Tuesday, May 10, 2005

Sourcefire Founder Demolishes IPS Advocate

Many thanks to ghost16825 for pointing me towards this excellent InfoWorld article: The great intrusion prevention debate. The article pits Sourcefire founder Marty Roesch against TippingPoint Chief Technology and Strategy Officer Marc Willebeek-LeMair. Folks, this one is not pretty. Marty demolishes Dr. Willebeek-LeMair by correctly arguing that IPS (called layer 7 firewalls on this blog and elsewhere) is "a step in the right direction, but... the infrastructure itself can be orchestrated effectively to provide a much broader capability than just point defense in the face of a pervasive threat." Dr. Willebeek-LeMair's main defense: "To be as polite and as succinct as possible: You are simply misinformed."

This debate shows how a hardware vendor with a fast packet processing system thinks he can change the world. Dr. Willebeek-LeMair's market-speak falls flat when critiqued by an actual security expert (Marty).

I highly recommend reading the entire interview. Some of you may remember the promises made by firewall vendors and see that the IPS claims are eerily similar. While I agree with Dr. Willebeek-LeMair's assertion that "IPSes will be integrated within switch and router elements" (it's happening now), the IPS is not a panacea.

2 comments:

Anonymous said...

Pointer to Ptacek's blog about this post and the article in general:
http://www.sockpuppet.org/tqbf/log/2005/05/roesch-vs-tpti.html

-srh

ghost16825 said...

Not to beat my own drum... but... OK then, I'll be honest: this post is just to satisfy my ego, I guess.

As I posted here: http://www.dslreports.com/forum/remark,13370759 one of the main reasons why Dr. Willebeek-LeMair might feel he can get by with 'market-speak', as you put it, is because the term IPS is undefined, even within this debate. Some of the points he puts forward may be valid but only if the system is defined as signature-based OR anomaly-based - one or the other. As such the reader can only guess whether the systems he is referring to are a fuzzy mixture of both or based on some 'magic' algorithm. But I'll be the first to admit that my technical knowledge of IPS systems is less than many others more qualified than me, so there may be other 'types' of IPS systems that I haven't mentioned.
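The signature-versus-anomaly distinction ghost16825 raises in the comment above is easy to make concrete. The following is an added example, not part of the original post, the InfoWorld article, or any Sourcefire or TippingPoint product: a toy content-signature engine and a toy statistical anomaly engine run over the same constructed traffic window. The byte patterns in SIGNATURES, the packet records, the baseline window and the source addresses are all hypothetical and constructed inline; the point is that the two approaches flag different packets, so a claim about "the IPS" means something different depending on which engine (or which mixture) the vendor has in mind.

```python
"""Signature-based vs anomaly-based inspection over constructed traffic.

Added illustration; signatures, hosts and packets below are all made up.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    pid: int        # constructed packet id, used only to report hits
    src: str        # constructed source address
    dport: int
    payload: bytes


# Hypothetical content signatures: byte patterns, not real vendor rules.
SIGNATURES = {
    "traversal": b"../../etc/passwd",
    "nop-sled": b"\x90" * 16,
}


def _req(path: bytes, size: int) -> bytes:
    """Build a constructed HTTP request line padded to an exact size."""
    line = b"GET " + path + b" HTTP/1.1\r\n\r\n"
    assert len(line) <= size, "padding target smaller than request"
    return line.ljust(size, b" ")


# Constructed "known good" baseline: 4 hosts, 5 requests each, 40-56 byte bodies.
BASELINE = [
    Packet(100 + i, f"10.0.0.{1 + i % 4}", 80, _req(b"/", size))
    for i, size in enumerate([40, 44, 48, 52, 56] * 4)
]

# Constructed observation window containing one instance of each case.
OBSERVED = [
    Packet(1, "10.0.0.5", 80, _req(b"/index.html", 48)),          # benign
    Packet(2, "10.0.0.5", 80, _req(b"/../../etc/passwd", 48)),    # known pattern, normal size
    Packet(3, "10.0.0.6", 80, b"\x90" * 16 + b"A" * 400),         # known pattern AND oversized
    Packet(4, "10.0.0.7", 80, _req(b"/upload", 300)),             # unknown content, oversized
] + [Packet(5 + i, "10.0.0.99", 80, _req(b"/", 48)) for i in range(10)]  # one host, 10 requests


def signature_matches(window):
    """Return {pid: [signature names]} for packets whose payload contains a known pattern.

    Signature inspection sees only what it already has a pattern for."""
    hits = {}
    for p in window:
        names = [name for name, pat in SIGNATURES.items() if pat in p.payload]
        if names:
            hits[p.pid] = names
    return hits


def anomaly_matches(baseline, window, k=3.0):
    """Return {pid: [reasons]} for packets that deviate from the baseline.

    Two crude features: payload size per packet, and requests per source in the
    window. A packet is flagged when either is more than k standard deviations
    away from the baseline. Nothing here knows what an exploit looks like."""
    sizes = [len(p.payload) for p in baseline]
    size_mu, size_sd = mean(sizes), pstdev(sizes) or 1.0   # sd 0 -> unit scale
    counts = list(Counter(p.src for p in baseline).values())
    cnt_mu, cnt_sd = mean(counts), pstdev(counts) or 1.0
    window_counts = Counter(p.src for p in window)
    hits = {}
    for p in window:
        reasons = []
        if abs(len(p.payload) - size_mu) > k * size_sd:
            reasons.append("payload-size")
        if window_counts[p.src] - cnt_mu > k * cnt_sd:
            reasons.append("request-rate")
        if reasons:
            hits[p.pid] = reasons
    return hits


def coverage(baseline, window):
    """Partition the window's packet ids by which engine(s) flagged them."""
    sig = set(signature_matches(window))
    ano = set(anomaly_matches(baseline, window))
    every = {p.pid for p in window}
    return {
        "both": sig & ano,
        "signature_only": sig - ano,
        "anomaly_only": ano - sig,
        "neither": every - (sig | ano),
    }


if __name__ == "__main__":
    for bucket, pids in coverage(BASELINE, OBSERVED).items():
        print(f"{bucket:15s} {sorted(pids)}")
```

Running it shows the split: the traversal request (pid 2) is caught only by the signature engine because it is a normal-sized request carrying a known string; the large upload (pid 4) and the chatty host (pids 5 to 14) are caught only by the anomaly engine because nothing in their content matches a pattern; only the oversized NOP-sled payload (pid 3) trips both. A vendor describing "the IPS" without saying which of these engines it runs, and how their verdicts are combined, has not told you what it will miss.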