Re: Security followup

Subject: Re: Security followup
From: Decker Wong-Godfrey <dfgodfrey -at- milmanco -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Mon, 20 Jan 2003 18:14:34 -0800



On Monday, January 20, 2003, at 12:13 PM, Andrew Plato wrote:

> --- Decker Wong-Godfrey <dfgodfrey -at- milmanco -dot- com> wrote:
>
> > And what is the difference between an "in-line IDS and firewall
> > combination" and Snort/IPChains, PF, IPFilter, or any of the other
> > firewalls that Snort will dynamically configure? Neither you nor ISS has
> > shown anything inherently different about the two (other than the
> > marketing).
>
> Tell you what, build a Snort/IPChains dynamic system and put it out on the net
> and I'll test it. To date, dozens of people have told me they can do exactly
> what you claim, and not a single one of them has ponied up the instructions &
> binaries to do it.

You're trying to avoid the question. What's the difference?



> > Gee, I wish you'd qualified your last post with all this information.
> > So, really, unless you're an enterprise level customer, you don't need
> > to customize Snort. Almost everyone can benefit from it.
>
> Hardly. Snort is like long division. A great way to learn about IDS and a great
> solution for organizations that just want to play around and test out things.
> But when you get serious about deploying IDS in a distributed enterprise, Snort
> is really hard to work with. That doesn't mean it can't be done. But I think
> most companies come to the conclusion that it's better to go with a commercial
> product, even a commercial Snort sensor like Sourcefire.
>
> That said, it's a trade-off. Sure, Snort will work great in an enterprise. And
> if you have the expertise to do it, then do it. But Snort is by no means the
> "best" solution. It has numerous drawbacks. And any decent IT veteran would
> know how to objectively analyze those drawbacks.


Snort works just as well as any product from ISS, it's the interface that's different. Nothing more. You may find it hard to work with, but someone who knows how to code, or even someone who knows how to write a shell script can probably roll out an installation across all desktop workstations in about half the time it would take you to install ISS software on each machine in a large Windows domain. That time difference just goes up and up on the more workstations you have.

Sure, I bet that for someone who only knows how to use Windows, Snort may have drawbacks. You want to get in, get out and get the most profit return for your time. You want to have all your clients working with the same tools (which happen to be the same tools you get the most money for retailing). Snort provides more capability and more customizability.

For someone who knows Linux and Snort, it's a much better choice.



> > How many enterprise-level customers do you have that want a drop-in
> > solution to their problems? They know that it's worth the time and
> > money to get what they want. The thing to think about here isn't that
> > the customization had to be done, but that it could be done at all; ISS
> > won't provide you or any of your contractors with the ability to
> > customize their code for your needs.
>
> Sure they will. They provide me.

What exactly does this mean? They will provide Andrew Plato? And that is relevant in what way? Andrew Plato doesn't mean squat when you need to customize the system itself.


> > Well, since I've provided you with the evidence you're always asking
> > for, at least you could reciprocate. What makes IPS more than another
> > marketing buzzword?
>
> That's a big, long discussion. This entire thread really isn't for TECHWR-L.


And so, since you've stated yourself that the moderator hasn't said anything about the thread yet, why don't you go ahead and provide the relevant information. You keep making claims, appealing to authority, diverting the argument into finances... anything you can to avoid addressing the question. Does ISS provide anything that Snort/IPChains doesn't? You used the idea as a proof of security superiority, now you need to explain why.



> You can also read:
> http://www.der-keiler.de/Mailing-Lists/securityfocus/focus-ids/2002-10/0118.html


Congratulations. I'm happy for your success rate. I'm sorry to say, but the linked e-mail does a lot of marketing and very little explaining.

The thing is, you still haven't dealt with is the relevant question at hand: what does IPS do that Snort/IPChains doesn't?

And if it doesn't do anything different, then the link I posted yesterday (the one that said Automated Intrusion Protection is worse than useless) is directly relevant to the issue.



> > Heh, that's funny coming from someone who has made money from the open
> > source business model. How do you think you were able to make
> > customizations to Snort and not be forced to release them to anyone
> > else but the enterprise customer who contracted you? That's how open
> > source works.
>
> Oh sure, I've made money off open source. I've sold a lot of boxes that use
> open source. But, I've also made a lot MORE money supporting Windows boxes.
> Because there is a lot more of them to support.


You don't get it, do you. It's not the boxes you sell, its the ability to provide a service that open source provides. It's not a product, it's a service. Open source allows you, and allows everyone else here to provide a service to a client using the existing source code.



> > Think of software as a service, not a product and you'll be well on
> > your way to understanding how the open source business model works.
>
> Isn't that EXACTLY what Bill Gates says? Trippy dude.

Isn't it funny that the next Microsoft licensing scheme is based upon this same idea? Except under Microsoft's new licensing scheme, who gets to provide the services?

Microsoft alone.




> > The economics of Linux are a completely irrelevant matter.
>
> Oh God, no they are not! If you run a business or organization where revenue
> (funding) and expenses are important, then the economics of open source are
> critical. And security challenges are a cocktail of different, and sometimes
> competing issues. Economics plays a huge role in security issues. Many
> organizations cannot afford the kind of security that a big company can. As
> such, they must make do with more creative solutions. Ones that take into
> account not only funding, but also platforms, support, documentation -
> everything.


The economics of security issues is a completely different matter than the economics of open source. That wasn't even a good try, Andrew.

If you want to talk about the financial interdependence of security and corporate economics, go ahead. That's not what you were talking about before though. Just in case you need a little reminder, the out-of-context clip above was referring to the economics of open source. You stated that it wasn't possible for a company to make money with open source software.

So, if you want to quote me, go ahead, but at least do it in the context in which the statement was made. At least be honorable enough to address the issue rather than building up straw men to knock down.

So, now you want to talk about the economics of security issues. Well let's go. How much will it cost a company for the software to implement a Linux server with Snort and Snort's version of "IPS?"

$0.00

That's zero dollars and zero cents.


How much will it cost a company to implement Anitian's latest security system--even without the good service of Andrew Plato?


Hmm. Since I get something as good, or even better than the system Andrew is selling, I guess it may be in my interest to look into the open source solution.

But this is not about deploying a corporate infrastructure, and even if it was, I'd bet the total cost of operation over a five year period for a Windows system would far exceed a Linux system. I mean, the cost in labor alone for redeploying because the old OS is no longer supported by Microsoft is just like having to buy a whole new system. (Oh, and guess what, this version of ISS's software doesn't run on the newer version of Windows. Time to upgrade that too.)


> And this is where this issue should interest documentation people. This type of
> "multi-dimensional" problem solving is at the heart of any decent documentation
> set as well as security initiatives. I consider my documentation skills the
> most valuable resource in my security training because writing docs taught me
> how to look at an issue from multiple points of view simultaneously. How to
> analyze scenarios, see the bigger picture, and not fall victim to hype and BS.
> And one of the reasons I push back on the open source community is because it
> practices a rather typical form of hype.

I find it quite ironic that your last name is Plato. You use so much sophistry in your posts. There is no "multi-dimensional" problem solving going on here, there are some good debating tactics being used.


You haven't answered any of the questions posed to you. You've attempted to graft the economics of Linux with the security of a system with technical writing. You've even done a pretty good job of using sophistry to divert your reader's eyes away from the baffling logic it took to do that.

To tell you the truth, Andrew, I was tired of this a long time ago. I know from reading your posts in the past you'll never stop. It doesn't matter what kind of reasoning I use, what evidence I give, you'll just divert the argument to something completely tangent to the topic, and then appeal to your "expert authority" as the only basis of reasoning. When things get rough, you resort to sophistry. I recognized that, but from the private e-mails I got, I saw that there were many who were interested in not only the topic, but just seeing someone that wasn't going to give in to your badgering. Well, I'm done. I'm sorry but I have better things to do with my time than mince words with a sophist. If you want to continue discussing the issue, I'm all ears. Otherwise, just keep on trying to convince people that you know everything.

You know a lot. You don't know a lot about Linux. It shows. The issue is, and has always been, the issue of the security of Linux vs. the security of Windows. Your opinion of Linux or Windows isn't going to change a thing. My opinion isn't either.

Over the next decade, we'll see exactly how things play out by watching much more powerful people and companies decide what is best for their organization. I'll tell you what though, riding on the coattails of one vendor is a dangerous thing, no matter whether you're in security or technical writing. Especially when the likes of IBM, Sony, Hitachi, and many, many others have begun to turn to Linux.


