RE: [ISSForum] Gartner declares IDS obsolete by 2005

Sometimes I think reading these "Crystal Ball" reports is like listening to
statistics .... The writer can make it mean anything they want to.  Yes, of
course IDS systems are going to fade out ... at least as far as being the
sole method of protection beyond the firewall.  Protection-in-depth (despite
its buzz-word status) is now ... and most likely will continue to be ...
the best way to provide the layered approach that is necessary to protecting
our users.

There have already been several other replies to Aji's question and they all
agree that a merging of Firewalls and IDS/IPS will be the wave of the
future.  Though I am of the same thought - someone is going to have to do a
LOT of convincing for me to believe it will be done by 2005.  ISS's
SiteProtector system with the Fusion Module, Security Scanner, and Host IDS
products comes as close as any to eliminating the bulk of the false
positives and I STILL would NEVER think of letting the final analysis
automatically send blocking commands to my firewall.  There are still too
many "false positives" that occur.  I cannot even imagine the immense amount
of labor it will take to incorporate and "tune" these all-in-wunders on a
large complex business network.

I think many would agree that past the hacks that involve taking advantage
of well-known vulnerabilities - the worst danger consists of user-installed
backdoors and trojans.  Whether via ignorance because they just didn't know
better, foolishness because they were aware of good policy but chose to ignore
it, or downright insider hacking... the worst security problems still occur
due to a breach from the inside of the network.  Until a product can be
spread right down to the desktop at a reasonable cost this will continue to
be a nightmare: Nobody is there yet.

Opening a can of worms ... P2P applications are the foulest of the growing
risks.  The vendors of these applications are complaining that we are
blaming too many of our problems on their products ... They're right we
are - because it's true!  As long as these programmers continue to write
code INTENDED to subvert our firewalls I will continue to wage battle to
block and make it as difficult to use these apps as is humanly possible.

End of Spiel.

Henry P. Schupp

A comment on "false positives".  My interpretation and that of any IDS
vendor must BY NATURE differ.  To them, as long as an IIS signature saw the
"../.." pattern and triggered - it was therefore a "true positive":
regardless of whether the target was an IIS server, an Apache server, a Mac,
an iPod, or a user's desktop.  The IDS saw the "../.." pattern so it triggered
... "true" ... right?  My analysis has to take the other factors into
consideration.  So if in any of my correspondence I label something as a
"False Positive" that a vendor would want to say "Wait just a cotton-pickin'
minute!" in order to correct my thinking ... Please know that I do
UNDERSTAND their definition - I just don't agree with it all (most) of the
time.  hps
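The two points in the message above (a signature hit is the vendor's "true positive" but not necessarily the analyst's, and the final analysis should not push blocking commands to the firewall by itself) can be shown in a few lines of code. The following is an added example written for this thread; it is not code from ISS, SiteProtector or any poster. The asset inventory, the alerts and the threshold are constructed sample data, and the "../.." pattern stands in for the IIS signature discussed in the post.

```python
"""Context-aware triage of signature alerts.

A pattern matcher fires on "../.." exactly as a signature engine would, with no
knowledge of the target. A second step consults a (constructed) asset inventory
and turns that raw hit into an analyst verdict. A final step collects repeat
offenders as block *candidates* for a human rather than issuing firewall rules.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed signature: the directory-traversal pattern from the post.
TRAVERSAL = re.compile(r"\.\./\.\.")

# Constructed asset inventory: the context the raw signature does not have.
ASSETS = {
    "10.0.0.10": {"role": "web", "software": "iis"},
    "10.0.0.11": {"role": "web", "software": "apache"},
    "10.0.0.50": {"role": "desktop", "software": "none"},
}


@dataclass
class Alert:
    src: str
    dst: str
    dst_port: int
    payload: str


def signature_fires(alert: Alert) -> bool:
    """The vendor's view: did the pattern occur? Nothing else is consulted."""
    return TRAVERSAL.search(alert.payload) is not None


def triage(alert: Alert) -> str:
    """The analyst's view: combine the signature hit with what the target runs.

    Returns one of 'no-match', 'noise', 'investigate', 'actionable'.
    """
    if not signature_fires(alert):
        return "no-match"
    asset = ASSETS.get(alert.dst)
    if asset is None or asset["role"] != "web":
        # Traversal probe at a desktop or unknown host: nothing for an IIS
        # signature to hit, so the analyst files it as a false positive.
        return "noise"
    if asset["software"] != "iis":
        # Right pattern, wrong product (Apache): worth a look, not an incident.
        return "investigate"
    return "actionable"


def vendor_positive_count(alerts) -> int:
    """How many alerts the signature engine would report as true positives."""
    return sum(1 for a in alerts if signature_fires(a))


def block_candidates(alerts, threshold: int = 3):
    """Sources with at least `threshold` actionable hits.

    Deliberately returns a list for an analyst to review instead of pushing
    rules to a firewall; the decision to block stays with a person.
    """
    counts = Counter(a.src for a in alerts if triage(a) == "actionable")
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample alerts: one scanner sweeping three hosts, plus normal traffic.
SAMPLE_ALERTS = [
    Alert("203.0.113.5", "10.0.0.10", 80, "GET /cgi/../../readme.txt HTTP/1.0"),
    Alert("203.0.113.5", "10.0.0.11", 80, "GET /cgi/../../readme.txt HTTP/1.0"),
    Alert("203.0.113.5", "10.0.0.50", 80, "GET /cgi/../../readme.txt HTTP/1.0"),
    Alert("203.0.113.9", "10.0.0.10", 80, "GET /index.html HTTP/1.0"),
    Alert("203.0.113.5", "10.0.0.10", 80, "GET /docs/../../readme.txt HTTP/1.0"),
]


if __name__ == "__main__":
    print("vendor true positives:", vendor_positive_count(SAMPLE_ALERTS))
    for a in SAMPLE_ALERTS:
        print(f"{a.src} -> {a.dst}: {triage(a)}")
    print("block candidates for review:", block_candidates(SAMPLE_ALERTS, threshold=2))
```

Run as a script, the sample shows four vendor positives for the same sweep but only two analyst-actionable hits, both against the one IIS host; the Apache and desktop hits are the "false positives" the post is arguing about, and even the repeat offender only reaches a review list.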

I would like to have ISS Forum members comment on this.


Best Regards

Aji Abraham

