Re: Hybrid IDS

[mark.teicher () networkice com]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
John,

OK, I retract my statement regarding not hearing from HiverWorld.  I know 
for a fact I left a few messages on your voicemail and did not hear back 
from either yourself or Patrick Heim.. Did speak with someone female 
regarding that you were in meetings all day..  :)  I have forwarded your 
reply to Rob, and hopefully we can coordinate the arrangement of the test 
this time, I am making no promises, since we are approaching some heavy 
deadlines.. :)

John, call me when you have time so that we can make sure the coordination 
effort happens.

/mark



At 04:29 PM 9/7/00 -0700, John S Flowers wrote:
> Mark,
>
> I've had a message into Robert Graham and cc'd other persons for the
> last 2 weeks or so.  I've sent numerous messages commenting on the
> challenge and even replied to the document entitled "jolt2" that was
> sent by Robert to myself and others.
>
> In reference to the document - http://www.robertgraham.com/op-ed/jolt2
> -- On August 24th I said, "I like what you've written (jolt2) and think
> you should publish it."
>
> I believe that the claims made by Robert Graham are so outrageous that
> there's no real need to even validate them (see the link above, if it's
> even active).  I'm sure that everyone will see this to be the case if
> this document actually makes it to the public.
>
> Otherwise, I'm more than happy to actually run a real test against your
> IDS and see if it can sustain 148,800 packets per second and provide
> alerting/counting on the attack.
>
> This was the original claim made by Robert to the crowd at Defcon and to
> the IDS list a while ago (i.e. not the single packet against an invalid
> IP address that is mentioned in this document).  This is the claim that
> I believe Robert should stick to, not the "jolt2 test" in the document
> at the link above.
>
> I've not yet received a copy of BlackICE for the purpose of this real
> world test and I haven't heard from Robert since Aug 24th (2 weeks ago).
>
> For the record -- I've been seriously busy, but I HAVE kept in touch
> with Network ICE and Robert Graham since this claim was made.  So the
> accusation that "no one has heard from Hiverworld since" is completely
> misleading.
>
> "Teicher, Mark" wrote:
> >
> > At 10:02 AM 9/7/00 -0400, Marcus J. Ranum wrote:
> >
> > >One place where the personall firewall / IDS hybrids present an
> > >interesting challenge to clarity is in performance marketing.
> > >Since they're operating at a packet level (sort of) an unscrupulous
> > >vendor (hi! you know who you are!) could claim their performance
> > >figures in terms of packets processed/second. So the vendor could
> > >say "in recent tests, our network IDS handled 10,000,000,000
> > >packets/second!!" without mentioning clearly that this was
> > >accomplished using a single host on a switch, but the host was
> > >only looking for attacks directed at itself... Such claims have
> > >already been made - clearly deceptive, but there you have it.
> >
> > Whoa, wait a minute here, Network ICE accepted the challenge from
> > Hiverworld at DefCon, and Network ICE was ready,  No one has heard from
> > HiverWorld since.
> >
> > Ah yes, Marketing, blame NAI, Symantec and Zonelabs for re-defining the
> > market space or in other words segmenting a very infant market space.  So
> > every vendor is attempting fit into as many market spaces as it can, in
> > order to get the largest customer base.
> >
> > >>Is there a clear cut definition out there somewhere?
> > >
> > >You're asking if marketing respects technical language? <giggle>
> > >I wish...  :(  We went through the same kind of nonsense early
> > >on in the firewall days - proxy firewalls, stateful turbo
> > >multi-whomping packet examination, etc, etc. Eventually terms
> > >settle down when the marketing folks find a set of features
> > >they can tout that don't cause people to break out in belly
> > >laughter whenever they use it.n
> >
> > I tend to agree with MJR on this space, the marketing type firms out there
> > don't really understand the space or the techie geekie stuff that some of
> > us utter to them.  The tend to grab onto the first one or two blurbs of
> > techie talk and that what they stick with.  You try to explain them the
> > different between packet grepping and protocol decode, they get all glossy
> > eyed and almost fall over from boredom.  The marketing type people layman
> > explanations that some of us can never get across to them without bursting
> > out laughing.. :)
> >
> > /mark
> >
> > >mjr.
> > >-----
> > >Marcus J. Ranum
> > >Chief Technology Officer, Network Flight Recorder, Inc.
> > >Work:                  http://www.nfr.net
> > >Personal:              http://www.ranum.com
>
> --
> John S Flowers                <jflowers () hiverworld com>
> Chief Scientist              http://www.hiverworld.com
> 510.848.0740 x 724 [Office]         510.841.2447 [Fax]