IDS mailing list archives

Re: IPS, alternative solutions


From: Johann_van_Duyn () bat com
Date: Wed, 15 Sep 2004 17:17:50 +0200

Good point regarding the host based protection. Patrick Evans, MEA Manager 
for Symantec, once shared Symantec's view on intrusion prevention, and, in 
short, it goes something like this:

IPS is more than just inline or "active" IDS: it is a combination of 
technologies, people and processes that ensure that machines and the 
applications running on them are resistant to, able to recognize and able 
to recover from attack (anyone read Carnegie-Mellon's Survivable Systems 
Analysis papers lately... it's been around a while, but it's good stuff, 
and that's what I call real intrusion prevention). This means a 
combination of good practices, config and dev standards, gateway security, 
network security, host security and application security measures and 
measuring/auditing capabilities.

It's not a popular notion, though... the marketing types don't find it as 
sexy telling you to get your act together and do things the right way as 
they do telling you that they have one box that solves all your security 
problems. 

Using IPS is cool, but only if you're using it as a small cog in a larger 
security machine that makes sense as a complete protective system.

Just my R0.02. :-)

--------------------------------------------------------
J o h a n n   v a n   D u y n
--------------------------------------------------------





Daniel <deeper () gmail com>
14-09-2004 12:01

 
        To:     focus-ids () securityfocus com
        cc: 
        Subject:        IPS, alternative solutions




So far there has been a load of talk discussing which is the better 
technology. Personally I don't think IPS is ready for the big time. Yeah, 
it's great for small mum and dad networks, but for large financial networks 
with billions of pounds flowing across them, would you trust a technology 
to think and block what it sees as bad traffic?



So what are the alternatives?

I'd say more host based protection such as:

- Stack protection
- Application level firewalls (ModSecurity/SecureIIS)
- Host based firewalls

I'm interested to see what everyone else feels are alternatives to IPS.

