IDS mailing list archives

Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sat, 15 Oct 2005 07:23:59 +1300

Tim Holman wrote:

> 2) Problems with false positives, as by using pattern matching signatures, there is always a chance that these patterns also appear in valid traffic


Huh?? "IDS have false positives and IPS don't"??? Yeah - right.

The only way that statement could be true is if the IPS had zero rules loaded. One of the big differences between IDS and IPS is that an IDS allows you to run with riskier rules than an IPS. As an IPS blocks - any False Positive is a Bad Thing. A FP with an IDS is just another alert.

IPS tend to run with a fraction of the rules that an IDS uses. Try explaining to your HR Manager why your IPS just blocked the payroll server due to some half-assed antispyware rule. "Conservative" is a word to use WRT IPS.

> 3) Management overheads. An IDS can only be a reasonably effective prevention method if there is someone on hand 24/7 to monitor logs and take immediate action on intrusions. Even then, the intrusion has got in, as admins very rarely use the active blocking features of an IDS (namely sending RST packets to kill connections, or modifying upstream ACLs), as these are too likely to have an effect on valid traffic


?? An IDS needs to be managed, but an IPS doesn't? Must be turned off then ;-)

> 4) There is absolutely no protection for rate-based attacks (SYN, TCP, UDP floods)

Yup - IPS have paid more attention to that alright.

> 5) Without maintaining a L3/4 connection/state table, there is no way an IDS can be truly stateful. 100% statefulness means that everything from the initial SYN to the final RST/FIN packet of a connection is stored in a connection table. This requires the device to be INLINE, and operating at L3. This is the only way a protection device can provide effective defence against L3 attacks. An offline IDS cannot do this.


??? IDS cannot be stateful??? Sorry - they can.

> I would recommend looking at IPS products instead, so something that you can position inline and get immediate value from.


I'd recommend an IPS with IDS functionality myself. Block what you are confident with, alert on the rest.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
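The statefulness point in item 5 and the reply to it, as an added example that is not from this thread or either poster: a passive TCP connection table that an out-of-band sensor can build purely by observing flags on a SPAN port or tap, so tracking a connection from SYN to FIN/RST does not require sitting inline. The packet records and addresses are constructed sample data, and the simplified state machine (no sequence-number checking) is this example's own.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str    # "ip:port" (constructed sample values)
    dst: str
    flags: str  # subset of "SAFR": SYN, ACK, FIN, RST

class PassiveConnTable:
    """Track TCP connections from SYN to FIN/RST by observation only (no blocking)."""
    def __init__(self):
        self.conns = {}    # (client, server) -> state
        self.alerts = []   # packets that belong to no observed handshake

    def _key(self, p):
        # A connection is keyed by its client side; look up either direction.
        return (p.src, p.dst) if (p.src, p.dst) in self.conns else (p.dst, p.src)

    def observe(self, p):
        if "S" in p.flags and "A" not in p.flags:          # a bare SYN opens an entry
            self.conns[(p.src, p.dst)] = "SYN_SENT"
            return "SYN_SENT"
        key = self._key(p)
        state = self.conns.get(key)
        if state is None:                                   # mid-stream packet, no handshake seen
            self.alerts.append(f"out-of-state {p.flags} {p.src}->{p.dst}")
            return "UNKNOWN"
        if "R" in p.flags:
            self.conns[key] = "CLOSED"
        elif state == "SYN_SENT" and "S" in p.flags and "A" in p.flags:
            self.conns[key] = "SYN_RECV"
        elif state == "SYN_RECV" and "A" in p.flags:
            self.conns[key] = "ESTABLISHED"
        elif "F" in p.flags:                                # first FIN half-closes, second closes
            self.conns[key] = "FIN_WAIT" if state == "ESTABLISHED" else "CLOSED"
        return self.conns[key]

def run(packets):
    """Return the state after each packet plus any out-of-state alerts."""
    table = PassiveConnTable()
    return [table.observe(p) for p in packets], table.alerts

# Constructed trace: one full handshake and teardown, then a RST for a connection never seen.
SAMPLE = [
    Pkt("10.0.0.5:40000", "10.0.0.9:80", "S"),
    Pkt("10.0.0.9:80", "10.0.0.5:40000", "SA"),
    Pkt("10.0.0.5:40000", "10.0.0.9:80", "A"),
    Pkt("10.0.0.5:40000", "10.0.0.9:80", "FA"),
    Pkt("10.0.0.9:80", "10.0.0.5:40000", "FA"),
    Pkt("10.0.0.7:5555", "10.0.0.9:80", "R"),
]
```

The sixth packet produces an alert rather than a block, which is the IDS side of "block what you are confident with, alert on the rest".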


