IDS mailing list archives

Re: Is IDS/IPS worthless?


From: "Andy Cuff" <lists () securitywizardry com>
Date: Sat, 21 Feb 2004 21:04:30 -0000

Hi Andrew,
Lovely topic for the weekend!! What I have written below are just my
feelings on the subject; to help you keep them in perspective I should point
out that I'm very passionate about the use of IDS and IPS and feel similarly
annoyed at these recent opinions.  From what you have said you countered his
suggestions very well. I would only add: what would the cost to the company
be if it were hacked?

IMHO IDS and IPS are not dead, quite the reverse, but in order to make them
useful they require a degree of continued investment and support.  In some
part the vendors are to blame for selling their product to organisations
where they know full well that they won't be supported, in order to make a
fast buck (puts asbestos suit on). This is not always the case as I've had
some refreshingly pleasant experiences from certain vendors who genuinely
want to ensure that their products are optimised to the environment and
phone periodically offering free visits from their support staff!!!
The organisations themselves are equally if not more blameworthy for
purchasing the products without fully investigating the issues surrounding
them.

With regard to the business case, surely the business in question is
duty-bound to assure the integrity of data relating to their customers; in
certain circumstances they are legally bound.  Now, the law does not dictate
what products should be in place to provide this assurance and PERHAPS there
is a case for network defense not requiring IDS/IPS to protect their network
because the other methods are so effective. In which case perhaps they will
use their corporate webpage saying "You Are Owned By......" to detect
intrusions, or the Wall Street Journal, it's not quite "near real time" but
highly effective in making those who you don't want to know, know about your
lack of investment in network security.  Stats always work well; has anyone
investigated and recorded the drop in share prices following an attack?  IDS
per se won't prevent these attacks but at least they may alert the business
to them having occurred and provide sufficient time to put a spin on the
event.  Anyone remember the recent defacement that turned out to be a
honeypot? ;o)

I consider them essential in today's networks but I like the concept of
defense in depth to run very deep; however, if an IDS or IPS isn't
maintained correctly it can create more problems than it solves, as it
may lull the staff into a false sense of security.

just my 2 cents

-andy
Talisker Security Tools Directory
http://www.securitywizardry.com
----- Original Message ----- 
From: "Andrew Plato" <aplato () anitian com>
To: <focus-ids () securityfocus com>
Sent: Friday, February 20, 2004 4:31 PM
Subject: Is IDS/IPS worthless?


