IDS mailing list archives

RE: need your help about IPS and IDS,thanks


From: "Stuart Staniford" <stuart () nevisnetworks com>
Date: Mon, 22 Nov 2004 08:51:11 +0530


Chris Peterson wrote:

> Lily, I think of IPS as IDS with the ability to take action.  Both IPS
> and IDS have techniques for detecting malicious activity and most
> commercial products use a combination:

I agree with everything Chris said.  There's just one point on the IPS/IDS
difference that I'd like to highlight because it often seems to get missed
in this particular recurring debate.  That's the issue of evasion
resistance.  An inline IPS has a much broader range of options open to it
because it can actually normalize the traffic.  E.g., if there are weird
overlapping retransmissions, the IPS can pick one and only allow that
through.  By contrast, an IDS that is not inline is forced to somehow deduce
(or guess) which one might have made it to the end-host and actually been
accepted (which tends to mean it needs a lot of information about the
end-hosts to really do a good job).

Stuart.  

Stuart Staniford, Principal Scientist
Nevis Networks
stuart () nevisnetworks com
408-327-4652
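
The overlapping-retransmission case from the message above, as an added example that is not part of the original post: a passive sensor gets a different stream depending on which reassembly policy it assumes the end host uses, while an inline normalizer picks one copy and forwards only that. The segment model, the sample data and the choice to keep the first copy are assumptions made for illustration.

```python
# Simplified model (assumption): a segment is (stream_offset, payload), listed
# in arrival order; sequence wraparound, windows and gaps are ignored.
SEGMENTS = [(0, b"AAAA"), (4, b"BBBB"), (2, b"XXXX"), (6, b"YYCC")]  # constructed

def reassemble(segments, policy):
    """Rebuild the stream as an end host would. policy "first" keeps the
    bytes that arrived first; "last" lets a later copy overwrite them."""
    stream = {}
    for offset, data in segments:
        for i, byte in enumerate(data):
            if policy == "last" or offset + i not in stream:
                stream[offset + i] = byte
    return bytes(stream[pos] for pos in sorted(stream))

def find_conflicts(segments):
    """Offsets where a later segment disagrees with data already seen."""
    seen, conflicts = {}, []
    for offset, data in segments:
        for i, byte in enumerate(data):
            if seen.setdefault(offset + i, byte) != byte:
                conflicts.append(offset + i)
    return conflicts

def normalize(segments):
    """Inline device: forward only the first copy of each byte, trimming
    overlaps, so every end-host policy rebuilds the same stream."""
    seen, out = set(), []
    for offset, data in segments:
        run_start, run = offset, bytearray()
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen:            # already forwarded: drop this copy
                if run:
                    out.append((run_start, bytes(run)))
                    run = bytearray()
                continue
            if not run:
                run_start = pos
            seen.add(pos)
            run.append(byte)
        if run:
            out.append((run_start, bytes(run)))
    return out

if __name__ == "__main__":
    for policy in ("first", "last"):
        print("passive view,", policy, reassemble(SEGMENTS, policy))
    print("conflicting offsets:", find_conflicts(SEGMENTS))
    clean = normalize(SEGMENTS)
    print("after normalization:", {p: reassemble(clean, p) for p in ("first", "last")})
```

For a sensor that is not inline, a non-empty result from `find_conflicts` is itself worth alerting on, since it marks exactly the bytes where the sensor's view and the end host's view may differ.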


