IDS mailing list archives
RE: [Securityfocus-focus-ids] IDS/IPS Value
From: "Remko Lodder" <remko () elvandar org>
Date: Wed, 25 Feb 2004 23:58:08 +0100
Hi,

Read the text, made my opinion clear, correct me if I am wrong :)

Comments inline.

--
Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene
mrtg.grunn.org Dutch mirror of MRTG

-----Original message-----
From: securityfocus-focus-ids-bounces () lists elvandar org [mailto:securityfocus-focus-ids-bounces () lists elvandar org] On behalf of Chuck Jenson
Sent: Tuesday, 24 February 2004 21:05
To: focus-ids () securityfocus com
Subject: [Securityfocus-focus-ids] IDS/IPS Value

I don't know if this horse has been beaten to death yet so I will get out my stick:

First of all, I work for NAI so I have to warn you I'm pro IPS. Knowing that:

I read all of these posts (Is IDS/IPS Worthless?) and either I'm missing the point or have incredible insight, but it seems to me that the IDS is strictly an information gathering tool for you to tune your firewalls (Host or Network Based).

===> Untrue, http traffic is most of the times passed => cannot tune your firewall for global http access. But you can see, hey, a perl execute attempt, damn it succeeded, let's upgrade our OS since it's nearly 2 years old....

Using an airplane analogy this time, IDS is like the black box on the plane, it didn't stop that crash, but it can help you keep the next plane from crashing in the same manner.

==> You can see bogus traffic, and prevent the crash if you are on time.... Since it can take a scan and some other predefined stuff before the launch.. you are able to react on it..

IPS is more like the stall sensor, it warns you at first, but then attempts to take corrective action.

==> IF it's defined.

The problem lies in when the sensor thinks there is a stall when there really isn't (False Positives).

From my experience at NAI (only since November mind you), my belief is that IPS has to be an evolution of the IDS solutions, you can prevent what you can't detect.

==> IDS/IPS both rely on signatures, so a hacker needs to write them (no other persons since they might not know systems in depth, perhaps even crackers..) IPS is another form of IDS in my opinion, IDS can take action upon signatures, so does IPS.

Right now there is no single solution that fixes everything, but you can put together a combination of HIPS, NIPS, AV and AntiSpam to make your network tough on the inside and out. It sure ain't plug n play either!

I'm in the process of trying to create a course in IPS methodologies and unless you have more money than Trump, you have to make some serious decisions on what, when and where to protect.

With all that said, I would like to solicit your opinions on how to get the best bang for the "buck" on IPS solutions. I'm not looking for product references, but things like why would you put a HIPS solution in one part of the network instead of NIPS? Or is AV & AS good enough in some places? Would you use HIPS or NIPS to protect yourself from internal attackers?

Be warned, if it's good, I will steal it, reference you and teach as many people as I can about it <Grin>.

==> :) Cheers.

Thanks!

Chuck Jenson, MCSE, CCNA, CISSP and all that other Cr*p
Views are my own and not necessarily of my companies