
June 14, 2006

IDS/IPS for the birds

Mike Rothman and Chris Hoff have both written articles in response to my recent IDS/IPS evolutionary article.  Rather than comment on both of them, I thought I would respond formally here.  So here it is.  First of all, Mike, you are showing your age with the Rodan stuff. I of course knew exactly what you meant, but my 4-year-old would not have a clue.  However, ask him about Archeopteryx and he will tell you it is a dinosaur turning into a bird.  He can also tell you just about any dinosaur and what it eats; kids today are smarter than we were, but I digress.  Back to the IDS/IPS stuff. Mike, I think it is more like what I heard from an IDC analyst once: a security technology has a shelf life of 24 to 36 months and then it gets subsumed into another, newer technology. To paraphrase Douglas MacArthur, old security technologies never die, they just fade ... into something else.

Specifically with IPS, one can make an argument that they have never caught on as expected.  The selling of these products is mature, but the use of them is not.  I think people are not using them as intended.  Most people do not enable anywhere near a full rule set and are still hesitant to let them block automatically, except for the most rudimentary traffic.  Even though it has been 2 years since the famous/infamous "IDS is dead" statement from the G men, people are still using IPS as IDS.

The perimeter is no longer where the battle is being fought.  I think castle-and-moat perimeter security is like the Maginot Line in WW II. The bad guys are going around, through and behind the perimeter.  What defense is valuable at the perimeter can be delivered by today's UTMs and multi-purpose appliances.  We have seen this for some time at StillSecure.  People are interested in putting IDS/IPS at the core, hence the need for 2, 4 and higher Gbps functionality.  Internal security is where the battle is being fought today.  I think Chris is right on in this regard.  I think the next evolution is, as Chris says, UTM for internal security.  I also agree with Chris that today's behavior-based IPSs are not the answer. I think they are good monitoring solutions.  However, I think internal security is going to be tackled by a new class of technology, much like what CounterStorm and those types of folks are doing.

As to post-admission NAC, I agree with Mike that it does have a place at the table. However, it again is not just at the perimeter or just for VPNs.  People are logging on to the network from all over the network, inside and outside, wired and wireless, with managed devices and unmanaged devices. I think pre-admission NAC gets built into the network fabric as well.  I did not mean to single out Sourcefire; I could have picked any number of companies who have moved this way in the last 6 months.  The issue is that the market has not matured enough to clearly distinguish between these types of approaches, and so the waters are muddy.

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
