Subject: Re: Symantec IDS Experts????????????????????
From: Elliot Turner (eturnerINTRUSION.COM)
Date: Tue Oct 17 2000 - 17:10:29 CDT


Gene,

Thanks for the response. I'll address each of your points below:

>Why do you need commercial support if you can configure and support
>the beast yourself? It feeds back into the comment "...people buy
>commercial products primarily due to the lack of expertise in
>configuring and maintaining open source systems."

Configuring and maintaining an IDS is only half the battle. There are lots of other issues to deal with that most organizations aren't equipped to handle, i.e.:

 - writing new protocol decoding modules

Writing a protocol decoding module (implementing an RFC standard) is no easy task. In addition, open source solutions such as Snort don't even allow you to write protocol decoding modules. These systems are based on network grep techniques (an old and unreliable form of attack detection) that most vendors have given up on. Network grep is highly prone to evasion tactics and false positives. This goes back to my original statement regarding current open source solutions being based on outdated technology.

 - writing new attack signatures

While _some_ organizations _may_ have an individual on-site with the networking and attack knowledge to write an attack signature, this is not some "occasional task". New vulnerabilities are discovered every single day, and many discovered vulnerabilities are not released with exploitation details. This leads to two problems for open source developers:
 1. Time - Monitoring security mailing lists, vulnerability archive sites and other resources for new vulnerability information is a full-time job. Most IDS vendors employ entire teams to do such activities. So you could either employ a full-time engineer (an entire team, really) to write signatures for your open source solution, paying each engineer $80,000/yr or more, or buy a commercial offering.
 2. Information - Vulnerabilities are often published without exploitation details, depending on the publishing organization or vendor. This requires reverse engineering work on the part of the attack signature writer, to discover the method of attack and write a signature. So the (Time, #1) factor is increased even further.

 - preventing new IDS evasion tactics

IDS technology is an ongoing war, where attackers attempt to discover new methods to subvert the systems and the IDS software producers employ protective/detection measures. Lots of evasion methods exist, beyond simple fragmentation attacks. For a starting point, refer to the Ptacek/Newsham paper on IDS evasion (wonderful read). So add on some engineers to constantly stress-test and re-code your IDS to handle new evasion attacks, at a minimum of $80-100k/yr each.

In regard to being cost effective, your open source solution has just
escalated from being free to well over $300-400,000 per year in maintenance
costs.

>Additionally, when you talk about management infrastructures, you
>really need to explain which ones you mean. I very easily set up

Integration into facilities such as CA Unicenter, HP OpenView, etc. If you're managing an enterprise network with dozens or hundreds of remote sites, you need to have your IDS integrate into the rest of your management infrastructure.

>While I wouldn't put snort up against the full-fledged commercial
>IDSes out there now, I may do it in a year. All things being equal,

Snort is several years behind the top-tier commercial offerings. If much effort were put into Snort over the next year, it would still be behind. (IDS vendors don't simply create a product and start development; it's an on-going process). I personally believe that IDS is far too much of a "niche" area in the open source community to attract sufficient developers to truly compete. In addition, IDS knowledge is held by a very few individuals, and thus the available pool of developers is quite small.

> I would also take an open-source IDS as my system instead of a
> commercial one ANY day; I know how to make open source systems work,

This isn't a valid argument. That's like saying, "I know how a steam engine works, so forget modern automobiles". Solutions should be based on their technical capabilities and whether or not they are suitable for deployment, not if you understand their internals.

> and saving money (while being technically proficient) will ALWAYS
> make me look good to management.

You won't look good to management when your network gets compromised because you're using 2-year-old technology that isn't suitable for production environments.

Security is no laughing matter. If someone isn't truly concerned about keeping out attackers, and is just "interested" in the occasional knowledge of who's doing what on your network, they should run snort. It's an adequate solution in this case, because this type of person isn't looking for an IDS. They're looking for a sniffer toy.

Someone who is truly concerned about protecting their network wouldn't run a system that can be easily evaded with tactics that are years old, and is utterly unmaintainable from a resources/manpower standpoint (see my three points in the beginning of this message).

Thx,

Elliot
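As an added illustration of the evasion point raised in the message above (example code written for this page, not part of the original post or of any IDS product): a per-packet "network grep" matcher beside a matcher that reassembles the TCP stream first, run over constructed segments in which the signature straddles a segment boundary and arrives out of order. The signature bytes, sequence numbers and payloads are all constructed for the example.

```python
# Added example, not from the original post: per-packet "network grep"
# versus stream reassembly, run over constructed TCP segments.
from typing import List, Optional, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)

# Constructed signature the detector looks for (a generic HTTP request line).
SIGNATURE = b"GET /cgi-bin/phf"

# Constructed segments of one connection, delivered out of order, with the
# signature split across the two payloads.
SPLIT_OUT_OF_ORDER: List[Segment] = [
    (1009, b"bin/phf HTTP/1.0\r\n\r\n"),
    (1000, b"GET /cgi-"),
]

# Constructed segments with a hole: bytes 1009..1019 never arrive.
WITH_GAP: List[Segment] = [
    (1000, b"GET /cgi-"),
    (1020, b"phf HTTP/1.0\r\n\r\n"),
]


def grep_per_packet(segments: List[Segment], signature: bytes) -> bool:
    """Naive 'network grep': test each payload in isolation. A signature
    that straddles a segment boundary is invisible here."""
    return any(signature in payload for _, payload in segments)


def reassemble_stream(segments: List[Segment]) -> bytes:
    """Order segments by sequence number and join contiguous data.
    Stops at the first gap, since bytes after a hole are not yet trustworthy.
    Overlaps and retransmissions (see Ptacek/Newsham) are out of scope here."""
    stream = b""
    expected: Optional[int] = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is not None and seq != expected:
            break
        stream += payload
        expected = seq + len(payload)
    return stream


def grep_stream(segments: List[Segment], signature: bytes) -> bool:
    """Protocol-aware matcher: search the reassembled byte stream instead."""
    return signature in reassemble_stream(segments)
```

The per-packet matcher returns False on the split connection while the stream matcher returns True; on the connection with a hole the reassembler stops at the gap, so the detector reports nothing rather than matching on bytes it cannot trust.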