IDS mailing list archives
Re: Firewall vs. IPS
From: Richard Bejtlich <taosecurity () gmail com>
Date: Fri, 20 Aug 2004 22:05:15 -0400
It's funny this is being discussed now. Addison-Wesley [0] asked me to do a short article for an upcoming Dr. Dobb's Journal [1], so I cover this subject. I argue against "convergence" between products doing "detection" and those doing "protection." Too many people focus on detecting _attacks_ when really they should be detecting _failures in protection_ caused by poor access control, exposure of vulnerable targets, and misconfiguration. This means the IDS remains a network audit device doing detection, and all products which filter, scrub, manipulate, or otherwise stop traffic be accepted as access control devices (aka "firewalls") doing protection. You can't have the same device do both functions. It's like a guard without a security camera thinking he's doing a good job when an intruder's already slipped behind him. If any convergence should take place, it should occur within the detection market (signature/anomaly/flow/etc. network/host-based IDS) and separately within the protection market (XML/spam/SQL/etc. IPS/firewalls). Sincerely, Richard http://www.taosecurity.com [0] http://www.awprofessional.com/title/0321246772 [1] http://www.ddj.com -------------------------------------------------------------------------- FREE Network Security Webinar - How to implement IPSec security into VPN appliances New threats and vulnerabilities require new high-performance IPSec VPN solutions for network protection. Join the security experts from SafeNet on August 26 at 1:00 PM (Eastern), and learn how to successfully integrate IPSec security into VPN processors and appliances to provide powerful yet cost-effective VPN solutions for your customers. Register now: http://www.securityfocus.com/sponsor/SafeNet_focus-ids_040817 --------------------------------------------------------------------------
Current thread:
- Re: Firewall vs. IPS Richard Bejtlich (Aug 21)