Sorry, Andrew, but I have do disagree. Each one of the IPSes you mentioned has its own approach and its own engine. This means different products are doing almost the same thing. I said almost because we can see that some of them moved forward to apply better protection mixed with better performance. What I saw, and am still seeing, is that some of them try to differentiate themselves using shared memory with multiples x86 CPUs (ISS & Sourcefire) and FPGAs with ASICs (Tippingpoint and McAfee).
I am not assuming that this is better than that, the real thing is that if you can do something really good to protect against threats, so you are doing great. The point in this thread is that 5 years ago almost all of them got good results and now just one (I am not considering "that one" which got worse results than TP) got a really bad result. Times changes and in this case something changed in a bad sense. Real world threats can be simulated in lab environment, that is proofed in all security conferences we see nowadays. No one can proof something without test in lab, and if you get the NSS methodology you will see that the procedures and tests are really great to perform a score of good or bad IPS. So, what is the big deal if one of the IPS players got bad results? They will keep the marketing staff working hard to rise their market share anyway... I can tell you, based on my 8 years working and researching deeply the IPS world, that there are a lot of IPSes vulnerable to "one-to-four bytes" evasion techniques. And I am not talking about "black magic"... I am talking about really easy ways to do different things in different manners. /* * $Id: signature,v 1.2 2009-12-03 11:23:42-02 nbrito Exp $ * * Nelson Brito / Security Researcher / fnstenv.blogspot.com * Copyright(c) 2009 Nelson Brito <nbrito[at]sekure[dot]org>. */ > -----Original Message----- > From: [email protected] [mailto:[email protected]] On > Behalf Of Andrew Plato > Sent: Thursday, December 10, 2009 3:52 PM > To: '[email protected]' > Subject: RE: Re: I love the smell of whining in the morning... > > While NSS is a good organization, I have to wonder about a test that would > rate TippingPoint so poorly and SourceFire and ISS so positively. My > experience has been that while all are capable products, SourceFire and ISS > take a LOT of effort to make them effective while TP, comparatively, takes > much less effort. The article even mentions that fact, that Sourcefire took > a lot of tuning. And having worked with all of these IPS, I have found that > TP, SourceFire, ISS and McAfee are all pretty much the same in terms of > effectiveness. > > This is also odd, since a few years ago, NSS was giving TP glowing reviews. > From 2004, NSS wrote: > > "Overall the performance of UnityOne is very impressive, combining near- > perfect security effectiveness with latency close to that of a layer 2 > switch...we also found UnityOne to be very stable, surviving our extended > reliability tests without missing a beat, and without blocking any > legitimate traffic or succumbing to common evasion techniques." > > That is from their report in January 2004. Okay, that was 5 years ago, > times change. > > One thing that always concerns me about these tests is the fact that they > are laboratory-style tests and not real-world tests. Merely stopping an > attack only one measure of effectiveness for an IPS. These devices must be > made operational in a IT department. And they must integrate with other > procedures, practices and devices. This is something a lab test cannot > uncover. > > Andrew Plato, CISSP, CISM, QSA > President/Principal Consultant > Anitian Enterprise Security > > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On > Behalf Of [email protected] > Sent: Wednesday, December 09, 2009 6:21 AM > To: [email protected] > Subject: Re: Re: I love the smell of whining in the morning... > > This is what TP is referring to: > > http://www.networkworld.com/news/2009/120709-ips-tests.html?hpg1=bn > > I have seen the full report and it is fair to say that TP did very poor > compared to the competition. This is really no surprise for those of us > close to the industry who understand TP's heritage and approach. exploit > driven coverage with limited evasion capabilities wrapped around a pretty > UI is a recipe for security by obscurity. Well, at least they beat out > Juniper :) > > Oh and NSS is probably the best and most neutral IPS testing body out there > by far. This particular report is 100% independent and extremely > comprehensive (the best I've seen to date) and includes coverage, > performance, Evasion, and various TCO rankings. I *highly* recommend you > obtain the report if you are interested and have the money to do so... > > ----------------------------------------------------------------- > Securing Your Online Data Transfer with SSL. > A guide to understanding SSL certificates, how they operate and their > application. By making use of an SSL certificate on your web server, you > can securely collect sensitive information online, and increase business by > giving your customers confidence that their transactions are safe. > http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f > 194 > > > > > > > > ----------------------------------------------------------------- > Securing Your Online Data Transfer with SSL. > A guide to understanding SSL certificates, how they operate and their > application. By making use of an SSL certificate on your web server, you > can securely collect sensitive information online, and increase business by > giving your customers confidence that their transactions are safe. > http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f > 194 ----------------------------------------------------------------- Securing Your Online Data Transfer with SSL. A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
