Intrusion Detection Systems mailing list archives

Re: Re : Market Segmentation of IDS


From: mark.teicher () networkice com
Date: Tue, 19 Sep 2000 09:15:11 -0700

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Actually, this is exactly the point I was trying to make: no one really knows what the IDS market is or how to categorize it. It appears that lots of different people, especially marketing folks, have varying ways of describing the IDS market and which products fit into which category, so that IDC, etc. can charge lots of money putting together these revenue-type charts and say company A has x% of market share and company B has y% of market share out of a total market cap of Z.

The problem is that the meaning of what a firewall and an IDS-type product actually do has sort of merged. So, therefore, intrusion detection is important for the following reasons:

Firewalls do not monitor authorized users' actions; once in, anything goes
Firewalls control perimeter access and therefore do not address internal threats
Firewalls must guarantee some degree of access, which may allow for vulnerability probing
Firewall policies may lag behind environment changes, which leaves room for possible entry and attack
Firewalls do not operate at speeds conducive to intranet deployment

The use of encryption and VPNs offers a formidable vehicle to protect and transport sensitive application data. Encryption, teamed with public or private key authentication, offers the user, sender and receiver non-repudiation, reliability and integrity of the application data. However, only the application data and the transport mechanism are secured from unauthorized eyes. All other traffic remains open, unprotected and unmonitored, including user actions.

Public Key Infrastructure (PKI) serves as a framework for the management and processing of digital signatures, using public and private key cryptography to secure data. PKI-enabled applications can deter malicious actions. However, current adoption of PKI-based solutions remains in the early adopter stage because PKI standards are still evolving (for example, interoperability between heterogeneous certificate systems) and there are too few applications utilizing certificates.

The goal of intrusion detection is to identify in real time unauthorized use, misuse and abuse of computer systems by both internal network users and external attackers.

An IDS attack signature or policy consists of any pattern that constitutes exploiting a known security defect or executing a corporate security violation. These patterns are then monitored within the network data or on a host. The level of sophistication of attack identification ranges from single violations, to events over time that comprise a violation, to sequential actions that comprise a violation.

Intrusion detection is a challenging task because of the proliferation of network connectivity, heterogeneous computer environments, various communication protocols and an assortment of popular and proprietary applications. The combination of network and host-based IDS provides significant attack protection and policy enforcement for any size company and business function.

Network IDS utilizes traffic analysis to compare session data against a known database of popular operating system and application attack signatures, or packet recognition. On detection, the network IDS can react by logging the session, alerting the administrator, terminating the session and even hardening a firewall.

So, therefore, intrusion detection systems will soon be integrated with some of the personal firewall vendors or enterprise firewall vendors to automatically reconfigure security policies or rules when the IDS system detects an attack that could be labeled malicious (AI), without the need for manual reconfiguration, or to immediately terminate attacks, log suspicious behavior, raise configurable administrative alerts or initiate user-defined scripts or executables. It is very clear that the IDS market segment will slowly integrate itself with the firewall market segment, since the combination of IDS and firewall will allow the administrators to focus on serious threats at the enterprise level. For both an IDS and a security architecture to be effective, these security policies must include a broad range of security services that govern access to network resources, while protecting these same resources from both internal and external threats:

Ensure the privacy and integrity of communications over untrusted, public networks like the Internet
Detect network attacks and misuse in real time and respond automatically to defeat an attack
Deliver detailed logging and accounting information on all communication attempts

At 02:12 PM 9/19/00 +0200, Mark Renfer wrote:

I don't think Personal Firewalls should be seen as IDS products
since their main purpose is not intrusion detection. But honey pots
definitely are an IDS category as outlined in the IDS FAQ. (see
mailing list header) So let me add the product listing of this cat.:

Honey Pots:
Fred Cohen's Deception Toolkit (www.all.net/dtk)
Netsec SPECTER (www.specter.com)
NAI CyberCop Sting (www.nai.com)
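The message above describes three levels of attack identification (a single violating event, events over time that together make a violation, and an ordered sequence of actions) and the reactions a network IDS can take, including hardening a firewall. The following is an added example, not code from the original post or from any of the products it names: a small signature engine that implements those three signature kinds over a constructed event log and derives a firewall rule from a block-level alert. The event format, addresses, signature names and regexes are all made-up assumptions for the illustration.

```python
"""Toy signature engine for the three levels of attack identification named
in the message above (a single violation, events over time, and an ordered
sequence of actions), plus the firewall-style response it mentions.
Added illustration, not code from the original post or any vendor product;
the event format, signatures and IP addresses are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Alert:
    time: int
    src: str
    signature: str
    action: str      # what the sensor does on detection: log, alert or block


class SignatureEngine:
    """Matches events of the form (time_seconds, src_ip, text)."""

    def __init__(self):
        self.single = []      # (name, regex, action)
        self.threshold = []   # (name, regex, distinct_count, window, action)
        self.sequence = []    # (name, [regex, ...], window, action)
        self._seen = defaultdict(deque)   # (name, src) -> deque of (time, key)
        self._progress = {}               # (name, src) -> (next_index, start_time)

    def add_single(self, name, pattern, action="alert"):
        self.single.append((name, re.compile(pattern), action))

    def add_threshold(self, name, pattern, count, window, action="alert"):
        # If `pattern` has one capture group, the threshold counts distinct
        # captured values (e.g. destination ports) instead of raw hits.
        self.threshold.append((name, re.compile(pattern), count, window, action))

    def add_sequence(self, name, patterns, window, action="alert"):
        self.sequence.append((name, [re.compile(p) for p in patterns], window, action))

    def feed(self, t, src, text):
        alerts = []
        # Level 1: a single event is a violation by itself.
        for name, rx, action in self.single:
            if rx.search(text):
                alerts.append(Alert(t, src, name, action))
        # Level 2: N matching events from one source inside a sliding time window.
        for name, rx, count, window, action in self.threshold:
            m = rx.search(text)
            if not m:
                continue
            hits = self._seen[(name, src)]
            hits.append((t, m.group(1) if m.groups() else object()))
            while hits and t - hits[0][0] > window:
                hits.popleft()                      # forget hits outside the window
            if len({key for _, key in hits}) >= count:
                alerts.append(Alert(t, src, name, action))
                hits.clear()                        # fire once per burst
        # Level 3: an ordered sequence of actions from one source inside a window.
        for name, rxs, window, action in self.sequence:
            idx, start = self._progress.get((name, src), (0, None))
            if start is not None and t - start > window:
                idx, start = 0, None                # too slow; start the sequence over
            if rxs[idx].search(text):
                start = t if idx == 0 else start
                idx += 1
                if idx == len(rxs):
                    alerts.append(Alert(t, src, name, action))
                    idx, start = 0, None
            self._progress[(name, src)] = (idx, start)
        return alerts


def build_engine():
    eng = SignatureEngine()
    eng.add_single("directory traversal in URL", r"GET \S*\.\./", action="log")
    eng.add_threshold("port scan", r"SYN dport=(\d+)", count=4, window=10, action="block")
    eng.add_sequence("root compromise sequence",
                     [r"login failed user=root", r"login ok user=root",
                      r"file modified path=/etc/passwd"], window=60, action="alert")
    return eng


def firewall_rule(alert):
    """The 'harden a firewall' reaction: only block-level signatures yield a rule."""
    return f"deny ip from {alert.src} to any" if alert.action == "block" else None


# Constructed sample event log: (time_seconds, src_ip, text). Not real traffic.
SAMPLE_EVENTS = [
    (0,  "10.0.0.5", "GET /index.html HTTP/1.0"),
    (1,  "10.0.0.9", "GET /../../etc/passwd HTTP/1.0"),        # level 1
    (2,  "10.0.0.7", "SYN dport=21"),
    (3,  "10.0.0.7", "SYN dport=23"),
    (4,  "10.0.0.7", "SYN dport=25"),
    (5,  "10.0.0.7", "SYN dport=80"),                           # level 2: 4 ports in 10 s
    (6,  "10.0.0.3", "telnet login failed user=root"),
    (7,  "10.0.0.3", "telnet login failed user=root"),
    (8,  "10.0.0.3", "telnet login ok user=root"),
    (9,  "10.0.0.3", "file modified path=/etc/passwd"),        # level 3
    (40, "10.0.0.4", "SYN dport=21"),
    (41, "10.0.0.4", "SYN dport=21"),
    (42, "10.0.0.4", "SYN dport=21"),
    (43, "10.0.0.4", "SYN dport=21"),                           # same port: not a scan
]


def run(events=SAMPLE_EVENTS):
    eng = build_engine()
    alerts = []
    for t, src, text in events:
        alerts.extend(eng.feed(t, src, text))
    return alerts


if __name__ == "__main__":
    for a in run():
        print(a, firewall_rule(a))
```

Running it yields three alerts, one per signature level, and only the port-scan alert (whose action is "block") produces a firewall rule; the repeated SYNs to a single port stay below the distinct-port threshold, which is the kind of tuning that keeps a sensor from hardening the firewall against a retrying client.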

