TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Interesting observations in general, however there is an issue that ISS specialists in the main are still not totally clear with how the Network ICE software, which now forms the base for ISS products, works and the differences it has made in IDS technology. A lot of what has been said is true and I would like to comment further on your points! The key to the success of Network ICE, and why ISS paid close on 200 million for a company that turned over 15 million in its previous year, was HOW it did things. The real issues with IDS pre Network ICE were a reliance on signatures in the main, with some low level protocol analysis that was rather specific, coupled with using the packet sniffing of the OS, e.g. NDIS in Microsoft and libpcap in UNIX. The developers of ICE did not use rocket science but looked at the main issues of IDS, which were:

- Speed: IDS was too slow to catch a cold! Most systems started dropping packets at 40% load and many almost quit at 60% load on a 100MBps connection --- not good!
- Complexity: signature based required a lot of power as well, comparing hundreds of signatures against a packet.
- Evasion techniques: polymorphic coding etc. were rendering IDS systems ineffective.

What they did in simple terms was just very very smart. It is not revolutionary, however it required very specialised skills based on 10 years of knowledge (the same guys who built the Expert Sniffer and CyberCop). The one thing that does not change in networking is TCP/IP in terms of its rules and protocols (sure we get new subsets and some changes, but these are uniform and known). If you could build a full 7 layer protocol analyser that could work in real time and apply processes to packets before they "left NDIS", and used an integral firewall, you could "head the indians off at the pass" to defeat attacks and identify suspicious activity in real time! Impossible -- yes -- but they did it! The ICE engine which is now in use in RealSecure Network and Server sensors does just this.
In addition, by using protocol analysis along with signatures you can identify by the type of packet what type of attacks could be in the packet, so you only need to compare a limited number of signatures, REALLY fast! But the big one is morphed attacks and evasion techniques, together with "new" attacks! If I tried, for example, to include data that may have no effect but would change a signature, the system will recognise this as it interprets the packet based upon IP rules, and it will fail! Because most new attacks are constructed using old ones as a base, if we know all about the old ones and have their structures carefully stored (which ICE did), then we can even recognise new attacks in many cases without any signature update! (I personally saw a Guard, the in-line IDS from Network ICE now called RealSecure Guard, detect and prevent a "new" attack worm without knowing what it was! I cannot now recall the name, but it is now regarded as common!) The beauty of such analysis is that you can identify suspicious data which may be unknown. The real point of all this is that signature or pattern matching IDS is becoming redundant with the development of ICE. So why are people so obsessed with writing signatures and signature updates so much? Why this paranoia, and why is it all so complicated? Well, it is a bit like comparing a stick shift to an automatic gearbox! The "boy racer" or "that is how it is always done" person will often insist the stick shift is essential, but modern automatic gearboxes refute this. For example, a colleague who was retiring recently bought a Mercedes and waited for delivery for a while as he was insistent on a stick shift ------ it was what he was used to. I asked why and he said it was because he pulled a caravan (trailer home) and he needed to carefully control the gearbox and the power. You could not do better than a modern automatic gearbox in this case!
I know, I spent 6 years working in the desert and drove off-road continually using a 3 litre supercharged petrol engined 4-wheel drive with ----------- an automatic gearbox; others got stuck --- I didn't. Many people involved with IDS and security think it is necessary to have all this manual control; it isn't any more! Think about it: you see endless queries here about RealSecure and hardly ever one from a user of the original Network ICE systems. I actually had a customer on a training course comment about that and say he is amazed people will put up with such complexity when his system "just does it"!! So why do ISS keep all the complexity of enabling signature composition, ability to use Snort signatures etc.? Because you guys want a stick shift! Sure, that is very general and I am not saying there are not instances where you may wish to customise for specific reasons in your environment, so it has to be there, but you don't need it to stop 99.999% of attacks or identify suspicious attacks. ICE changed all this. By now you probably think I used to work for Network ICE. Well, I didn't, but I was the first ICE reseller in Europe and quite frankly, by proving the above, I initially caused ISS and others real heartache in taking business from them. When ISS purchased Network ICE it was the smartest act in IDS history. Want to know why ISS slays Dragon?? Read above again! I have very detailed documentation on the ICE systems which are now employed in RealSecure should you want to see it.

JT
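The post contrasts flat signature matching with protocol analysis that decodes the packet first and then consults only the signatures relevant to that protocol. The following is an added illustration of that distinction in Python; it is not code from the post's author, from Network ICE or from ISS, and the protocol identification, the signature table and the sample requests are all constructed for the example. A naive engine compares every signature against the raw bytes and misses a percent-encoded variant of a pattern; the protocol-aware engine identifies HTTP, decodes the request line the way a web server would, and then checks only the HTTP signatures, so the encoded variant is still caught with fewer comparisons.

```python
"""Flat signature matching versus protocol-aware matching (illustrative)."""
from typing import List, Optional
from urllib.parse import unquote

# Constructed signature table, keyed by the protocol the parser identifies.
# Only the entries for the identified protocol are compared against a packet.
SIGNATURES = {
    "http": [("dir-traversal", "../")],
    "smtp": [("smtp-long-verb", "VRFY ")],  # hypothetical entry, for dispatch only
}
ALL_SIGNATURES = [sig for sigs in SIGNATURES.values() for sig in sigs]


def naive_match(payload: bytes) -> List[str]:
    """Compare every signature byte-for-byte against the raw payload."""
    text = payload.decode("latin-1")  # latin-1 never fails on arbitrary bytes
    return [name for name, pattern in ALL_SIGNATURES if pattern in text]


def identify_protocol(dst_port: int, payload: bytes) -> Optional[str]:
    """Minimal protocol identification from destination port plus request shape."""
    first_token = payload.split(b" ", 1)[0]
    if dst_port == 80 and first_token in (b"GET", b"POST", b"HEAD"):
        return "http"
    if dst_port == 25:
        return "smtp"
    return None


def normalise_http(payload: bytes) -> str:
    """Decode the HTTP request line the way the server would before matching."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    method, _, rest = request_line.partition(" ")
    path = rest.split(" ", 1)[0]
    # Percent-decode twice so double-encoded sequences are also revealed,
    # then collapse repeated slashes that change bytes but not meaning.
    decoded = unquote(unquote(path))
    while "//" in decoded:
        decoded = decoded.replace("//", "/")
    return f"{method} {decoded}"


def protocol_aware_match(dst_port: int, payload: bytes) -> List[str]:
    """Identify the protocol, normalise, then check only that protocol's signatures."""
    proto = identify_protocol(dst_port, payload)
    if proto is None:
        return []
    text = normalise_http(payload) if proto == "http" else payload.decode("latin-1")
    return [name for name, pattern in SIGNATURES[proto] if pattern in text]


def comparisons_needed(dst_port: int, payload: bytes) -> int:
    """How many signatures the protocol-aware engine compares for this packet."""
    proto = identify_protocol(dst_port, payload)
    return len(SIGNATURES[proto]) if proto else 0


# Constructed sample packets: the same request in plain, encoded and
# double-encoded form.
PLAIN = b"GET /docs/../private.txt HTTP/1.0\r\nHost: example.test\r\n\r\n"
ENCODED = b"GET /docs/%2e%2e/private.txt HTTP/1.0\r\nHost: example.test\r\n\r\n"
DOUBLE = b"GET /docs/%252e%252e/private.txt HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN), ("encoded", ENCODED), ("double", DOUBLE)):
        print(label, "naive:", naive_match(pkt),
              "protocol-aware:", protocol_aware_match(80, pkt),
              "comparisons:", comparisons_needed(80, pkt))
```

Run stand-alone it shows the naive engine matching only the plain form while the protocol-aware engine matches all three, each time against a single signature rather than the whole table. The same request sent to port 25 is parsed as SMTP and never sees the HTTP signatures at all, which is the "identify by the type of packet what type of attacks could be in the packet" point from the post.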
