Re: Hybrid IDS

[John S Flowers <jflowers () hiverworld com>]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Mark,

I've had a message into Robert Graham and cc'd other persons for the
last 2 weeks or so.  I've sent numerous messages commenting on the
challenge and even replied to the document entitled "jolt2" that was
sent by Robert to myself and others.

In reference to the document - http://www.robertgraham.com/op-ed/jolt2
-- On August 24th I said, "I like what you've written (jolt2) and think
you should publish it."

I believe that the claims made by Robert Graham are so outrageous that
there's no real need to even validate them (see the link above, if it's
even active).  I'm sure that everyone will see this to be the case if
this document actually makes it to the public.

Otherwise, I'm more than happy to actually run a real test against your
IDS and see if it can sustain 148,800 packets per second and provide
alerting/counting on the attack.

This was the original claim made by Robert to the crowd at Defcon and to
the IDS list a while ago (i.e. not the single packet against an invalid
IP address that is mentioned in this document).  This is the claim that
I believe Robert should stick to, not the "jolt2 test" in the document
at the link above.

I've not yet received a copy of BlackICE for the purpose of this real
world test and I haven't heard from Robert since Aug 24th (2 weeks ago).

For the record -- I've been seriously busy, but I HAVE kept in touch
with Network ICE and Robert Graham since this claim was made.  So the
accusation that "no one has heard from Hiverworld since" is completely
misleading.

"Teicher, Mark" wrote:
> At 10:02 AM 9/7/00 -0400, Marcus J. Ranum wrote:
>
> > One place where the personall firewall / IDS hybrids present an
> > interesting challenge to clarity is in performance marketing.
> > Since they're operating at a packet level (sort of) an unscrupulous
> > vendor (hi! you know who you are!) could claim their performance
> > figures in terms of packets processed/second. So the vendor could
> > say "in recent tests, our network IDS handled 10,000,000,000
> > packets/second!!" without mentioning clearly that this was
> > accomplished using a single host on a switch, but the host was
> > only looking for attacks directed at itself... Such claims have
> > already been made - clearly deceptive, but there you have it.
>
> Whoa, wait a minute here, Network ICE accepted the challenge from
> Hiverworld at DefCon, and Network ICE was ready,  No one has heard from
> HiverWorld since.
>
> Ah yes, Marketing, blame NAI, Symantec and Zonelabs for re-defining the
> market space or in other words segmenting a very infant market space.  So
> every vendor is attempting fit into as many market spaces as it can, in
> order to get the largest customer base.
>
> > > Is there a clear cut definition out there somewhere?
> >
> > You're asking if marketing respects technical language? <giggle>
> > I wish...  :(  We went through the same kind of nonsense early
> > on in the firewall days - proxy firewalls, stateful turbo
> > multi-whomping packet examination, etc, etc. Eventually terms
> > settle down when the marketing folks find a set of features
> > they can tout that don't cause people to break out in belly
> > laughter whenever they use it.n
>
> I tend to agree with MJR on this space, the marketing type firms out there
> don't really understand the space or the techie geekie stuff that some of
> us utter to them.  The tend to grab onto the first one or two blurbs of
> techie talk and that what they stick with.  You try to explain them the
> different between packet grepping and protocol decode, they get all glossy
> eyed and almost fall over from boredom.  The marketing type people layman
> explanations that some of us can never get across to them without bursting
> out laughing.. :)
>
> /mark
>
> > mjr.
> > -----
> > Marcus J. Ranum
> > Chief Technology Officer, Network Flight Recorder, Inc.
> > Work:                  http://www.nfr.net
> > Personal:              http://www.ranum.com

-- 
John S Flowers                <jflowers () hiverworld com>
Chief Scientist              http://www.hiverworld.com
510.848.0740 x 724 [Office]         510.841.2447 [Fax]