Re: Security followup

Subject: Re: Security followup
From: Andrew Plato <gilliankitty -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Sun, 26 Jan 2003 00:21:54 -0800 (PST)


"Decker Wong-Godfrey" wrote...

> Since I have a little bit of time now, I thought that it would be in the
> best interest of the list to respond to some of the misinformation in
> Andrew's last mail in this thread.

Well if we're back to discussing concepts and not personalities, then I am all
game!

> A heuristics engine doesn't make ISS any different from Snort. It simply
> uses the same patterns that Snort uses and tries to define new attacks
> based upon them. There is no inherent difference between the two. This
> means that the link that I posted earlier in this thread shows intrinsic
> problems with ISS's product.

This is not true at all. The engines have many inherent differences.

1. The ISS BlackICE engine is primarily a sniffer or protocol analyzer. It
performs a full decode on traffic and applies heuristic checking at all levels.
Snort only does partial decodes and even then its protocol capabilities are
limited.

2. Snort is HEAVILY dependent on its rule set which must be custom built by the
user. Sure, you can download rule sets off the Internet, but these must be
pieced together. The only way to effectively use Snort is to learn its rule
language. RealSecure, as well as most commercial IDSs, have automated signature
updating.

3. Snort is not very good with day zero attacks. Because Snort is heavily
dependent on its rule set, it is not always the most capable at detecting
variants of existing attacks. A protocol analysis based IDS can often pick up
variants because it keys on more fundamental problems and not just a pattern.

4. Integrated management, trace file captures, session playback, TCP sniping,
the list goes on and on.

Again, Snort is a perfectly capable IDS, but it is not the same as the
RealSecure engine.

> > That is simply not true and I have the actual invoices and timesheets from
> > skilled UNIX engineers (not me) that would resoundingly prove you wrong. On
> > average, jobs with Linux systems take longer and cost more.
> And when is the last time your engineers did an enterprise-wide roll out
> of Snort on all workstations? I'm not talking about a couple of
> machines, I'm talking about the ability to be running Snort on every
> machine. (That's what the open source licensing scheme allows you to
> do.)

I cannot respond to specific customers or arrangements as that would be a
breach of confidentiality with my customers. But, I have cleaned up after at
least three or four enterprise Snort deployments (number one complaint -
management of consoles was a pain). We have also helped at least two customers
deploy Snort sensors. These worked fine until the sensors failed to pass an
audit from an external auditor (not my firm). The Snort sensors were ripped out
and replaced with ISS which did pass.

> You probably don't know about the phenomenon of the "killer-app" yet.
> Once you learn more about Linux, you'll find that there are a number of
> projects that have no competition. The killer-app becomes the only
> application that is used for a certain purpose simply because it is far
> better than all the rest--providing for the needs of everyone in the
> community. It's not that there are no others, it's just that Snort
> offers more than anyone else.

Snort offers a lot. Snort is very good for learning about IDSs and for simple,
one sensor deployments. But it is not the ideal tool for every environment.
Just as a pair of pliers can remove bolts, it's not the best tool for bolt removal in
all circumstances. But, when you have nothing else, a pair of pliers can do the trick.

As for the "killer app", I saw Cringely's "Triumph of the Nerds" on PBS also.
Linux and the open source world have many great applications - Apache for
example. But the closed source world has a lot as well. The competition between
closed and open source is good. It makes for better products on BOTH sides.

> One of the things you might learn about Snort is that one of its main
> strengths is its ability to accept plugins. You've gone to great
> lengths to say that Snort itself doesn't do any of these things. You're
> right. Snort runs using the UNIX worldview.

Which is third-party stuff that must be obtained, tuned, and managed
separately. It does nothing natively.

> When you learn more about Linux and the UNIX way of doing things you
> might find out that Linux uses modular tools that work together. The
> smaller tools working together make for a much more powerful whole.

Doesn't mean they are easier or more effective.

> So no, Snort itself can't do any of these things, but Snort does allow
> other programs to do all of these things when they work in conjunction
> with each other.

But that also dramatically increases administrative overhead. When you have to
manage 1000 servers, it's not fun to have to troubleshoot 100 different
programs, each written and designed by different groups with no common
language. When 1000 servers must be managed by 5 people, you get really sick
and tired of having to fish around for solutions. It's easier, and more cost
effective, to purchase a complete package that already has all the features you
want integrated and ready to go.

> As for "ease of set up," let me just give you an example of how hard it
> is to set up Snort on a user machine. I just installed Snort on a Linux
> machine down in Phoenix a few days ago (the funny thing is, I never had
> to leave Washington to do it). It took me all of 12 minutes to have a
> basic desktop configuration and all of the filters I wanted in place.

Good for you.

> Technical support: I guess we all know what a great resource mail-lists
> are. If you find that a mail list is a valuable resource, then you may
> find that Linux technical support far surpasses anything that can be
> offered by Microsoft.

http://support.microsoft.com

Type in a problem, an answer comes back in seconds. I've resolved thousands of
issues with that. Never once did I have to sift through countless newsgroup
postings or worse, listen to the incessant editorializing from some lunatic
about my choice of mail readers.

> Integrated solution: Sounds more like a marketing buzzword than
> something ISS does that Snort/IPChains doesn't. What is "Integrated
> solution?"

All features in one installable package. Pre-wired to work with management,
alerting, updating, etc.

> Documentation: Good point. This is really where Linux is weak. This is
> really why it's such a good time to be looking at Linux if you're in the
> technical documentation field.

Well, that makes a big difference to a group that must support these machines,
hire people, and train them. It's a lot harder to find skilled Linux engineers
who can truly manage a large deployment with skill and expertise.

> A company's ability to make money using the open source business model
> has nothing to do with a company's economic vs. security needs.
> Do you understand? I'm getting tired of saying the same thing over and over
> again. I'm not talking about any individual company's bottom line. It
> took an awful lot of cutting my words before you could produce that
> idea.

What exactly are you saying?

You stated earlier in this thread that "the economics of Linux are completely
irrelevant." Irrelevant to WHOM?

If you are an IT manager, tasked with securing your infrastructure, the
economics (the costs & benefits) of a platform are extremely relevant.

> It was dishonorable of you to manipulate my words into something they
> obviously weren't referring to.

So what were you referring to? Explain it to me and stop calling me names.

> > Time and computers cost money! And time is often the most costly of
> > commodities.

> I was referring to the cost of software--look, it even says it.

So if people are considering using Snort or Linux, the cost of the computers
and time to set it up isn't relevant.

Using this same reasoning: why doesn't everybody drive a BMW or Mercedes vs. a
Kia or a Honda? After all, the Benz gives you the floor mats for free, but Kia
charges $25.00. I mean, a Mercedes is arguably better designed than a Kia Rio.
So why would ANYBODY in their right mind drive a Kia Rio?

Oh yeah, a Mercedes costs $60,000 and a Kia costs $8500. But we're not talking
about the actual cost of the ENTIRE car. We're just talking about the floor
mats. In that case, get the Benz. The floor mats are FREE. Get that. FREE. As
in $0.00 zero dollars and zero cents!

> Thank you again to all who have endured this long, unproductive thread.

According to the private emails I have received, some people have felt that
this was very productive. I agree. I think we've cleared the air on some very
interesting ideas. And established basic ideas like:

Open source is good, but not always the best solution for an environment.

Free software isn't free (computers cost money, time to set up costs)

Security is more complex than just a single product or technology.

We've explored some of the technical underpinnings of IDS technologies. One
person replied to me and said she was never aware of the technical differences
in IDSs. She thanked me for the extended lesson in IDSs.

I think it's been very useful. Granted, it hasn't been about tech writing.
However, I have argued against some of the things you said. So I could
understand how you wouldn't see this as productive.

> I've become used to discussing things
> with people who actually care about the ideas rather than their ego.

Pot, kettle, black.

Andrew Plato

