Intrusion Detection Systems mailing list archives

Re: Hybrid IDS


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 07 Sep 2000 14:22:20 -0400

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Talisker wrote:
[...] I would rather vendors attempted to follow a party line in
product description, thereby avoiding customer confusion.  The best time to
categorize these products is whilst they are still in an embryonic stage of
evolution.

[Tongue firmly in cheek]

Back in the early days of firewalls, some of us tried the same
thing. I proposed a bunch of terms for various things, most of
which were adopted for about a year, then completely twisted out
of shape. See, the problem is that terminology will fall prey
to wishful thinking. For example, who would buy a "network
layer IDS" when they could buy a "stateful multi-layer packet
inspection IDS"?  By sheer word-count alone you can tell that
the latter is superior. ;)

Joking aside, the "meaninglessness of language" effect is
inevitable as vendors attempt to market what they have as
being what a customer wants. For example, let's say that I have
an IDS that does packet defragmentation, TCP state machine
tracking, packet sequence checking, and TCP reassembly based
on the above. I might say I have an IDS that does "TCP reassembly"
in order to spare you a barrage of words. Let's say there's another
guy who does packet defragmentation and _wishes_ he did all the
other stuff - he might say as well that he does "TCP reassembly"
and the customer would be none the wiser until Dug Song or Tom
Ptacek or someone _showed_ them what that meant. There are a lot
of things out there called "firewalls" that aren't a whole lot
more than filtering routers. My guess is that lots of "intrusion
detection" products in the next couple years will be firewalls
that know how to beep when someone does a port scan on them,
or something basic like that.

So, I am in agreement with you as to the necessity for purity
of language and strict adherence to technically accurate terms.
Unfortunately, I don't think that it's going to happen,
industry-wide. The people who will twist the language don't
read this list. The customers who will purchase products based
on the twisted language don't read this list. (Or they'd laugh
at the vendors' marketing gobbledygook and buy a product from
someone with integrity.) This has played itself out time and time
again in the security product arena; it's not pretty but I don't
think it's going to change.

mjr.
-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://www.ranum.com
