IDS mailing list archives

Re: How to choose an IDS/FW MSS provider


From: Richard Bejtlich <taosecurity () gmail com>
Date: Sat, 19 Mar 2005 22:57:37 -0500

On Wed, 16 Mar 2005 18:08:12 -0500, Jason <security () brvenik com> wrote:

The IPS cannot be _in_ the networks to be protected and must remain at
the borders. This means that you can have systems compromised within the
internal borders and still end up with a big mess. An IPS is a useful
tool for mitigating nuisance issues and rapidly moving threats only if
it can respond before those threats occur. In the case of Witty it was
the threat. What if those systems had been inline?

Defense in depth is the key element, and whether or not you combine the FW
and the inline device, you still have to monitor the networks to really
know what is happening.

Earlier Chris Harrington said "IPS / IDS down to the switch port is
where I see this heading."  I agree with him.  Routing and switching
products today offer access control via ACLs, firewall feature sets,
network-based application recognition (NBAR), context-based access
control (CBAC), and so on.

I also think Jason has a point.  The increased complexity of products
which formerly only routed and switched packets makes them targets in
their own right.  That is why I agree with Jason that products and
processes which take independent looks at network activity must remain
separate from those performing access control.  The single uber-box
that performs all network functions will be exceedingly complex and
will become attractive and easy prey for intruders.  People not
monitoring their routers and switches for indicators of compromise
will wish they had.

Richard
http://www.taosecurity.com
