS and the political issues associated with
> deploying this kind of technology.
>
> Most NIPS are built on the concepts pioneered by intrusion detection
> systems, protocol anomaly detection, signature-based analysis and
> traffic anomaly detection (port scans, etc).  Intrusion detection
> techniques are pretty well known for their applicability to specific
> problem areas, signature-based detection doesn't pick up attacks it
> doesn't know about, anomaly-based detection can't pick up signature
> based events (/cgi-bin/phf) very effectively.  The melding of these
> techniques is critical to providing good coverage from the perspective
> of a sensor designer, which is why Snort does signature and protocol
> anomaly detection (and several other tricks).  The problem is that *no*
> technology is capable of picking up every possible attack, a mix of
> technologies is often the best way to go to provide effective coverage
> of the security picture on a given network.
>
> With this in mind, the basic question becomes "how do we know if our
> NIPS misses an attack?"  If the NIPS misses an attack,  we better have
> a pretty good NIDS/HIDS in place to let us know what happened.
>
> How about failure modes of the technology itself?  It's been shown
> repeatedly in tests that NIDS technology can be notoriously unstable in
> a number of scenarios, what happens if that instability is translated
> to an in-line device?  We're either going to have a fail closed
> scenario (protected network is DoS'd)  or a fail open scenario in which
> the protected network becomes unprotected, possibly for a protracted
> period of time.  In the first scenario the failure mode will make
> itself apparent very rapidly, but in the second a NIDS/HIDS is going to
> be required to record and inform the security/admin staff about the
> problem as well as attacks during the lapse.
>
> There's also the political battle of deploying another in-line
> technology in the network, etc. that will be fought anytime one of
> these is deployed, although I  think that fight will happen in the
> enterprise and not in the mid-tier market.
>
> I'm an advocate of a layered solution.  Firewalls, NIDS/HIDS,
> authentication, crypto, etc. all continue to have their places on the
> network.  I think that host-based IPS will see quicker acceptance in
> the market than NIPS due to the lower "price of deployment/failure"
> associated with the host-based technologies, they're more like AV
> systems in their positioning as an end-host oriented security
> mechanism.  I think that there will definitely be convergence of the
> firewall and the NIDS, but I think it's early to declare these systems
> as the next generation, the political battle will have to be fought and
> the operational limitations of the technologies will have to be found
> before the final place of IPS in the network security "ecosystem" will
> be known.
>
>       -Marty
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
> roesch () sourcefire com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
> On Tuesday, October 15, 2002, at 04:45 AM, Avi Chesla wrote:
>
> > I totally agree with you. Next generation IDS  ,also being called
> > Intrusion
> > Prevention Systems or Perimeter Security devices are the next step in
> > the
> > evolution of the Traditional Intrusion Detection Systems. Vendors such
>
> > as
> > Intruvert, Tipping point ,  Vsecure Technologies , Lancope, Forescout
> ,
> > TopLayer (Mitigator) etc, are example of some.
> > All these vendors claim to have an Intrusion Prevention Systems which
> > usually has some kinds of Adaptive capabilities, they do behavioral
> and
> > protocol analysis and do not based on attack signature (most of them)
> > , they
> > sit in-line (most of them), they mitigate attack without be depended
> in
> > other products to do the blocking...
> >
> > Best Regards,
> >
> > Avi Chesla
> > Director of Research
> > Vsecure Technoliges, Inc.
> > www.v-secure.com
> >
> > -----Original Message-----
> > From: Samuel Cure [mailto:scure () netpierce net]
> > Sent: Monday, October 14, 2002 10:54 PM
> > To: focus-ids () securityfocus com
> > Subject: Changes in IDS Companies?
> >
> >
> > Just noticing some changes with some known IDS companies and wanted
> > some
> > feedback from the community. Because Marcus Ranum left NFR earlier
> > this year
> > and Ron Gula has left Enterasys Networks, I am questioning the future
> > of
> > some early-on IDS companies. I mentioned some time ago that the IDS
> > market
> > will eventually consolidate and it seems like things are moving in
> that
> > direction.
> >
> >
> > To further enforce my point, word on the street is TippingPoint is now
> > seeking for someone to buy them out. Does anyone else have anything
> > that
> > could help validate this or these types of trends in IDS companies?
> >
> >
> >
> > Thanks in advance!
> >
> > -------------------
> > Samuel J. Cure
> > Security Specialist
> > NetPierce Security Services
> > www.netpierce.net
> > -------------------