Comments on TaoSecurity Blog: "IDS Is Dead" Prophet Misunderstands "Sniffing"
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16 06:06 -04:00. Six comments, newest first.

Comment by Anonymous, 2005-10-01 02:51 -04:00:

This comment has been removed by a blog administrator.

Comment by Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2005-07-06 19:22 -04:00:

Sheesh -- it's not like I didn't post a follow-up story (http://taosecurity.blogspot.com/2005/07/gartner-analyst-suffers-editing-issues.html) that shows Mr. Pescatore was the victim of poor editing and that he originally meant to use the term "scanning."

I guess I should not have called Mr. Pescatore the "IDS is dead prophet," since that title might belong to you (http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp)? :)

"Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled," said Richard Stiennon, research vice president for Gartner. "Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities."

I do not disagree that firewalls have integrated IPS functions by inspecting layer 7 traffic. I think this is a good idea and the natural evolution of the firewall and IPS as access control devices.

The IDS is not an access control device, however. The IDS should be used as a device to detect access control and security policy failures. In its network audit role, it should keep track of what's happening on the network, and provide that evidence once an analyst knows where to look.

Do you think protocol analyzers are "market failures" because they only detect traffic and don't block it? Of course not -- different roles, different utilities.

I've written several books (http://www.taosecurity.com/books.html) on this subject that I don't want to summarize here. At some point I'll try to write a short article about these ideas, however.

Thanks for stopping by!

Comment by Anonymous, 2005-07-06 19:06 -04:00:

Sheesh. How snooty to think that the security practitioners can co-opt terms like "sniffing" (which means to inhale through the nose for the purpose of *smelling*). JP obviously meant that hackers were snooping around looking for vulnerable systems. The context says it all.

And in all fairness you should not tar JP with the "IDS is Dead" brush. Although he was supportive of the concept at the time because he is a great proponent of stopping attacks as opposed to watching them.

http://www.netforensics.com/inthenews_article.asp?id=19

Comment by Anonymous, 2005-06-30 13:18 -04:00:

I know that John knows the difference between sniffing and probing. He probably used terms the general masses would understand.

However, you guys are right. Security vernacular is no longer vernacular. The visibility of our field (security) among lay people and security-ignorant IT people is much higher now than in previous years. Therefore, a definition of a certain term will slowly be transformed over time to mean something else. Look at the term "hacker" for example.

I was on an engagement where an IT professional for a very large govt. agency referred to IDS as a "probe". He asked the question "how many of these probes are you going to install?" This person was a senior engineer with this agency for at least a decade. If this catches on, we may be referring to IDSs as "probes". What a shame.

Comment by Anonymous, 2005-06-29 23:43 -04:00:

I tend to use the term sniffing more on the network troubleshooting side than on the security side of the house...

Can't we all just get along!

Just kidding, but I'm right there with ya Richard.

Comment by Anonymous, 2005-06-29 17:41 -04:00:

"I do not know what motivated an outfit like Gartner to apply 'sniffing' to the scanning activity in question."

Money? Being the first one to press? I think the more general question of what motivates Gartner (oops, we're back to money again, aren't we?) would be more applicably applied.

I'm with you regarding specificity of language in the security profession. But the media "drones", to coin your term, have already bastardized the use of terms like "virus", "worm", et al, beyond the point of recognition. I guess Gartner's got the "what the heck, why not?" attitude about it all.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com