50 posts categorized "IDS/IPS"

May 13, 2008

IPS - is it soup yet? Mike Chapple says yes and no

Mike Chapple over at SearchSecurity has a good article up on whether IPS is mature enough for enterprises to deploy. Some may say that Mike has been asleep at the wheel, because certainly plenty of IPS appliances have been sold over the last 3 to 4 years. Mike comes to the same conclusion I did almost 2 years ago in this article: namely, that the selling and marketing of IPS has far outstripped the actual performance of these devices. As Chapple says, "While today's IPS devices can keep up with high-speed network connections and process rulebases more efficiently, I'm not sure that the technology itself has matured; in fact, it hasn't really changed much at all."

Just as I said back then, people today are still using IPS as IDS. In spite of what Richard Stiennon said back in 2003, it is still the case. Those that have ventured beyond pure IDS do so on a limited basis. Mike lays out three best practices that most who are successful with IPS adopt:

  1. Run the IPS in "monitor" mode until it's clear that the system is properly tuned. We have been recommending this with our Strata Guard IDS/IPS for years. In fact we have a tuning wizard which gives you a real leg up in getting started with your tuning. In essence, though, this means that you start off not blocking anything, and only after seeing what is really happening on your network do you selectively start enabling blocking of specific types of attacks. You don't just turn on every rule to block. This advice is similar to what our best practices in NAC recommend as well.
  2. Keep the number of "block" mode rules to a small, finely tuned set. Again, this has been the reasonable route for a while now. Most IPS today runs in a hybrid IDS/IPS mode. Be selective in what you actually want to block versus what you just want to alert on and/or log. Too many rules set to block will lead to failure. Being smart about which rules are set, and grouping attacks so that they trigger a minimum number of rules, is key. I have seen rule sets where one kind of attack can trigger multiple signatures. This fires more blocks than necessary and burdens your system for no reason. Don't overlap your rule sets if you are using Snort!
  3. Consider using a fail-open device. Inline devices are a single point of failure. If your IPS does not offer some sort of bypass or other fail-open device, you are asking for trouble. Also, don't settle for the sales guy telling you the software or appliance is designed to fail open. In a power failure that isn't going to help. Make sure it is a self-powered bypass to be sure.
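As an added illustration of the first two practices (this is not code from the article, from Mike Chapple, or from StillSecure or the Snort project): a small Python checker for a Snort-style rule file that reports how much of the set is actually blocking, promotes only a reviewed list of SIDs from alert to drop, and flags rules whose header and content matches are identical, so that one attack does not fire several signatures. The rule lines, the SIDs in the local 1000000+ range and the 25% blocking ceiling are constructed assumptions, and the option parser is deliberately simplified (it splits options on ";").

```python
import re
from collections import defaultdict

# Constructed sample rule set (not from the article); Snort 2.x rule syntax.
# SIDs in the 1000000+ local range are placeholders.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example traversal"; content:"../../"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example traversal (dup)"; content:"../../"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH example SYN probe"; flags:S; sid:1000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB example worm"; content:"|ff|SMB"; sid:1000004; rev:1;)
# comments and blank lines are skipped

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS example"; content:"|00 01 00 00|"; sid:1000005; rev:1;)
"""

BLOCK_ACTIONS = {"drop", "reject", "sdrop"}

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<header>[^(]+?)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rules(text):
    """Parse single-line Snort rules into dicts (action, header, opts, sid).

    Simplification: options are split on ';', so rules whose content
    strings contain an escaped ';' are not handled by this checker.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = []
        for raw in m.group("opts").split(";"):
            raw = raw.strip()
            if raw:
                key, _, val = raw.partition(":")
                opts.append((key.strip(), val.strip()))
        sid = next((int(v) for k, v in opts if k == "sid"), None)
        rules.append({"action": m.group("action"),
                      "header": m.group("header").strip(),
                      "opts": opts, "sid": sid})
    return rules


def count_blocking(rules):
    """Number of rules that would actually drop traffic."""
    return sum(1 for r in rules if r["action"] in BLOCK_ACTIONS)


def find_overlaps(rules):
    """Group rules sharing the same header and the same content matches.

    Such rules fire on the same packet, so one attack triggers several
    signatures; returns the SID groups with more than one member.
    """
    groups = defaultdict(list)
    for r in rules:
        contents = tuple(v for k, v in r["opts"] if k == "content")
        if contents:
            groups[(r["header"], contents)].append(r["sid"])
    return [sorted(sids) for sids in groups.values() if len(sids) > 1]


def promote_to_drop(rules, approved_sids):
    """Copy the set, switching only the approved SIDs from alert to drop.

    Also returns approved SIDs that were not found, so a typo in the
    review list is noticed instead of silently blocking nothing.
    """
    approved = set(approved_sids)
    found = set()
    out = []
    for r in rules:
        new = dict(r)
        if r["sid"] in approved:
            found.add(r["sid"])
            if r["action"] == "alert":
                new["action"] = "drop"
        out.append(new)
    return out, approved - found


def render_rule(rule):
    """Serialise a parsed rule back to Snort syntax."""
    opts = "".join(f"{k}:{v}; " if v else f"{k}; " for k, v in rule["opts"])
    return f'{rule["action"]} {rule["header"]} ({opts.strip()})'


def tuning_report(rules, max_block_fraction=0.25):
    """Summarise the set and flag it when more than an assumed ceiling
    (25% by default) of the rules are in block mode."""
    total = len(rules)
    blocking = count_blocking(rules)
    fraction = blocking / total if total else 0.0
    return {"total": total, "blocking": blocking, "block_fraction": fraction,
            "too_many_blocking": fraction > max_block_fraction,
            "overlaps": find_overlaps(rules)}


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("before:", tuning_report(parsed))
    tuned, missing = promote_to_drop(parsed, {1000001, 1000003, 1999999})
    print("approved SIDs not in the set:", sorted(missing))
    for r in tuned:
        print(render_rule(r))
    print("after:", tuning_report(tuned))
```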

All in all it was a good validation for me to read this article. I think IPS is at a critical mass of adoption today; I just don't think it has reached a critical mass of utilization yet. But progress is being made.

March 03, 2008

TippingPoint goes 10GBPS, but do people want just IPS or UTM?

TippingPoint announced their Core Controller appliance today. It is a 10GBPS inline IPS. Actually, it sounds like it is a network controller that load balances traffic among several conventional Tipping Point boxes and then puts the flow back together and passes it on. Sounds cool, but I would like to see the latency involved in doing this. Sounds like a lot of moving parts. It also sounds a lot like the way Hoff used to do things over at Crossbeam Systems.

The real question for me, though, is not whether or not this new appliance does line-speed IPS. The question is: do we still want our IPS as stand-alone IPS, or do we want it as part of UTM? Mike Rothman in his 2008 Days of Incite talks about "best of breed DOA". In it Mike talks about 2007 being a year where customers clearly voted for integrated solutions over individual best-of-breed. He also says 2007 was the year the first open source perimeter platforms hit. I like to think he is talking about Cobia. But 2008 will be an even bigger year for Cobia functionality! The bottom line, though, is: except for the Ferrari crowd, does anyone want to buy a stand-alone IPS? Mike says it best: "Market maturity kills product innovation".

Yes, people buy UTM for one application at first. It could be firewall, it could be IPS or gateway AV, URL filtering or anti-spam. But they like the idea of getting more than what they just needed and paid for. They figure they are going to turn on the other stuff soon enough anyway. Plus they get it all from one vendor. So on this one, I have to agree with Mike. I think people will buy UTM over single-purpose security solutions in increasingly greater numbers in the months to come. Agree? Disagree? Leave a comment with your opinion.

February 13, 2008

How do you spell R-E-L-I-E-F?

In the case of the 3Com-Bain-Huawei merger it is spelled "sell Tipping Point". As has been widely reported since this deal was announced, the fact that a Chinese company would own a substantial stake in an IPS/security vendor has caused significant heartburn within the Federal Government. This same issue kept Sourcefire from being acquired by Check Point (I bet that 200+ million looks good right about now). Today's article in the Washington Times indicates that Bain has officially notified the Treasury Department of its mitigation proposals, including the selling off of Tipping Point.

In my mind the question is: Will that be enough? Is it only the Tipping Point stuff that causes the issue? Does 3Com have other sensitive technology? I don't know, but I am sure the recent arrest of 4 Chinese people on espionage-type charges did not help the Bain position. Also, do you spin Tipping Point off as a public entity? If not, do you find an acceptable buyer? Does the fact that the buyer would have to be a US-based company decrease the potential buyer pool, making Tipping Point less valuable? All of these are great questions that are going to need answers before this deal is finalized. In the meantime, is being in M&A limbo taking its toll on 3Com? Questions, questions, questions, but I don't have the answers.

January 28, 2008

Your mileage may vary

I have probably written about this before, but my frustration just continues. I have been doing some research into bandwidth capacity versus price in the IPS market. I don't understand why we let this circus continue. What does 1Gbps mean to you? How about 2 or 4 Gbps? It could mean unidirectional only or it could be bi-directional. It could mean only certain kinds of traffic like http (a recent announcement of 6 Gbps Snort on standard hardware seems to be only http traffic). It could mean only tiny packets with no large packets. In fact it could mean anything at all.

I know NSS tests IPS, but do they test the throughput claims of vendors? We need standards so that apples-to-apples comparisons are possible. No matter what car you buy, 60 MPH is 60 MPH. We need similar standards in IPS!

October 25, 2007

3Com / Bain-Huawei deal a no go without Tipping Point spinoff

Well it is looking pretty clear now that if Bain and the Huawei folks want 3Com they can't have Tipping Point as part of it.  According to this article in VNUnet.com, the authorities in Washington, DC have made their feelings pretty well known.  Now the Gartner people have come out with a report that says the same thing that many of us in the blogosphere said when this deal was first announced. I personally think the buyers would rather not spin off Tipping Point for no reason other than that it represents a sizable chunk of revenue.  Hey, my attitude is if they wouldn't let Check Point buy Sourcefire, there is no way they can let Huawei buy Tipping Point.

I also wonder how this would be different if Mitt Romney were President, given his Bain connections. I guess we will have to wait and see. Easy for most of us to say, but what if you are a Tipping Point customer (especially in the US government)?

August 23, 2007

The IDS counter-culture

For a long time now (measured in internet time anyway) the prevailing attitude has been IDS is dead, long live IPS. Many, including myself, attribute this to Richard Stiennon while he was over at Gartner. Since that time certainly most IDS vendors have either shriveled up and died or evolved into IPS vendors. One of the dirty little secrets of the IPS game, though, has been that customers are still using their IPS as IDS.

According to this article by Bill Brenner over at Search Security anyway, those hippie-dippie analysts at the Burton Group and Chris Liebert at Yankee Group (funny I thought Chris left. Either this is a real old article or she is back), say that IDS is very much alive and will be around as a stand alone product for years to come.

In fact the Burton Group thinks that IPS will not remain as a stand alone product and will instead be totally subsumed into firewalls, UTM and the like.  IDS on the other hand will remain separate to monitor networks and actions according to them.

This is where I disagree. I think IDS is also part of other technology (NAC, UTM, etc.). I do not see it as a stand-alone product anymore, any more than IPS will be. As the fellow from Core Security points out in the article, people want automation. That would seem to point to IPS over IDS. Overall I think standalone IDS/IPS will always have some market as a stand-alone (especially at the high end), but the majority of deployments will have this technology combined with other security technologies.

August 14, 2007

Killing the goose that lays the golden eggs

Like many of you out there, I have been encouraged this past year to see the return of the IPO as a potential liquidity event for technology and even security companies. Companies like Sourcefire, Aruba Networks and Blade Logic have successfully debuted. Today's VMWare IPO was almost a throwback to the good old days, with the $29 opening price topping out at $51 a share at the end of the day. However, before the good karma of this can even sink in, we see evidence of fools rushing in to kill the goose that lays the golden eggs.

I was reading on my buddy Chris Harrington's blog tonight that one of his former companies, NitroSecurity has filed for their IPO. I personally have nothing against Nitro and wish them the best of luck.  But filing for an IPO for this company just struck me as a bit crazy.  So I followed Chris's link to the Mass High Tech Journal and read the article myself.  After my first read, I was not sure if this was some sort of satire or other cruel joke.

According to the article, Nitro is looking to raise as much as 55 million in an IPO to be listed on NASDAQ. "Last year, the company reported a $10.4 million net loss on $2.3 million in revenue. During 2005, NitroSecurity posted a net loss of $12 million, according to the SEC filing." Are you kidding me? Revenue of 2.3 million, 10 million loss, coming off of a 12 million dollar loss and I can only assume less revenue? And they want investors to pay for this. Do they think that with all of the smart money leaving the real estate and mortgage market (maybe that is where the smart money is going right now), people will buy anything in the stock market? This just sounds hokey to me. Especially offering one share of common stock and one warrant for each share of stock purchased.

I swear I had a deja vu back to the bubble days when companies with a business plan would IPO instead of going to VCs for money.  These types of offerings will quickly kill any momentum being built up in this market and once again close off the public markets as a potential exit for technology plays. I hope wiser heads prevail and put this potential offering back into the realm of fantasy it sounds like it belongs in, for all of our sakes.

July 31, 2007

Zero day IPS sigs leave a trail of crumbs for hackers

It's Black Hat and the fur is going to fly this year, it appears. Those two wild and crazy guys of Mac attack fame, Dave Maynor and Robert Graham of Errata Security, lead things off this year. According to this article in Dark Reading by Kelly Jackson Higgins, the former ISS guys are going to demonstrate how black hats can reverse engineer zero-day signatures like those used by Tipping Point to figure out where these perhaps unknown vulnerabilities exist and how to exploit them. Let's be clear: Maynor and Graham say that this is not a Tipping Point-only problem. But that is what they will be demonstrating. Could be a little payback from back in their ISS days.

This calls into question the whole Zero Day Initiative thing that Tipping Point runs. Is it just taking hacks and leading other hackers to a trail on how to exploit them? Tipping Point actually temporarily removed ZDI updates from IPSs after receiving word on this. Now Tipping Point customers have to "opt in" to receive these signatures.

According to Graham, the whole ZDI does not give Tipping Point any insight or understanding and just encourages black hat activity.   He suggests that IPS vendors stop sending the source with the signature updates to make it harder to reverse engineer.  It should be interesting to see how IPS vendors react to this.

July 27, 2007

Why should P2P be a problem in the US Government?

I wanted to write about the recent press around Wesley Clark's appearance before a US House Committee regarding the leakage of classified information via P2P applications. Jaikumar Vijayan has a good article up on Network World about it. It looks like my friends over at the 360 Security blog by nCircle beat me to it. However, let me give my two cents on it anyway.

At first blush I thought this was just Clark pitching a company he is on the board of, called Tiversa. Here is some of his testimony:

"There's all kind of data leaking out inadvertently," he told the committee, noting that the documents he cited were "simply what we found when we put the straw in the water. The American people would be outraged if they are aware of what is being inadvertently being disclosed on P2P networks."

Tiversa seems to have an enterprise solution/service around P2P leakage. I thought to myself, how powerful is retired General Clark if he can get a Congressional hearing on this stuff for a company he is on the board of? Crap, maybe we should get him on our board.  But after reading more it became obvious to me that this is a real problem and it is not just Lime Wire.  Though they appear to be the butt of the committee's wrath right now. 

The good news is, this is a relatively easy problem to thwart and I don't think you need a monitoring service. The nCircle people talk about "continuous compliance". I guess that fits right into their recent acquisition of I forget the name of the company. But there is more than one way to skin this cat. Using StillSecure's Safe Access NAC solution, we can check every device coming on the network for the presence of any P2P application and not allow it on. Using a good IPS like StillSecure's Strata Guard you can filter out P2P traffic and block it. Of course the StillSecure products are not the only ones in their class to offer this.

The bottom line is, any US Government IT manager who is not implementing one of the many solutions available to thwart P2P applications and traffic, in light of this testimony deserves what he gets.  Namely to be the next one to achieve 15 minutes of infamy due to sensitive information being leaked out of a network they are responsible for.

July 19, 2007

Snort, GPL, open source, Cobia and copyright

Marty Roesch of Sourcefire/Snort put up a long blog post today explaining some recent actions by the Sourcefire team on the legal front in terms of GPL licensing and copyrights.  For those who remember, I have written here and here about what I believe is a change in the licensing of Snort with the forthcoming 3.0 version. For those who may also remember, I was taken to task by some for daring to question the infallibility and pure intentions of the Sourcefire folks.

Well, in Marty's post today he talks about three recent events. From Marty's blog, here they are:

1) GPL v2 lock that we put in place on June 29th.
2) "Clarifications" in Snort's license language (Snort 3.0).
3) "Clarifications" with regard to assignments of ownership for contributed code (Snort 3.0).

Let's have a look at these. The first deals with the fact that with the release of GPL v3, Sourcefire put a caveat in place saying that Snort could only be distributed under version 2 of the GPL. Frankly, they are perfectly allowed to do this for the code they own. I have two issues with this though:

1. Instead of saying that they don't like v3 of the GPL, Marty says that he got a heads up about people being able to change versions of the GPL just 3 weeks ago, and that the Sourcefire folks have not had a chance to look at version 3 but they know Linus was not moving Linux to it. I don't know about you, but if my code was released under the GPL, I probably would have been following it for at least the last year and the many draft releases that were sent out. It's not like version 3 snuck up on anyone. Sourcefire is a public company now; you would think they would be all over this. Is Marty really the only one watching this, and until he found out no one there had a clue?

2. More importantly, it seems that Sourcefire does not own the copyrights to all of the code in Snort. In making the change prohibiting the use of GPL v3, Sourcefire took it upon themselves to change the source file header preambles of all the source for Snort, including parts they did not own.  Obviously some of the folks who owned and contributed the code were not made aware and did not give their permission.  Marty claims there was not time.  Again, it was not a secret that v3 was coming out, but he acknowledges this was a mistake and apologizes. Marty says they will fix this.

Next, and most important to me, are the changes in 3.0 licensing. Marty comes out and says plainly that the "clarifications" they have made in the 3.0 license are aimed at "companies that are using Snort as a part of their product or service. Many of them seem to expect us to work on this technology and improve it continuously so that their offering is cutting edge but contribute nothing to the project and complain bitterly whenever we do something that might cost them some money to continue to use a best-of-breed technology like this." Marty goes on to say that they are just clarifying what the GPL said all along. I have already written on this. I and the attorneys I have spoken to don't believe that. I think the clarification put forth by Marty and Sourcefire is plainly a change to the GPL. I don't care if NMap has done it or anyone else for that matter. It is a change. I do not begrudge Sourcefire the right to charge for their software. I just say don't use the GPL as a shield.

Marty and Sourcefire, however, are in a difficult position. They are kind of stuck with the GPL because they took code from others under the GPL, and now if they want to change the license away from the GPL, they are stuck. So they have no choice but to say the GPL means what they want. In my mind this is no better than what Marty accuses others of, namely claiming the GPL gives them the right to do what they want.

This is exactly the reason we did not use it with Cobia.  At the end of the day, what Marty and team are seeking to do is exactly what we wanted. That if you are not making money selling the product, it is yours to use for free and you get source code. If you are making money you should use a commercial license.  Bitch and moan all you want about open source or not, but Marty and we are trying to accomplish the same thing.  Marty is constrained by the GPL and we choose not to be.

Lastly Marty talks about something which has raised some comments on the snort list.  It seems if you contribute code to Sourcefire, they in essence "own" the code. I am not sure if this was always clear to everyone who contributed code in the past.  My impression is that it was not, based upon the reaction to this.  Again, I don't begrudge Sourcefire being able to do this and Marty gives some good reasons why they need to. I just think you need to be open and upfront about this from the beginning, like we are with Cobia, again. 

So what can Sourcefire and Marty do about this? I think they are faced with either paying the people who wrote code in the product and buying them out, or rewriting portions of the code so they own it all. Anything less is just plain messy.

In the meantime, Marty posted his comments to the Snort list.  I responded with my take on this. I am pleased to see that several other members of the list have responded as well.  So far they seem to agree with my take on it.  In fact one post actually used our Strata Guard Free as an example of what looks like a legitimate use of Snort under the GPL that Sourcefire would probably like to change.

So in spite of comments and admonitions of others, it would appear I was not so crazy after all.  I will keep an eye on this and write more about it as it happens.

June 28, 2007

3Com spinning off Tipping Point?

OK, I didn't read this in a fortune cookie, but I have heard it from multiple sources in the analyst community over the last weeks that 3Com is spinning off Tipping Point. I guess someone had to pay for buying out the Huawei partnership. Seriously, let's look at what this could be about. First of all, I understand that at first blush this could look like the EMC-VMWare spin-off, where EMC is just selling 10% of the company off. I understand that initially 3Com will spin off just a percentage of Tipping Point. But my sources tell me that the plan is to follow this by selling most or all of their stake in the IPS vendor. Background is that 3Com paid 425 million for Tipping Point just about 18 months ago.

So why would 3Com do it? Do they need the cash? Spin off Tipping Point, establish a market value and then sell stock off in TP piecemeal, like going to the piggy bank. I thought they actually had secured funds for the Huawei purchase and were actually still sitting on a ton of cash, so I don't think that is the issue. Do they think Tipping Point is past its prime? IPS is increasingly a commodity business, even at the top end, and can Tipping Point continue to grow at past rates? Tipping Point has tried to break out beyond IPS into NAC. But in my opinion their NAC product was far from best of breed. What do they do to follow up IPS? They have tried to move into UTM, but with Fortinet, Cisco, etc. that is another rough market. Much of their special sauce seems to work only on 3Com switches. Maybe the 3Com folks think they can pull out the most value from spinning it off now, before the bloom is off the rose.

Here is another possibility. Can it be that despite best efforts, it was just a case of irreconcilable differences in culture? No matter how big the merger, if corporate cultures clash, it just doesn't work. With 3Com up in Massachusetts and the TP gang down in Texas, could they not work out the roles and get the organizations on the same page, acting as one company? In my opinion, the Tipping Point folks have always been embarrassed and reluctant to acknowledge that they were part of 3Com. Current 3Com CEO Edgar Masri has his roots in the 3Com switch and network business. I don't know for sure, but that could be the real reason for this.

In the interests of full disclosure, StillSecure is partnered with 3Com. We also compete with Tipping Point in the IPS market with our Strata Guard product. We have dealt almost exclusively with the switch folks up in HQ and have not dealt much with the TP folks.  The switch folks we have met are on the ball and seem to know what they want. Recently, 3Com has made some aggressive moves in both the SMB and enterprise switch and network gear business.  In the far east they are still a power and of course the Huawei partnership business has a lot of upside they say.  A 3Com without Tipping Point, I think is still a powerhouse in the network space.  A Tipping Point without a 3Com big brother is going to have to go head to head with some bigger players in the crowded IPS space like IBM/ISS, McAfee, Cisco, etc.  They could be just another player in a crowded field.

As usual, time will tell.  Stay tuned for more details.

Author's note: After publishing I see that Mitchell wrote his own story on this, based not upon my sources but on an Edgar Masri interview. I guess that makes it official.

May 24, 2007

IBM/ISS comment on my post on their IPS

In the interest of fairness, I wanted to highlight a comment I received yesterday from Dan Ingevaldson over at IBM/ISS. Dan attempts to set the record straight on the behavior and protocol stuff in the new IPS box they announced. Below are Dan's comments. I should note that I did go to the Interop booth on Dan's suggestion and spoke to the folks there. They do have their own protocol analysis. What I was referring to was the deal they have with Arbor Networks, which they sell as a separate NBAD-type device, but according to the folks I spoke to it is not part of the Proventia IPS. They make a big distinction between protocol analysis and other types of behavior-based detection. I will write more about that later. Anyway, here are Dan's comments.

Alan, love your blog, but no idea where you got the OEM bit from. Not only do we not OEM "most" of our behavioral stuff--we don't OEM any of it. Anyone at the booth at Interop could have set the record straight, I encourage you to walk on over and inquire. The core ISS protection engine is called PAM (Protocol Analysis Module) which was released first in RealSecure 7.0 after the ISS IDS engine was "merged" with the protocol-centric engine acquired via the acquisition of NetworkICE in 2001. PAM works by decoding more than 150 network protocols (more than some sniffers) and identifying network traffic that violates known and unknown vulnerability decodes. These decodes are independent from exploit signatures, used by most IPSs on the market, that are really nothing more than fast regex parsers. Notice that we don't have to release 300+ updates for an exploit family like our friends who OEM Snort/Sourcefire. There is no OEM code in the 6gig box or any of the other IPS products.

What you may be referring to regarding OEM technology is our public deal to integrate BitDefender's signature AV engine into our desktop product line, but even in that case our behavioral anti-malware engine does most of the heavy lifting.  Protection technology is our core and we don't out-task it.

Regarding the 6gig/15gig bit.  You know how this works, when inline IPS became popular, these devices were judged just as much as network devices as security devices.  The more IPS you sell, especially in big enterprise the more important it is to rate your gear on the ability to pass packets as well as pass packets inspected.  Instead of calling a box an N gig box, where N equals the amount of traffic that the device can inspect in ideal lab conditions, we decided to go with a more descriptive rating of performance. 

Dan Ingevaldson
Technology Strategy
IBM Internet Security Systems

May 23, 2007

15 gbps (I mean 6 Gbps) IPS and other IPS facts

Stuck in between the MS/TCG NAC/NAP lovefest out here in Interop land was some interesting news about IPS. What's that you say, how can there be anything interesting in IPS? Well, I guess interest is in the eye of the beholder.

First of all IBM/ISS announced their 15Gbps IPS that really only does 6 Gbps of protection.  I don't pretend to know all of the details here but calling your product a 15Gbps device while acknowledging it only does 6Gbps just does not make a lot of sense to me.  Whatever, but the real knee knocker for me was the price for this monster at 189k!  That is a lot of money for 6Gbps protection.  Especially in light of the continued march of multi-core technology.  Also, look at ISS running away from signature based IPS.  In this article on Dark Reading by Kelly Jackson Higgins,  Greg Adams of IBM/ISS says, "We don't use signatures as our main security mechanism". Interesting in that I was told they actually OEM much of their behavior based stuff from someone else.  Have we seen the day when ISS's IPS is not even based on their own technology anymore?

Next, the folks at McAfee announced their own 10Gbps IPS. It won't actually ship until the second half of the year. I am interested to see what the price point on that one is. Here is something else to ponder: what was it doing being displayed in the Force 10 booth here at Interop? Is Force 10 technology at the "backbone" of this McAfee device? Doesn't anybody use their own technology for IPS anymore? The fact that someone finally got the bright idea to correlate Foundstone/McAfee data with their IPS data is great. This actually will bring them in line with what a lot of other IPSs have done for a while now (including, btw, our own Strata Guard IPS).

Finally, Reflex announced a gigabit IPS using Intel multi-core chips.  Street price of 28k is exciting.  I think that multi-gig IPS on standard hardware is where the action is going to be in the IPS world going forward.  I think with the kinds of prices IBM and the like are throwing around, we could see a disruption in the market if someone can get it done right.

May 11, 2007

Do we need 100Gbps IPS?

I was reading an article on Computer Business Review today about 3Com. It mentioned many of the new initiatives undertaken since Edgar Masri took over as CEO. One seems to be that the 3Com security division (the former Tipping Point) is in talks with several silicon vendors to obtain a chip that will allow it to perform deep packet inspection at 100Gbps speeds (the article calls it 100Mbps, but Masri's comments clearly indicate Gbps. I don't think anyone is going to get excited about 100Mbps IPS at this point.).

To me this is just a classic case of my marbles are bigger than your marbles. This boys-and-their-toys mentality may be great for NASCAR racing, but this kind of folly will, I think, continue to drag down the bottom line over at 3Com. Who are they going to sell a 100Gbps IPS to, and how many can they buy? I disagree with Masri that 100Gbps is at the core of enterprise networks. I can understand being out in front of a market, but when you haven't been profitable for 6 years, and, as the article points out, the financial structure involved in the H3C partnership buyout means allocations of expenses make it harder to show profitability, can you afford to chase white elephants?

I think the recent SMB moves with wired/wireless switching and such will serve them well.  Even their recent low cost acquisition and move into the NAC market (OK, I think their NAC product leaves a lot to be desired, but at least it is a start) is a good one.  We are starting to see them in enterprise switching deals as well, though how successful they will be in that market against Cisco and the rest of the switch vendors remains to be seen.  If I were a shareholder in 3Com (and I am not), I would want them to stay away from developing bigger and badder IPS that no one needs and concentrate on the things which will move it from red to black.

May 09, 2007

More on Snort 3.0, GPL and derivatives

In response to my post yesterday, a few commenters (you can click on the right column to see them) have responded that as GPL, there is nothing really changing with Snort 3.0; Sourcefire, in order to "avoid misunderstandings", is defining what they consider to be a derivative work. I think therein lies the rub. What Sourcefire is saying is that if you want to do a front end for Snort, you can do so and just point people to snort.org to download Snort, which will run separate and apart from the front end (let's not even talk about rules for the moment). Redistributing Snort in ways such as these:

  - Integrates source code from Snort.
  - Includes Snort copyrighted data files.
  - Integrates/includes/aggregates Snort into a proprietary executable installer, such as those produced by InstallShield.
  - Links to a library or executes a program that does any of the above where the linked output is not available under the GPL.

  The term "Snort" should be taken to also include any portions or derived works of Snort. This list is not exclusive, but is just meant to clarify our interpretation of derived works with some common examples.

are, under this definition, derivative. In prior versions of Snort, without these qualifications and definitions, they would not necessarily have been derivative. This goes to the heart of what I am talking about.

When I spoke about possible forks, the point was that if you forked off Snort 2.x, the new definitions of derivative work above would not apply.

I am not sure how long the quiet period for Sourcefire is, but when it is up, I would like to see Marty or someone answer this definitively.

May 08, 2007

Is Snort 3.0 going to be open sourced?

This is a question which has come up recently and which I understand was a recent topic on a Snort IRC channel. It seems recent comments by me and on our podcast have raised some questions about what the future course of licensing for new versions of Snort is going to be. I also spoke about this with Thomas Ptacek of Matasano a while back, and we never finished our conversation. Obviously, I am not the final word on this topic and you should look to Sourcefire for the definitive answer. That being said, my understanding is that Snort 3.0 will have some license changes. My belief is that it will still be open sourced and released under a GPL license, as Marty Roesch has said many times. However, the licensing change, again from what I understand, will deal with people who embed Snort into their applications and who, under the current license, do not fall under the derivative clauses of the GPL. So under Snort 3.0 there will be changes to the base GPL as to what constitutes a derivative work. My opinion is that, in essence, Sourcefire is moving Snort to more of a dual-licensed system.

What does this mean? Simple, in my mind. If you are going to use Snort as part of your application (as many IDS/IPS vendors do, some publicly, some not so much) and sell that application for money, you are going to have to have a commercial license from Sourcefire. You will not be able to bundle Snort with your application without commercially licensing it from Sourcefire. Does this affect many of you out there? Probably not. If you download Snort and use it on your network or at work, you are fine. If you use Snort in a product that you sell, then it matters quite a bit.

I perfectly understand why Sourcefire is doing this. They see companies competing with them in the market using the work product they have put a lot of time, effort and money into. They are perfectly entitled to do so. So yes, Snort 3.0 is going to continue to be open sourced. However, there are changes involved that may affect you if you are using Snort as part of another product. If this is incorrect, or if Marty, Wayne or anyone else from Sourcefire wants to comment or correct me here, I stand ready to be corrected. I would welcome the chance to clear this matter up.

For those companies using Snort as part of your product, what are your options? Do you pay Sourcefire whatever their commercial fees are? Will we see a fork of Snort, with the forked version still under the GPL but supported by an alternative community, perhaps Bleeding Edge Community or some consortium of companies that bundle Snort? I don't know, but time will tell.

April 18, 2007

IDS/IPS continues to march towards post-connect NAC

Well, it looks like Sourcefire is the latest company to recognize that IDS/IPS can be easily re-skinned as a post-connect NAC product. With the release of their Enterprise Threat Management strategy, as detailed in this article in Search Security, Sourcefire will use their RNA passive vulnerability scanner and Snort-based sensors to perform post-connect NAC policy enforcement. While post-connect NAC is a valuable ability, without pairing it with pre-connect NAC it just does not feel like a full product. It could be that we see Sourcefire either partner with a pre-connect NAC company or maybe use some of their now diminished public equity to buy a pre-connect company. I guess we will wait and see, but I don't think what they have now will be sufficient to make a mark in the crowded NAC market.


April 17, 2007

HP ProCurve rides the convergence wave

HP ProCurve announced two products today that will further networking and security convergence. According to this article by Matt Hamblen at ComputerWorld, ProCurve (which is 2nd in networking port shipments globally) will release ProCurve Network Immunity Manager. It sounds like some sort of IDS-type detection, maybe behavior- and signature-based, that works with ProCurve switches to throttle or stop bad traffic at its origin. The second product, due out in the 3rd quarter, is called ProCurve Network Access Controller 800. It sounds like a NAC device that works hand in hand with ProCurve's Identity Driven Manager. Very interesting. ProCurve CTO Paul Congdon is this week's guest on the podcast and he may have a thing or two to say about this. If you get a chance, listen in.

Interestingly, Rob Whiteley of Forrester and "network NAC is dead" infamy says that this network-based NAC seems to be a good thing. Geez Rob, why didn't you say anything about PERM? Isn't that the future, and this network-based access control stuff history? I can't imagine what would make you seem to change position on this.

March 29, 2007

SSL offloading - when is the end not the end

Michael Farnum has an excellent article up over on ComputerWorld today about SSL offloading. Michael makes an excellent point that with so many devices decrypting SSL traffic before its intended "end", if that information is then compromised, someone has some 'splaining to do. A reader comments that he does not consider it too serious a problem: SSL was to ensure end-to-end encryption, and they have just replaced the end.

Reading this article brought back flashes of when McAfee Intruvert first started touting their ability to decrypt and inspect SSL traffic. They would decrypt at the IPS (often at the gateway) and then send it in the clear to its destination. I thought it was a bad idea then and I think it is a bad idea now. SSL was intended to encrypt end to end. When you hijack the end and then send that data in the clear, you are defeating the whole purpose of using it in the first place. I understand the need to inspect this traffic, but decrypting it before its "end" is not an acceptable answer for me and is too much of a risk. Michael is dead on!
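To make the risk concrete, here is an added example (not part of Michael's article or of this post) that audits an offloader's configuration for exactly this pattern: a server block that terminates TLS and then forwards to an upstream over plain http, or over https without verifying the backend's certificate. It uses nginx-style syntax because the directives involved (listen ... ssl, proxy_pass, proxy_ssl_verify) are real and widely recognized; the sample configuration, host names and addresses are constructed for the example.

```python
# Added example (not from the original post): audit an SSL-offloader /
# reverse-proxy configuration for the failure mode discussed above, where TLS
# is terminated at an intermediary and the onward hop to the real destination
# is either plaintext or re-encrypted without verifying who answers.
# nginx-style syntax; listen, proxy_pass and proxy_ssl_verify are real nginx
# directives, but the sample configuration below is constructed.
import re
from dataclasses import dataclass, field

@dataclass
class Block:
    name: str                                       # "server", "location /api", ...
    directives: list = field(default_factory=list)  # (name, [args]) tuples
    children: list = field(default_factory=list)    # nested Block objects

def tokenize(text):
    """Drop comments and split into words plus the structural tokens ; { }."""
    text = re.sub(r"#.*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)

def parse(tokens):
    """Build a Block tree from the token stream."""
    root = Block("root")
    stack, current = [root], []
    for tok in tokens:
        if tok == "{":
            blk = Block(" ".join(current))
            stack[-1].children.append(blk)
            stack.append(blk)
            current = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if current:
                stack[-1].directives.append((current[0], current[1:]))
            current = []
        else:
            current.append(tok)
    return root

def _args(block, name):
    return [a for d, a in block.directives if d == name]

def _walk(block):
    yield block
    for child in block.children:
        yield from _walk(child)

def audit(config_text):
    """Return (server_name, scope, finding) for every onward hop that is not
    end-to-end protected after TLS has been terminated in that server block."""
    findings = []
    for srv in _walk(parse(tokenize(config_text))):
        if srv.name != "server":
            continue
        # TLS is terminated here if a listener carries "ssl" or the legacy "ssl on;" is set.
        if not (any("ssl" in a for a in _args(srv, "listen")) or _args(srv, "ssl") == [["on"]]):
            continue
        names = _args(srv, "server_name")
        sname = " ".join(names[0]) if names else "(unnamed)"
        scopes = [srv] + [c for c in srv.children if c.name.startswith("location")]
        for scope in scopes:
            for pp in _args(scope, "proxy_pass"):
                upstream = pp[0]
                # proxy_ssl_verify is inherited from the server block when the location does not set it.
                verify = _args(scope, "proxy_ssl_verify") or _args(srv, "proxy_ssl_verify")
                if upstream.startswith("http://"):
                    findings.append((sname, scope.name, "decrypted traffic forwarded in the clear to " + upstream))
                elif upstream.startswith("https://") and verify != [["on"]]:
                    findings.append((sname, scope.name, "re-encrypted to " + upstream + " but backend certificate not verified"))
    return findings

# Constructed sample: one offloader fronting three backends, plus a plain HTTP server.
SAMPLE_CONFIG = """
http {
    server {
        listen 443 ssl;
        server_name shop.example.test;
        ssl_certificate     /etc/ssl/shop.crt;
        ssl_certificate_key /etc/ssl/shop.key;
        location /checkout { proxy_pass http://10.0.0.20:8080; }   # the "end" moved here; payload continues in the clear
        location /account  { proxy_pass https://10.0.0.21:8443; }  # encrypted again, but whoever answers is trusted
        location /api {                                             # re-encrypted toward the real end, identity verified
            proxy_pass https://api-backend.internal.test;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/ssl/internal-ca.crt;
            proxy_ssl_name api-backend.internal.test;
        }
    }
    server {
        listen 80;
        server_name status.example.test;
        location / { proxy_pass http://10.0.0.30; }   # nothing was decrypted here, so nothing to report
    }
}
"""

if __name__ == "__main__":
    for sname, scope, finding in audit(SAMPLE_CONFIG):
        print(f"{sname} {scope}: {finding}")
```

The audit flags both the plaintext leg the post objects to (/checkout) and the unverified re-encryption (/account). The /api location is the least-bad variant: traffic is encrypted again toward the real end and the backend's identity is checked, so the decrypted payload at least never crosses the wire in the clear.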

SSL offloading / accelerating / load-balancing is scary - Computerworld Blogs

March 09, 2007

Matt Asay I think you are wrong about Sourcefire

As I have written before I have a lot of respect for Matt Asay and his advocacy of open source.  But I have to tell you that I was very disappointed in his Open Sources blog article today about Sourcefire's IPO. While paying homage to the idea of an open source company going public as a tide that will lift all boats, Matt questions Sourcefire's commitment to its community and its revenue deal size.  I think Matt is wrong on both counts. I am sure Wayne, Marty and the rest of the team can defend themselves, but with quiet periods and all, they probably can't say anything just yet.  They don't need me to defend them, but I want to put my perspective on this one.

First, on the issue of community support. Matt, by his own admission, is just going off the prospectus. Matt, if you don't know about Snort and what Sourcefire has done with that community, you should not be casting aspersions like that. The prospectus is written for people on the street looking to invest. These are not VCs or open source experts who understand open source business models. If they don't see a clear path to how the community is monetized, they don't care. But if you are interested, as a Sourcefire partner, competitor and Snort community member, I will tell you that few companies are as committed to and supportive of their community as Sourcefire is. Also, I think you will find few communities that are as appreciative of Marty and the Sourcefire team as the Snort community is. If you have ever been to a security event that Marty appears at, you would see the admiration for yourself. Sure there are some who may have other agendas, but overall Sourcefire has supported their community from day one and their community supports them. Heck, truth be told, we don't even use the VRT rules that we license from Sourcefire, but pay our partnership fee to Sourcefire because of what Sourcefire has done for the community.

Also, let's cut to the point on this. For-profit companies pursuing open source business models, whether public or not, look to their communities to monetize the business. Of course it is good business to keep the communities that are supporting you healthy and robust, so any smart business would do so. There is no difference here. I think Sourcefire has to put in their IPO prospectus how they are going to monetize the community; I don't think any investors are going to care how they continue to feed it. The fact that the community is as vibrant and large as it is speaks plenty to their commitment to the community.

On the issue of Sourcefire's revenue. Number one, again Matt, I assume you are not familiar with the IDS/IPS market and Sourcefire's products. I will tell you that $500,000.00 worth of IPS gear is a very large deal. I bet the average is below 100k. Matt, this is not ERP software or ECM. I assume when you are talking about companies you know knocking down big deals you mean Alfresco. Good for you and them. Are you doing 40+ million dollars a year with those big deals? If not, don't be casting doubts about business models and products you don't know about. Frankly, it comes off making you look a little green, with envy that is.

Matt, bottom line is I want you to call them as you see them, but do a little digging around the facts first.

March 07, 2007

Everything I need to learn in life I learned from reading the S-1

A couple of "experts" over at ZDNet have a "get a clue" blog posting up asking if Sourcefire can monetize Snort. I would have no problem if they would debate the finer points of Sourcefire's VRT certified rules strategy or whether they think we will see a dual-licensed Snort in the future. However, that is not the case here. Reading the article, I get the impression these guys have never heard of Sourcefire before, never heard of Snort before and don't know a darn thing about open source. All of their information is pulled directly from the IPO filing papers from Sourcefire. Can't they look at any other open source companies who have been successful (there is one with the name Red in it, to give you a hint)?

Anyone who has been involved in an IPO or has read one of these before knows that you have to put down every possible downside to your business plan to protect yourself from shareholder suits, in case things don't go well and people say you did not warn them of the risks. I guess I just expect more out of these tech journalists. Another case of: if you don't expect anything, you won't be disappointed.

January 16, 2007

Does being a Gartner customer matter?

A reader asks the question, regarding our visionary status in the IPS Magic Quadrant, whether we pay anything to Gartner. I think it is a fair question and deserves an answer. Fact is, yes, like many other security vendors, we do pay Gartner a yearly retainer for "advice and insight" into the market. Does this mean we bought our position? I don't think so. We have actually been Gartner customers for years and frankly it has not helped us much before.

We were previously a niche player in the IPS quadrant.  We did follow some of the advice they offered, but also let our own research guide our product direction.  Also, in the recent market scope for VA, we certainly took some lumps, as did some others that were surprising to me. 

There is no doubt that Gartner makes lots of money from advising vendors as well as customers, but I don't think you can buy a quadrant position. Frankly, we don't even pay them that kind of money. I would throw the question to Amrit, who used to work there, and Mike Rothman, who knows a thing or two about this stuff, to answer.

What makes a visionary, and do Magic Quadrants really matter?

Today StillSecure released news that we had been placed in the visionary quadrant of the Gartner Magic Quadrant for IPS. Make no mistake, I was thrilled by the news. It represents a lot of hard work by our development and engineering team, as well as our marketing team and, frankly, by me, as I am the person who does most of our Gartner interviews. While it is not the leaders quadrant, I actually took a lot of pride in what being in the visionary quadrant represents. I realize that our Strata Guard IPS is not one of the top 3 as measured by Gartner in the quadrants. We don't have a multi-gig, multi-segment IPS, and this would be needed to make the leaders quadrant. So I started thinking about what it means to be visionary.

Besides sounding cool, what does it really mean? In my mind it means that we are on the cutting edge in deploying and using innovative technologies that stretch the bounds of what a particular product category (in this case IPS) does and performs. If that is the criterion, then Strata Guard fits the bill. Building on an open standards base, we have married our IPS to VAM, our vulnerability management solution, so that it takes in vulnerability data. We have now also enabled Strata Guard to send alerts and attack info to Safe Access, our NAC solution, and to have Safe Access quarantine devices based upon malicious activity detected by Strata Guard. This post-connect NAC strategy opens up many possibilities you will see us explore in the coming months. Also, all three products working together really vindicates our vision of a suite of security products. This was one of the original building blocks of the company. Over the years many people have told us that we were crazy to focus on three different products in three different areas of security. We did not have the resources of a Cisco or Symantec to support the disparate products. However, our vision was that security would move out of silos and interoperate. This recognition for Strata Guard really helps justify our vision and work.
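The IPS-to-NAC hand-off just described, where detections from the IPS decide which endpoints the NAC quarantines (the same post-connect pattern the Sourcefire post above attributes to RNA and Snort-based sensors), as an added example. This is my own illustration, not StillSecure's Strata Guard or Safe Access code; it assumes the IPS writes Snort-style alert_fast lines, and the signature IDs, address range, thresholds and sample alerts are all constructed for the example.

```python
# Added example (not StillSecure's Strata Guard or Safe Access code): the
# IPS-to-NAC hand-off described above, in which alerts from the IPS decide
# which endpoints the NAC should quarantine. It assumes the IPS emits Snort
# "alert_fast" lines; the signature IDs, address ranges, thresholds and the
# sample alerts are constructed for this example.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Snort 2.x alert_fast line layout (without the year option). Field layout is real; values below are constructed.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert_fast record."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")  # no year in the log; only time deltas are used
    a["pri"] = int(a["pri"])
    return a

# Hypothetical policy. Only a small, deliberately chosen set of signatures may
# drive quarantine; everything else stays alert/log only. Local-rule SIDs
# (>= 1000000) are used so they cannot collide with a distributed rule set.
QUARANTINE_SIDS = {"1:1000001", "1:1000002", "1:1000003"}
MANAGED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # endpoints the NAC can actually act on
MIN_DISTINCT_SIGS = 2    # corroboration: at least two different signatures ...
WINDOW_SECONDS = 300     # ... from the same host within five minutes

def decide_quarantine(lines):
    """Return ({host: reason} for hosts to quarantine, [(src, gid:sid, msg)] merely logged)."""
    candidates = defaultdict(list)   # src -> [(ts, "gid:sid", msg)]
    logged = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        sig = f"{a['gid']}:{a['sid']}"
        src = ipaddress.ip_address(a["src"])
        if sig in QUARANTINE_SIDS and any(src in net for net in MANAGED_NETS):
            candidates[a["src"]].append((a["ts"], sig, a["msg"]))
        else:
            logged.append((a["src"], sig, a["msg"]))   # external source or alert-only signature
    decisions = {}
    for host, events in candidates.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            # Count distinct signatures in the window, so one overlapping rule
            # firing repeatedly is not mistaken for corroboration.
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= WINDOW_SECONDS]
            sigs = sorted({e[1] for e in window})
            if len(sigs) >= MIN_DISTINCT_SIGS:
                decisions[host] = "quarantine: " + ", ".join(sigs)
                break
    return decisions, logged

# Constructed sample alerts (message texts and SIDs are invented for this example).
SAMPLE_ALERTS = [
    # Two different quarantine-class signatures from 10.1.5.7 within 20 seconds.
    "05/13-09:12:44.101010  [**] [1:1000001:1] LOCAL Internal host scanning SMB [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.5.7:40211 -> 10.1.0.9:445",
    "05/13-09:13:02.202020  [**] [1:1000002:1] LOCAL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 1] {TCP} 10.1.5.7:40300 -> 10.1.0.10:445",
    # The same signature twice from 10.1.5.8: one rule firing repeatedly is not corroboration.
    "05/13-09:15:00.000000  [**] [1:1000001:1] LOCAL Internal host scanning SMB [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.5.8:50000 -> 10.1.0.9:445",
    "05/13-09:15:01.000000  [**] [1:1000001:1] LOCAL Internal host scanning SMB [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.5.8:50001 -> 10.1.0.10:445",
    # External source: the IPS may block it, but there is no managed endpoint to quarantine.
    "05/13-09:16:10.000000  [**] [1:1000002:1] LOCAL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 1] {TCP} 203.0.113.5:1434 -> 10.1.0.10:1434",
    # Policy signature kept in alert-only mode.
    "05/13-09:17:00.000000  [**] [1:2000000:1] LOCAL Possible P2P traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {UDP} 10.1.5.9:6881 -> 198.51.100.2:6881",
]

if __name__ == "__main__":
    decisions, logged = decide_quarantine(SAMPLE_ALERTS)
    for host, reason in decisions.items():
        print(host, reason)
    print(f"{len(logged)} alert(s) logged without NAC action")
```

The policy keeps the quarantine-capable signature set small and requires two distinct signatures from one host before acting, so a single noisy or overlapping rule cannot knock an endpoint off the network; alerts from unmanaged (external) sources and alert-only signatures are left for the analyst.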

Bringing Strata Guard Free to market has taught us many things about building a community and supporting a free product. It has also shown us that there is a viable market in giving out a version of software for free and having people upgrade as needed. We will use these lessons in future StillSecure products for sure.

So, is the hype over Magic Quadrants warranted? I think not. I think people put way too much weight on them. Gartner weighs the products based upon their own customer base. This may not be reality for most of the world. At the end of the day, though, I think we are all spitting into the wind trying to get people not to pay so much attention to them. The old saying "if you can't beat them, join them" is probably the better business decision (as much as I hate to admit it).

January 14, 2007

Bump in the wire - what side of the toast is your jelly on?

So my esteemed colleague and friend Chris Hoff of Crossbeam (sounds like we are US Senators or something) takes offense at some of what I wrote earlier about the bump-in-the-wire statements of Brian Smith of 3Com/TippingPoint. First off, let me say that Chris is right: usually we are on the same page on most issues that float around the security blogosphere. However, there is something that will cause us to disagree almost every time: when his best interests and those of Crossbeam don't coincide with mine and those of StillSecure.

Chris is right, Tipping Point is certainly a competitor on the IPS front and I think will try to move into the NAC market as well (they may already have, if you listen to them). However, we should be clear that Chris's view is influenced by his biggest competitor being Cisco, a company that is moving security into the switch and network infrastructure in a big way. So I would expect Chris to take a contrary view on this one. However, at the end of the day I suspect we don't disagree as much as it appears. I think the knot at the center here is how we define bump-in-the-wire. Also not to be ignored is the view of Michael Farnum, who, unlike Chris and me, does not have a vested interest here. Actually, on second thought, Michael is not the innocent he once was, now that he works for a security VAR. I am not sure what the Accuvant line card is on this, though. However, I do believe Michael would do nothing less than give us his honest opinion here.

So two issues:

1. Tipping Point, like it or not, is part of 3Com, a company that very much wants to be a player in the switch market. Part of the reason they paid something like 17 times revenue for Tipping Point was the idea of converging networking with security. If, as Michael says, they are late to the game and destined to be a 3rd-rate player at best, I can understand the reluctance of the Tipping Point people to closely associate themselves with 3Com. Maybe this is the real reason they want to pursue a strategy other than integrating the security into the switch and router. They don't want to pull down their highly regarded IPS by marrying it to sub-par switches. OK, I don't think Chris would argue this one, and I think it is the crux of Michael's point. My opinion is that Tipping Point has to get over themselves. The long-term prosperity and even the very survival of 3Com is tied to Tipping Point's security business dragging up the 3Com switch business. The sooner they get to it, the better off 3Com will be long term. Frankly, I am surprised 3Com has not put their foot down on this sooner. However, with a new CEO there from the switching side, maybe this will change soon.

2. What is bump-in-the-wire security good for? Here is where Chris and I disagree. When I talk about bump-in-the-wire security, I am talking about traditional IPS blocking. You are either blocking the IP address or the port, or actually dropping the offending packet that is triggering an attack alert. Early IPSs did not have to be in line to do this; they relied on external firewalls to block. The out-of-band IPSs, however, were quickly replaced by the in-line versions such as Tipping Point. Of course this was fine when the only place you wanted IPS was at the border or perimeter.

With the advent of internal IPS monitoring, multi-segment IPS became prevalent. The reasons are many. One is: what else are you going to do with that big honking box if your line is only 10/100/1000? Another is that you don't want to drop boxes, as Chris says, "willy-nilly across the network". By having a big box that can handle multiple segments on your internal network, you can cover the enterprise with just a few boxes, albeit ones that cost six figures each. Yeah, Chris is right, this is best suited for big companies and carriers, but I am not going to hide behind that one here, so rest easy my friend. My point is that this whole paradigm is fine if all you are going to do is perform IPS. When you move beyond that, there are scalability issues with bump-in-the-wire unless you are going to morph into a switch yourself. Go ask ConSentry, Nevis, Vernier Networks and those guys. They will tell you that having to sit in line (and this is what I mean by bump in the wire, whether multi-segment or not), you are going to have scalability issues. These companies pray every day that some switch vendor will buy them and move their technology into the switch. In the meantime they are designing their products to be switches as well. Call them security switches if you will. Tipping Point is already owned by a switch vendor; they should be moving their technology in there.

As far as Tipping Point's latest, biggest, baddest box that they are going to show at RSA a year late, Chris, you know as well as I do that it is all about who has the biggest one, in a contest where, at least in Tipping Point's mind, size does matter.

As far as StillSecure working with switches today and tomorrow, you will have to wait a little while longer for our definitive word on this. However, I will tell you that we have designed our products so that the relevant parts can work in a switch or router type of device. Many of our partnerships with network vendors will explore this capability even further.

Bottom line, Chris, is that bump-in-the-wire may be all right for IPS, but when you start moving into other network security functionality, being in line is a drag.

January 13, 2007

Farnum says if you were owned by a crappy switch vendor you would want to go bump at night too

Michael Farnum, my friend from down Texas way, gives us his take on the Tipping Point / Brian Smith remarks about pursuing a bump-in-the-wire approach to network security. The long and short of it is that Michael feels somewhat responsible for the way he answered a customer response survey about whether he would buy a Tipping Point blade on a 3Com switch. Basically, Michael makes no excuse that he thinks 3Com switches for the enterprise suck and that he is not alone. He would consider a Tipping Point blade on another company's switch, just not 3Com's.

I suspect that this is actually the Tipping Point guys' point of view. The ones I have spoken to are almost ashamed to be affiliated with 3Com and begrudgingly accept the 3Com name on their business cards, but still call themselves Tipping Point. I say they weren't so proud and arrogant when they were taking the 400+ million dollars from 3Com, were they? Hey, as far as I am concerned, Tipping Point made a bargain and got paid for it too. Now they have to live with it. How is it in the best interests of 3Com to tolerate this? Yeah, it may be a short-term positive for Tipping Point to disassociate themselves from 3Com, but long term it kills 3Com not to have a coherent, unified company. If they can't leverage switch business with the Tipping Point stuff, they should just spin Tipping Point off now (don't laugh, I have heard rumors to that effect, but I suspect it is just wishful thinking by Tipping Point guys) and take the money and run. I wonder if the tail is wagging the dog over there.

A bump in the wire is a .... bump in the dark

Was reading an article in SC Magazine tonight about some of the people speaking at this year's RSA. It is a pretty impressive list, with Colin Powell, Larry Ellison and Deborah Platt Majoras, the chairwoman of the FTC, all scheduled to speak. However, what caught my eye and got me thinking was news about what Brian Smith, co-founder of Tipping Point and chief architect of 3Com, wants to talk about in his keynote speech. From the article, here are the relevant parts:

"Brian Smith, the chief architect of 3Com and a founder of TippingPoint, says his first-ever RSA keynote will focus on integrating solutions such as network access control, intrusion prevention and behavioral anomaly detection to create an intelligent network.

"I can do all of these sorts of synergies and when you trace it out, what ends up happening is you're able to debug network problems that you were never able to do before, get an unprecedented level of security, and also lower the total cost of ownership," Smith says. "They have to talk to each other. If we can pull all of these solutions together, I think that's going to be the trend over the next five to 10 years. It's a natural evolution in the technology cycle."

Smith says he also plans to emphasize the benefits of the bump-in-the-wire network approach to deploying security solutions. Rather than embedding solutions into switches and routers, Smith plans to suggest overlaying solutions to allow for a more converged, cheaper way to add intelligence to the network."

This just doesn't sit well with me and I have to put my two cents in. First off, I perfectly get the first paragraph. The street is rife with rumors of Tipping Point (funny how they don't say 3Com; you would almost confuse who bought whom over there) buying a NAC company (some customers our sales people have spoken to claim to have seen PowerPoint slides from Tipping Point to that effect). In addition to that, today they announced a partnership with Lancope, the behavior- and anomaly-based detection provider (I would say behavior-based IPS, but I think they don't use that term anymore). So now that Tipping Point has the pieces, all of a sudden convergence and integration of security technologies instead of separate silos becomes the holy grail that they are on the verge of finding. OK, better late to the party than never.

Where I feel the need to upchuck is Brian's comments about emphasizing the bump-in-the-wire network approach rather than integrating with routers and switches. Talk about missing the forest for the trees! If you get that integration of security is a good thing, how do you miss the convergence of network with security? Especially from a guy who, last time I checked, works for a large network vendor. Do the Tipping Point people resent and hate their 3Com overlords so much that they refuse to see the natural evolution of converging security and network gear? Has selling big-ass, honking ASIC boxes to do IPS for so long totally blinded them to virtualizing some of this stuff and putting it on blades and so forth inside the switch and network? A bump-in-the-wire security approach is so 2003. Most of the guys who do bump in the wire are trying like hell to move up the stack and the network to get away from the edge to the core. You may be able to do IPS as a bump in the wire at the core if you have the horsepower, but you are going to be forced to the edge for other security functions if you insist on bump in the wire. Single point of failure, scalability and cost are all working against you. Eventually you have to turn to the switch. I just don't get where he is coming from here.

Hey, maybe it is a good thing.  I am pretty sure what I will be telling our sales team on how to position against Tipping Point after this one.  Unless of course sanity sets in and the 3Com folks give their Tipping Point children a little network religion.

December 20, 2006

The pot calling the kettle black and not all open is open source

I have been following the Sourcefire IPO saga for some time now, literally since the Checkpoint deal was quashed and Team Marty announced they were going to IPO. Like others here and here, I never thought that the IPO would actually happen. I thought that someone would come in and snatch them up. However, recently there has been some scuttlebutt about the potential liability from the Predator Watch/Net Clarity lawsuit hanging over the IPO. Nick Selby over at the 451 Group wrote an article detailing the facts as they are known publicly here. Then Dave Rosenberg questions how there can be IP questions when the source code is readily available for review.

I find Dave's comments frankly naive. I don't think the Predator Watch/Net Clarity lawsuit has anything to do with open source or a similarity in source code, but rather a similarity in functionality. Nor would a similarity in source code have anything definitively to do with the merits of the suit, unless the source code itself was copied, which I believe is not the claim here. I think the claim is that the idea of how it works was what was allegedly divulged to Sourcefire. That being said, though, I think Nick gives this suit more than its due. I think ultimately this suit amounts to little more than an effort by a small business trying to cash in on someone else's success. What is even more ironic about this particular tale is that the company doing the suing does not exactly have clean hands, as far as I can tell, when it comes to using someone else's IP. I think they are still using the Nessus scanner and NASL rule set in possible violation of the license issued for them by Tenable Network Security. There is a principle in law that a plaintiff should have "clean hands". If that principle is applied here, Net Clarity's use of Nessus and NASL scripts could be construed as not having clean hands on the matter. Now they are calling in Checkpoint to see if they found anything out about this in the due diligence for the aborted acquisition. Sounds like a classic fishing trip to me, and the court should stop this farce and waste of time and get to the facts of the case.

For a good look at a VC's view of this sort of issue, Brad Feld has written about why VCs don't sign non-disclosure agreements. It is exactly for this type of situation. I think the Predator Watch/Net Clarity people are going to find out that they are better off trying to build a business based on their products working better than the competition's than trying to beat them in the courtroom.

December 19, 2006

Checkpoint finally gets their IPS

In a case of try, try again until you get it right, Checkpoint announced today that they have acquired NFR Security. NFR is a long-time player in the IDS/IPS market. Frankly, they have been relegated to 2nd or even 3rd tier status for some time. Many people had wondered what was going to happen to keep the doors open at NFR, and this answers that question. From Checkpoint's point of view, they obviously wanted to bring some IDS/IPS technology in house and this gives them something. The question is what. NFR has made some noise with their Sentivist IPS, which combines some vulnerability detection and correlation with the base IPS.

With just 22 employees and little presence in the market, I don't think this is anywhere near the kind of impact acquisition the Sourcefire deal would have been. But on the other hand they paid just 20m total here. That seems really cheap! It tells me that NFR did not have many alternatives or leverage, the revenue was not there, and security companies are getting cheaper to buy. I don't believe that last one; I think security companies that don't have a lot of revenue or strategic value are cheap, but quality always costs money. Anyway, I don't think the government will hold this deal up. The question will be how well Checkpoint integrates this technology into their products. Only time will tell, but consolidation in the security market continues.