Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: How to choose an IDS/FW MSS provider

from [Adam Powers] Network Security [Permanent Link]
Subject: Re: How to choose an IDS/FW MSS provider
Date: Sat, 12 Mar 2005 08:15:08 -0500 

On 3/11/05 10:14 AM, "David W. Goodrum" <dgoodrum@nfr.com> wrote:




What looks good with ISS, MSS Dept is that you have somehow the
X-Force support http://xfoce.iss.net ; as far as I know and tell me if
I am wrong, ISS is the only security provider having an R&D dept which
is the X-Force team.


If you mean that ISS is the only company doing R&D I'd have to disagree,
plenty of other competent vendors out there are doing R&D.


Yeah but having lived in Atlanta and worked around a bunch of these guys for
years, I can tell you that there aren't many other companies in the world
(if any) with the same amount of budget and talent assigned to security R&D.
Gotta give props were props is due.





Also, my question was about how to choose an IDS *AND* FW firewall. I
know I am a bit out of the topic of this mailing-list but you can be
good at IDS and maybe bad at firewalls which are much more complex
through.


Many IDS vendors are integrating Firewalls into their product, just like
Firewall vendors are trying to catch up on the Layer 7 analysis.  Both
types of technologies are coming tgether to some degree.  We've actually
embedded pf (freebsd's firewall) into our product now.  The difference
really will be WHERE you want to deploy and what your requirements are.
For example, most companies with IPS products (such as ISS, NFR, etc),
are generally implemented in a "bridging" mode.  i.e. even though they
are doing firewalling, they are still invisible to the network and don't
require changes to the network architecture to implement them.  Bridging
firewalls are probably not what you want on the perimeter, and so you
should look to a more traditional firewall.   Traditional firewalls are
not invisible, meaning they can do more traditional firewall roles
including NAT, routing, and other fun stuff.  The downside there is that
they are also exposed to attack.


Just cause your in L2 mode doesn't make you immune to attack
(http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump). The box still
has to process packets just like any other L3 app. I'm not sure how bridge
mode makes a box "invisible". Besides, the device still needs an IP on the
local network for management. Sounds like security through obscurity to me.

With the obvious success of IPS technologies at the perimeter, I find it
hard to believe that IPS and FW technologies will remain disparate
technologies for more than a few more years. The IPS vendors need to do one
of two things:

1. Find a good firewall vendor to acquire them or
2. Build a full featured firewall from scratch.



What I'm getting at is that Defense in Depth still applies, even though
these two technologies seem to be coming together rather quickly.  If
you deploy a true routing firewall on your perimeter, you should protect
it with an invisible IPS product (there have been plenty of cases of
routing firewalls being compromised).  Internally, when you create your
quarantine areas, most organizations don't require advanced firewalling
features such as NAT and routing.  In those cases, it might be a good
fit for a bridging firewall (like today's IPS vendors).

Does anybody care about best of breed anymore?


This is probably not going to be well received on this particular list but I
think it holds true... Talking to Chris Hovis the other day, he mentioned
that what (most) customers want is "good enough security". This means that
as long as the technology works and the problem gets solved, the technology
is "good enough". Are all those neato-gizmos that the best-of-breed vendors
provide valuable? Sure, but at the end of the day customers want to pay
"just enough" to solve the problem.





PS: and once again, ISS is in the gane for 10 long years. What about
the competitors?


NFR was founded in 1996 and still chugging away.  ;)


Thanks,

Stephane




--------------------------------------------------------------------------

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------





-- 

Adam  Powers
Director of Technology
Lancope, Inc.
c. 678.725.1028
f. 770.225.6501
e. apowers@lancope.com

StealthWatch by Lancope - Security Through Network Intelligence?



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: How to choose an IDS/FW MSS provider, fuijdancer
Next by Date:  Re: How to choose an IDS/FW MSS provider, David W. Goodrum
Previous by Thread:  RE: How to choose an IDS/FW MSS provider, Stuart Staniford
Next by Thread:  Re: How to choose an IDS/FW MSS provider, David W. Goodrum
Indexes:  [Date] [Thread] [Top] [All Lists]