Focus on IDS
Is IDS/IPS worthless? Feb 20 2004 04:31PM
Andrew Plato (aplato anitian com) (12 replies)
Re: Is IDS/IPS worthless? Feb 21 2004 11:53PM
Olaf Gellert (og pre-secure de) (2 replies)
Hi Andrew and all,

Andrew Plato wrote:
> This shut him up, for a while, but it highlighted a growing trend I am
> noticing. It seems like there are a lot of people with an agenda right
> now to shoot down the value of IPS/IDS technologies. IPS in particular
> seems to be painted as a "marketing ploy." I also hear the story "they
> bought an IDS and it just sat in a rack and did nothing" a lot
> (usually from people who don't even know what an IDS does.)
Well, it seems to be like this: If you buy a firewall, you buy
a definite plus in security. Even if you have to open it for
some more ports than you would like, each blocked packet
is a plus of security. If you install an IDS, you have nothing.
You have a system that gathers huge amounts of information.
This information has to be evaluated and so on, so the system
does not add to your security in the first place, but it
generates additional workload.

It is even worse: The system does not make people feel
better (like a firewall), but it may show you all the
dangers coming from the net and the vulnerability of
your own network. So a big part of this is simple
psychology.

> What is happening here? Anybody have any idea why there is a growing
> "anti-IDS" attitude. Is it the failure of IDS to produce value in an
> organization? Is the Gartner "IDS is dead" report having THAT much
> effect on the industry? Are the IDS vendors victims of their own
> over-marketing? Am I a paranoid moron?

It is like so many trends in IT-business. First it gets
hyped with big promises, then people are disappointed, because
their high expectations are not met and they realize that
things are expensive. This always happens in the security
business, because people try to actively sell new technologies
as wonderful products. In reality, security products are
only costly, but they are necessary to ensure that the
other business of companies can be continued. Like the
PKI-stuff in the last years: It is costly, it takes
time, it is necessary for secure communication.

But we may learn something from watching PKI in the last
years: After all the marketing companies declared PKI
to be a NO-word, it just comes into wide-spread use:
People realize that they need secure communication and
learn that PKI is not a wonder, but some quite normal
technique, that is useful, costly and necessary.

This is my view of IDS in the near future: IDS has
to be improved step by step. E.g. reduce the number of
false positives, generate more specific alerts according
not only to attacks used but also to the configuration
of the attacked system (who cares about an MS cmd32.exe
access on a linux apache webserver?). More dynamic
evaluation of monitored (but new and unknown) things
will be incorporated (honeycomb is one of the projects
in this direction). And in a few years IDS will be a
common network security technique. It may as well be
that IDS will be sold as managed services to companies
(because small and medium entities will not have the
necessary knowledge at hand). But the acceptance of
IDS will slowly grow...

Just my 2 cents...

Olaf

--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Consultant, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og (at) pre-secure (dot) de
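
The target-aware alerting suggested in the message above (rating an alert by the configuration of the attacked system, not only by the attack seen), as an added example that is not part of the original post or of any IDS product. The inventory, addresses, signature name and priority labels are constructed assumptions.

```python
# Added illustration: names, addresses and signature metadata are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    os: str       # e.g. "linux", "windows"
    server: str   # e.g. "apache", "iis"

@dataclass(frozen=True)
class Alert:
    signature: str
    dst: str
    affects_os: frozenset      # platforms the signature's attack applies to
    affects_server: frozenset  # server software it applies to; empty = any

# Constructed inventory (documentation address range).
INVENTORY = {
    "192.0.2.10": Asset(os="linux", server="apache"),
    "192.0.2.20": Asset(os="windows", server="iis"),
}

def triage(alert, inventory):
    """Return 'high', 'low' or 'unknown-target' for one alert."""
    asset = inventory.get(alert.dst)
    if asset is None:
        # No configuration data: never downgrade what cannot be verified.
        return "unknown-target"
    os_match = asset.os in alert.affects_os
    server_match = not alert.affects_server or asset.server in alert.affects_server
    return "high" if os_match and server_match else "low"

def summarize(alerts, inventory):
    """Group alert destinations by priority; nothing is discarded."""
    buckets = {"high": [], "low": [], "unknown-target": []}
    for a in alerts:
        buckets[triage(a, inventory)].append(a.dst)
    return buckets

# Constructed alerts: the same Windows-only signature seen at three hosts.
SIG = dict(signature="HTTP request for Windows command shell",
           affects_os=frozenset({"windows"}), affects_server=frozenset({"iis"}))
ALERTS = [Alert(dst=ip, **SIG) for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.99")]

if __name__ == "__main__":
    for prio, hosts in summarize(ALERTS, INVENTORY).items():
        print(f"{prio:15} {hosts}")
```

Low-priority alerts are kept rather than dropped, since a mismatched probe still records that the host was targeted, and hosts missing from the inventory get their own bucket instead of being silently downgraded.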

Copyright 2008, SecurityFocus