Re: Security followup

Subject: Re: Security followup
From: Decker Wong-Godfrey <dfgodfrey -at- milmanco -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Mon, 20 Jan 2003 11:35:18 -0800


>> Isn't "Automated Intrusion Protection" just an Internet Security
>> Systems buzzword for dynamic firewall configuration?

> No. Not at all. Intrusion Prevention Technologies (IPS) are a growing area of
> security. IPS are in-line IDS and firewall combinations. There are also
> host-based versions. These systems have their own firewall and as such can
> respond to events. If somebody tries to send a buffer overflow attack, like
> Code Red, these systems can block the intruder and drop the offending packets.
>
> What you're thinking of is session sniping (RST packets) or OPSEC config. Both
> of which are very unreliable methods of blocking intruders mainly because of
> the tremendous latency involved.

And what is the difference between an "in-line IDS and firewall combination" and Snort/IPChains, PF, IPFilter, or any of the other firewalls that Snort will dynamically configure? Neither you nor ISS has shown anything inherently different about the two (other than the marketing).

>>> Have you ever actually supported a Snort system in a real environment?

>> Yes. It works quite well.

> I mean an enterprise environment, seeing millions of TCP sessions along with gigabytes
> of UDP traffic? I have. It's not easy. It takes a lot of custom configuration
> work and documentation.
>
> And when I say I have - I mean my company has. I sent out contractors who are
> skilled Linux people.

Gee, I wish you'd qualified your last post with all this information. So, really, unless you're an enterprise level customer, you don't need to customize Snort. Almost everyone can benefit from it.

How many enterprise-level customers do you have that want a drop-in solution to their problems? They know that it's worth the time and money to get what they want. The thing to think about here isn't that the customization had to be done, but that it could be done at all; ISS won't provide you or any of your contractors with the ability to customize their code for your needs.

>> But you should probably read the following to find out why "Automated
>> Intrusion Protection" isn't something you necessarily want to begin with:
>>
>> http://online.securityfocus.com/infocus/1540

> Doesn't even mention IPS technologies. It mentions session sniping and OPSEC
> firewall configuration. That is a different kind of intrusion prevention.
>
> Furthermore, a lot of people are arguing about IPS. In fact, I have debated
> this technology on the Security Focus forums before. I also was interviewed in
> Network Security magazine about this.

Well, since I've provided you with the evidence you're always asking for, at least you could reciprocate. What makes IPS more than another marketing buzzword?

>>> ISS actually used to have a Linux agent that did this, and they
>>> cancelled it because nobody bought it.

>> The fact that Snort already does this, is open source, and is well
>> supported means that there's no real need for a proprietary competitor.

> No, it's economics. There is no money to be made in open source.

Heh, that's funny coming from someone who has made money from the open source business model. How do you think you were able to make customizations to Snort and not be forced to release them to anyone else but the enterprise customer who contracted you? That's how open source works.

Think of software as a service, not a product and you'll be well on your way to understanding how the open source business model works. The GPL states that a developer need only release the source code to anyone that the binaries are released to. If you're contracted to write software for a particular company and you release the binaries only to that company, you need to release the source code to that company. You didn't need to give away that new code to anyone else.

> This is even evidenced in the very program you speak of: the inventor of Snort
> founded a business to sell commercial versions of Snort called Sourcefire
> (which my firm sells). Sourcefire sensors overcome a lot of management and
> administration headaches of Snort, proving that there was clearly an issue with
> Snort that prompted the need for a commercial version.

Maybe you should read this:
http://www.der-keiler.de/Mailing-Lists/securityfocus/focus-ids/2002-07/0007.html

This explains exactly why the owner of Snort decided to fork the code. It has nothing to do with economics.

As responding to hyperbole and opinion about business is taking too much of my time, consider this my last post on anything but Linux security vs Windows security. You've dragged this thread everywhere around the subject, instead of keeping to the issue (read the subject line, in case you've forgotten). It is getting less and less meaningful to the primary audience, and is becoming more and more a public flame-war.

The economics of Linux are a completely irrelevant matter. If you want to talk about the business of Linux, please feel free to e-mail me off-list. Although I feel I should correct you before I sign off: Red Hat is currently worth a little over a billion dollars. Mandrake's woes stem from venture capitalists asking "business people" to manage the company. The hired "business professionals" proceeded to dot com the company into e-education instead of concentrating on Linux. In the last year, Mandrake has fired the management team responsible for their current state and increased profits over 445%. So now that they can concentrate on the future of the company rather than paying off creditors, they should soon be back in black. It's called Chapter 11, it's where many of the airlines you fly on are right now. It doesn't mean that they don't work, it means that they can restructure.

References:
Re: Security followup: From: Andrew Plato