Re: Security followup

Subject: Re: Security followup
From: Andrew Plato <gilliankitty -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Mon, 20 Jan 2003 22:08:13 -0800 (PST)


"Decker Wong-Godfrey" <dfgodfrey -at- milmanco -dot- com> wrote:

> Snort works just as well as any product from ISS, it's the interface
> that's different. Nothing more.

El wrong-o.

Snort is a pattern-recognition IDS with pre-processors. ISS is a protocol
analysis-based IDS with a complex heuristics engine. While they share some
similar capabilities, they are nothing alike.

There are other differences, as well as lots of other products.

I like Snort, Decker. There is nothing wrong with it. I run Snort boxes at the
office. It's great for learning about IDSs, playing around, and simple
deployments. It's just not the best solution for large-scale enterprise
deployments. Heck, even Marty (the inventor) would probably concede that
concept.

Moreover, ISS isn't the only product in this space. We haven't even started on
ManHunt, Dragon, NFR, the list goes on and on.

> You may find it hard to work with, but
> someone who knows how to code, or even someone who knows how to write a
> shell script can probably roll out an installation across all desktop
> workstations in about half the time it would take you to install ISS
> software on each machine in a large Windows domain. That time
> difference just goes up and up on the more workstations you have.

That is simply not true and I have the actual invoices and timesheets from
skilled UNIX engineers (not me) that would resoundingly prove you wrong. On
average, jobs with Linux systems take longer and cost more.

> For someone who knows Linux and Snort, it's a much better choice.

For somebody who uses Linux, it's about the ONLY choice. ISS does have a server
sensor for RedHat Linux. I think Enterasys has one as well. I know Okena has a
UNIX agent, but I think it's just HP UNIX, AIX, etc.

> And so, since you've stated yourself that the moderator hasn't said
> anything about the thread yet, why don't you go ahead and provide the
> relevant information. You keep making claims, appealing to authority,
> diverting the argument into finances... anything you can to avoid
> addressing the question. Does ISS provide anything that Snort/IPChains
> doesn't? You used the idea as a proof of security superiority, now you
> need to explain why.

Yes. I will give three examples:

Correlation: Most commercial products include correlation engines that can
correlate data across different systems and different types of systems.
Sourcefire also provides this. Snort does not, natively, have any such engine.

Dynamic response: Snort cannot dynamically make firewall configurations or
respond to events with anything other than traps, emails, etc. You need third
party, non-integrated software to do any of this.

Heuristic engine: Snort is essentially a pattern matching engine with a lot of
pre-processors. It is not, natively, able to decode protocols. RealSecure is a
native protocol analyzer - sniffer - and can natively decode 85 different
application and transport layer protocols. ManHunt decodes about 25, NFR and
Dragon are (last I heard) in about the same place.

> The thing is, you still haven't dealt with the relevant question at
> hand: what does IPS do that Snort/IPChains doesn't?

Dynamic response. Enterprise configuration. Ease of set up. Technical support.
Integrated solution. Documentation.

> The economics of security issues is a completely different matter than
> the economics of open source. That wasn't even a good try, Andrew.

Oh no they're not. The two are deeply intertwined, and you should support that.
Because any decent IT geek is doing his ROI on commercial vs. open source when
considering ANY security technology.

And sometimes open source has better ROI, especially at smaller places or
places with limited budgets and lots of brains (universities).

> So, now you want to talk about the economics of security issues. Well
> let's go. How much will it cost a company for the software to implement
> a Linux server with Snort and Snort's version of "IPS?"
>
> $0.00
>
> That's zero dollars and zero cents.

Very wrong.

That has to be run on a computer. Computers cost money. Somebody has to set it
all up. That means PAYING an employee or contractor to set it all up. Do you
work for free? I don't.

Time and computers cost money! And time is often the most costly of
commodities.

> How much will it cost a company to implement Anitian's latest security
> system--even without the good service of Andrew Plato?

We were doing fine until this.

You want to talk technology, capabilities, security issues - cool. You assault
my company or me personally, this discussion ends.

> To tell you the truth, Andrew, I was tired of this a long time ago. I
> know from reading your posts in the past you'll never stop. It doesn't
> matter what kind of reasoning I use, what evidence I give, you'll just
> divert the argument to something completely tangent to the topic, and
> then appeal to your "expert authority" as the only basis of reasoning.
> When things get rough, you resort to sophistry. I recognized that, but
> from the private e-mails I got, I saw that there were many who were
> interested in not only the topic, but just seeing someone that wasn't
> going to give in to your badgering.

Sigh...

There are a few people on this list that have serious emotional problems with
me and my opinions and therefore it does not surprise me that they would run to
encourage you. You're just another foot soldier thrown at the terrible two
Towers - Andrew's Ego and Andrew's Mouth.

Moreover, I will not tolerate this becoming a personal attack. I have tried to
explain concepts, describe ideas, discuss concepts, and be generally fair
about technical capabilities. I admit to grandstanding my skills and resorting
to some ego-boasting. I'm guilty of being narcissistic. But I never called you
names nor did I insult your employer.

Eric, I think it's time to close the thread.

Andrew Plato
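The "correlation" point in the message above (a commercial console joining events from different kinds of systems, which a lone Snort sensor does not do natively) is easier to see with a small worked example. The following Python is an added illustration, not code from either poster or from Snort, Sourcefire or ISS. It normalises two constructed inputs, Snort-style "fast" alert lines and iptables-style firewall log lines (the signature IDs, IPs and messages are made up), into one event record, then joins an IDS alert with firewall events from the same source address that fall within a 60-second window. Snort fast alerts carry no year, so the year is an assumption set in `YEAR`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2003                      # assumed: Snort fast alerts carry no year
WINDOW = timedelta(seconds=60)   # how close two events must be to be joined

# Constructed sample data, not real alerts or logs.
SNORT_ALERTS = [
    "01/20-22:01:05.000000  [**] [1:9000001:1] HYPOTHETICAL SSH version probe [**] [Priority: 2] {TCP} 10.0.0.5:4321 -> 192.168.1.10:22",
    "01/20-22:03:40.000000  [**] [1:9000002:1] HYPOTHETICAL HTTP long URI [**] [Priority: 3] {TCP} 10.0.0.77:5555 -> 192.168.1.20:80",
]
FIREWALL_LOG = [
    "Jan 20 22:01:09 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=4322 DPT=23",
    "Jan 20 22:01:11 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=4323 DPT=25",
    "Jan 20 22:30:00 fw kernel: IN=eth0 OUT= SRC=10.0.0.77 DST=192.168.1.20 PROTO=TCP SPT=5556 DPT=443",
]

SNORT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[^\]]+\]\s+(.*?)\s+\[\*\*\]"
    r"\s+.*?\{(\w+)\}\s+([\d.]+):\d+\s+->\s+([\d.]+):(\d+)$"
)
FW_RE = re.compile(
    r"^(\w{3}) (\d+) (\d\d:\d\d:\d\d) .*SRC=([\d.]+) DST=([\d.]+) PROTO=(\w+) SPT=\d+ DPT=(\d+)"
)


def parse_snort_alert(line):
    """Normalise one Snort fast-alert line into the common event record."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    mon, day, hms, msg, proto, src, dst, dport = m.groups()
    return {
        "ts": datetime.strptime(f"{YEAR} {mon} {day} {hms}", "%Y %m %d %H:%M:%S"),
        "source": "snort",
        "src_ip": src, "dst_ip": dst, "dst_port": int(dport),
        "summary": f"{msg} ({proto})",
    }


def parse_firewall_line(line):
    """Normalise one iptables-style LOG line into the common event record."""
    m = FW_RE.match(line)
    if not m:
        return None
    mon, day, hms, src, dst, proto, dport = m.groups()
    return {
        "ts": datetime.strptime(f"{YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S"),
        "source": "firewall",
        "src_ip": src, "dst_ip": dst, "dst_port": int(dport),
        "summary": f"{proto} to port {dport} logged by firewall",
    }


def correlate(snort_lines, firewall_lines, window=WINDOW):
    """Join each IDS alert with events from a different system that share its
    source IP and fall within `window`. Returns one incident per corroborated
    alert; alerts with no nearby event from another system are left alone."""
    events = [e for e in map(parse_snort_alert, snort_lines) if e]
    events += [e for e in map(parse_firewall_line, firewall_lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)

    incidents = []
    for src_ip, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for alert in (e for e in evs if e["source"] == "snort"):
            related = [e for e in evs
                       if e["source"] != alert["source"]
                       and abs(e["ts"] - alert["ts"]) <= window]
            if related:
                incidents.append({
                    "src_ip": src_ip,
                    "alert": alert["summary"],
                    "related": related,
                    "dst_ports": sorted({alert["dst_port"]} | {e["dst_port"] for e in related}),
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SNORT_ALERTS, FIREWALL_LOG):
        print(f"{inc['src_ip']}: {inc['alert']} corroborated by "
              f"{len(inc['related'])} firewall event(s), ports {inc['dst_ports']}")
```

On the sample data the SSH probe from 10.0.0.5 is corroborated by two firewall entries four and six seconds later (ports 22, 23 and 25 from one host inside a minute), while the HTTP alert from 10.0.0.77 gets nothing, because its only firewall entry is 26 minutes away. That join across two systems is the whole of what the message means by a correlation engine; a sensor that only emits its own alerts leaves this step to someone else.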





References:
Re: Security followup: From: Decker Wong-Godfrey
