IDS mailing list archives
Re: Firewalls (was Re: IDS evaluations procedures)
From: Richard Bejtlich <taosecurity () gmail com>
Date: Mon, 18 Jul 2005 21:09:42 -0400
On 7/17/05, Devdas Bhagat <devdas () dvb homelinux org> wrote:
An IDS is not an attack prevention mechanism. An IDS is a tool to detect when your active attack detection mechanisms have been bypassed. An IDS is passive. It tells you what it can see, but it is not supposed to do anything to that traffic. Active elements are called firewalls, and firewalls include both packet filters and proxies.
Wow, I had almost given up hope that anyone else thought this way. Bravo Devdas.

The "IPS is better than IDS" crowd ignores the fact that an IPS is another kind of firewall, not an "improved" IDS. In fact, you could argue the IPS is a step backward from a stateful layer 3/4 firewall in that the IPS inverts a proven security model. Good security (implemented on most firewalls) says "allow what policy says is authorized, deny all else." The IPS model says "deny what policy says is malicious, allow all else." Marty pointed this out a while ago and it has stayed with me.

I think IPS is helpful when one needs to make granular access control decisions based on layer 7 traffic characteristics. However, large parts of the security community are still confused by a marketing person's decision to replace the letter "D" with a "P" in the I_S acronym.

Thank you,

Richard
http://www.taosecurity.com
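The two policy models contrasted in the post, as an added example that is not part of the thread: a default-deny firewall and a default-allow IPS evaluated over the same constructed flows, plus a layered variant that applies the IPS only inside traffic the firewall policy already authorizes. The allow rules, ports and signature string are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int
    payload: str  # constructed stand-in for the layer-7 content the IPS inspects

# Stateful layer 3/4 firewall model: explicit allow rules, everything else denied.
FIREWALL_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# IPS model: explicit "malicious" signatures, everything else allowed.
IPS_SIGNATURES = ("/../../etc/passwd",)  # constructed sample signature

def firewall_verdict(flow):
    """Default deny: only what policy names as authorized gets through."""
    return "allow" if (flow.proto, flow.dst_port) in FIREWALL_ALLOW else "deny"

def ips_verdict(flow):
    """Default allow: only what a signature names as malicious is blocked."""
    return "deny" if any(sig in flow.payload for sig in IPS_SIGNATURES) else "allow"

def layered_verdict(flow):
    """Firewall policy first; IPS inspection only inside the traffic policy allows."""
    return "deny" if firewall_verdict(flow) == "deny" else ips_verdict(flow)

# Constructed sample flows: an authorized request, an authorized port carrying a
# signature match, and an unauthorized service that matches no signature.
SAMPLE_FLOWS = [
    Flow("tcp", 80, "GET /index.html"),
    Flow("tcp", 80, "GET /images/../../etc/passwd"),
    Flow("tcp", 6667, "NICK bot42"),
]

def compare(flows):
    """Return (port, firewall, ips, layered) verdicts so the models can be compared."""
    return [(f.dst_port, firewall_verdict(f), ips_verdict(f), layered_verdict(f))
            for f in flows]

if __name__ == "__main__":
    for port, fw, ips, both in compare(SAMPLE_FLOWS):
        print(f"port {port:5d}  firewall={fw:5s}  ips={ips:5s}  layered={both}")
```

The third flow is the point of the post: the default-allow model passes traffic it has no signature for, while the default-deny model blocks it because nothing in policy authorized it.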