Are IDS/IPSs becoming the next birds?
What happened to the dinosaurs? Even my little 4-year-old son will tell you that they turned into birds. The same might be happening to IDS/IPS: they are turning into UTMs or post-admission NAC solutions. Could the day be far off when stand-alone IDS/IPSs are no more? If you read the recent SC Magazine IPS group test, the recommended product was actually an add-on to a firewall. Tipping Point and Juniper are combining firewall and IPS functions, and companies like Fortinet, Astaro and Crossbeam all sell IPS combined with other security functions. The move to UTM seems deep and well established. Even the granddaddy of IDS, ISS, now markets an entire Proventia suite, of which IPS is only a part.
The other evolutionary move is not quite as obvious, but it is in full force nevertheless. That one has IPS/IDS becoming a post-admission NAC technology. The latest to jump on this bandwagon appears to be Sourcefire, with its RNA 4.0 becoming "the world's first automated, real-time network compliance solution". So what they are really saying is that, instead of just alerting on and dropping packets from malicious activity, as their product has done for years, it is now an endpoint compliance solution that will stop that endpoint from putting malicious traffic onto the network, thereby enforcing your policy against malicious traffic. OK, that is a bit circular. It sounds like the same damn thing to me with the word "policy" wrapped around it. They are going to find people putting bad stuff on the network, or vulnerabilities they can detect passively. But how do they find out what .dat file your anti-virus is running, what your Windows security settings are, what your macro settings are, or whether your personal firewall is on? Those are host-side facts that a sensor watching traffic can't reliably see. I don't know why people buy into calling this endpoint compliance, policy compliance or NAC. But they claim real-time protection. What does real time mean to you? To me it means you are going to test and quarantine a device before it comes onto a network and does harm. In a post-admission NAC solution, that is impossible. Sourcefire's RNA won't know a device is on the network until it is on the network.
Let me not single out Sourcefire; they are not alone in this approach to post-admission NAC. There are other companies with failed IPS business models that have jumped on the NAC bandwagon as well. One CEO told me that though they used to market themselves as an IPS, they were always a NAC, just misunderstood. It actually makes sense that you can use IDS, IPS and vulnerability management for post-admission NAC. I think you will see more and more of this as time goes by. So, next time you look under the feathers of your UTM or post-admission NAC solution, be careful: you may just find an old IPS there.