RE: IPS (was: Sources for Extranet Designs?)

["Marcus J. Ranum" <mjr () ranum com>]

Stiennon,Richard wrote:
> Multiple methodologies to determine malicious intent. Usually includes signature, protocol anomaly, behavior and flow 
> capabilities. 

And since we've got you here....

Can you explain how these "signatures" and "protocol anomaly" detectors
and "behavior and flow capabilities" are going to NOT suffer all the problems
with false positives that caused Gartner to announce that IDS was a
failure?

 From your own definition, it sounds like you at least understand that
the functional mechanisms for detecting "malicious intent" are the
same in an "IPS" as they are in an IDS. So if you guys at Gartner
think IDS sucks because it can't do an accurate enough job of
detecting "malicious intent" I'd love to hear how you think it's going
to work better in an "IPS" when a false positive results in a dropped
connection.

I'm so glad you're monitoring this list - that way we can get the
explanation straight from the horse's mouth, as it were...*

mjr.

(* With apologies to my horse P-nut who doesn't read this list.
The expression "straight from the horse's mouth" means something
entirely different once you've spent some time with equines. You
should see what my white straw stetson looked like "straight from
the horse's mouth" the time P-nut played 'fetch' and 'tag' with it) 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards