Re: Security followup

Subject: Re: Security followup
From: Decker Wong-Godfrey <dfgodfrey -at- milmanco -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: 25 Jan 2003 20:07:18 -0800


Since I have a little bit of time now, I thought that it would be in the
best interest of the list to respond to some of the misinformation in
Andrew's last mail in this thread. To all of you who have had this
wandering discussion fill up your in-boxes, and couldn't care less, I am
sorry.

> Snort is a pattern-recognition IDS with pre-processors. ISS is a protocol
> analysis-based IDS with a complex heuristics engine. While they share some
> similar capabilities, they are nothing alike.
>
A heuristics engine doesn't make ISS any different from Snort. It simply
uses the same patterns that Snort uses and tries to define new attacks
based upon them. There is no inherent difference between the two. This
means that the link that I posted earlier in this thread shows intrinsic
problems with ISS's product.

> There are other differences, as well as lots of other products.
>
> [Snort is] just not the best solution for large-scale enterprise
> deployments. Heck, even Marty (the inventor) would probably concede that
> concept.
>
Since Marty uses the same engine behind his enterprise deployments, I'm
sure he'd be glad to find that out.


> > someone who knows how to code, or even someone who knows how to write a
> > shell script can probably roll out an installation across all desktop
> > workstations in about half the time it would take you to install ISS
> > software on each machine in a large Windows domain. That time
> > difference just goes up and up on the more workstations you have.
>
> That is simply not true and I have the actual invoices and timesheets from
> skilled UNIX engineers (not me) that would resoundingly prove you wrong. On
> average, jobs with Linux systems take longer and cost more.

And when is the last time your engineers did an enterprise-wide rollout
of Snort on all workstations? I'm not talking about a couple of
machines, I'm talking about the ability to be running Snort on every
machine. (That's what the open source licensing scheme allows you to
do.)

You did read the post you're responding to, right?


>
> > For someone who knows Linux and Snort, it's a much better choice.
>
> For somebody who uses Linux, it's about the ONLY choice. ISS does have a server
> sensor for RedHat Linux. I think Enterasys has one as well. I know Okena has a
> UNIX agent, but I think it's just HP UNIX, AIX, etc.
>
You probably don't know about the phenomenon of the "killer-app" yet.
Once you learn more about Linux, you'll find that there are a number of
projects that have no competition. The killer-app becomes the only
application that is used for a certain purpose simply because it is far
better than all the rest--providing for the needs of everyone in the
community. It's not that there are no others, it's just that Snort
offers more than anyone else.

> > Does ISS provide anything that Snort/IPChains
> > doesn't? You used the idea as a proof of security superiority, now you
> > need to explain why.
>
> Yes. I will give three examples:
>
> Correlation:
> ...
> Snort does not, natively, have any such engine.
>
> Dynamic response: Snort cannot dynamically make firewall configurations or
> respond to events with anything other than traps, emails...
> Heuristic engine: Snort.. is not, natively, able to decode protocols.

One of the things you might learn about Snort is that one of its main
strengths is its ability to accept plugins. You've gone to great
lengths to say that Snort itself doesn't do any of these things. You're
right. Snort runs using the UNIX worldview.

When you learn more about Linux and the UNIX way of doing things you
might find out that Linux uses modular tools that work together. The
smaller tools working together make for a much more powerful whole.

So no, Snort itself can't do any of these things, but Snort does allow
other programs to do all of these things when they work in conjunction
with each other.

>
> > The thing is, you still haven't dealt with the relevant question at
> > hand: what does IPS do that Snort/IPChains doesn't?
>
> Dynamic response. Enterprise configuration. Ease of set up. Technical support.
> Integrated solution. Documentation.
>
Dynamic response is exactly what Snort/IPChains does. That's the whole
purpose.

Since you have said that your own UNIX engineers have done an
"enterprise configuration," I don't understand what you're saying.

As for "ease of set up," let me just give you an example of how hard it
is to set up Snort on a user machine. I just installed Snort on a Linux
machine down in Phoenix a few days ago (the funny thing is, I never had
to leave Washington to do it). It took me all of 12 minutes to have a
basic desktop configuration and all of the filters I wanted in place.

Technical support: I guess we all know what a great resource mail-lists
are. If you find that a mail list is a valuable resource, then you may
find that Linux technical support far surpasses anything that can be
offered by Microsoft.

Integrated solution: Sounds more like a marketing buzzword than
something ISS does that Snort/IPChains doesn't. What is "Integrated
solution?"

Documentation: Good point. This is really where Linux is weak. This is
really why it's such a good time to be looking at Linux if you're in the
technical documentation field.


> > The economics of security issues is a completely different matter than
> > the economics of open source. That wasn't even a good try, Andrew.
>
> Oh no they're not. The two are deeply intertwined, and you should support that.
> Because any decent IT geek is doing his ROI on commercial vs. open source when
> considering ANY security technology.
>
A company's ability to make money using the open source business model
has nothing to do with a company's economic vs. security needs. Do you
understand? I'm getting tired of saying the same thing over and over
again. I'm not talking about any individual company's bottom line. It
took an awful lot of cutting my words before you could produce that
idea.

It was dishonorable of you to manipulate my words into something they
obviously weren't referring to.

> > So, now you want to talk about the economics of security issues. Well
> > let's go. How much will it cost a company for the software to implement
> > a Linux server with Snort and Snort's version of "IPS?"
> >
> > $0.00
> >
> > That's zero dollars and zero cents.
>
> Very wrong.
>
> That has to be run on a computer. Computers cost money. Somebody has to set it
> all up. That means PAYING an employee or contractor to set it all up. Do you
> work for free? I don't.
>
> Time and computers cost money! And time is often the most costly of
> commodities.

I was referring to the cost of software--look, it even says it.

You did read the post you're responding to, right?

And let me just paste-in the rest of this idea (you remember, that part
you cut that was just after the clip above). I'm reposting my same words
because I already dealt with this issue before you even responded.

> > But this is not about deploying a corporate infrastructure, and even
> > if it was, I'd bet the total cost of operation over a five year
> > period for a Windows system would far exceed a Linux system. I mean,
> > the cost in labor alone for redeploying because the old OS is no
> > longer supported by Microsoft is just like having to buy a whole new
> > system. (Oh, and guess what, this version of ISS's software doesn't
> > run on the newer version of Windows. Time to upgrade that too.)


Thank you again to all who have endured this long, unproductive thread.
Since I have invoked the magic mail filter (my computer sends all mail
which contains a certain name, or certain e-mail address right where it
belongs--and techwr-l is a much nicer place for it), I expect this to be
the last e-mail I'll send on this subject, even if there is a response.
My apologies to you all that I had to clumsily attempt pinning down this
discussion (so it might be something helpful), rather than actually
discussing anything; silly me, I've become used to discussing things
with people who actually care about the ideas rather than their ego.






