IDS mailing list archives
RE: IPS comparison
From: "Zahir, Rubayat" <rubayat.zahir () csfb com>
Date: Fri, 2 Sep 2005 17:50:01 +0100
Good day everyone,

IDS/IPS has gotten much better in the industry, and more sophisticated; agreed, but so have attacks and vulnerabilities, which have been the primary driver for their enhancement. In any event, my point to all was: IDS and IPS are great, as long as you have continuity in maintaining and monitoring them.

My recommendation to all is to continuously scan the network and learn new attack methods, because new penetration tactics performed by hackers are devised to bypass your IDS/IPS. Especially if you look at the code, the instructions in that code, and the modification capabilities of that code, which allow you to do so easily. Additionally, my example may have been outdated, but the technical facts still apply to modern attacks on the network.

The mere thought of depending on any single product for protecting/detecting attacks on one's network is an example of faulty thinking on one's part. IDS/IPS from any vendor cannot and will not ever be foolproof. Most firms use them to reduce risk. But the key is to make sure you monitor the tools, have a dedicated staff to react to any major attacks, and have a firm incident response procedure and team. Most importantly, where you place your sensors is the key to architecting your IDS. You will be surprised how that's done wrong.

Thanks.

Sincerely yours,
Rubayat M. Zahir

-----Original Message-----
From: James Williams [mailto:jwilliams () mail wtamu edu]
Sent: Friday, September 02, 2005 9:20 AM
To: Rubayat.Zahir () csfb com; focus-ids () securityfocus com
Subject: RE: IPS comparison

If you haven't used the Cisco IDS/IPS solution recently, maybe you should. It's been greatly improved over the last couple of years. Also, Cisco DOES have IPS solutions that you can put on servers and on the desktop that support Windows, Linux, and Solaris, and they are working on a Mac client, so I've been told. Take a look at the Cisco IPS 4200 series appliances as well as Cisco CSA and Cisco Clean Access.

Your facts are a bit misconstrued, based on where the IDS/IPS market was a couple of years ago. I'm pretty sure that ALL products in the IPS/IDS market have made huge leaps and bounds in how their product operates. Code Red and Nimda were both worms from 2000/2001, when IPS technologies were much younger technologies, whereas Slammer happened in early 2003. In technology that's a lifetime of growth and maturity. Most IPS vendors are using behavior-based metrics to determine what an attack is and what isn't. That makes it much easier for vendors to help mitigate zero-day attacks. The Cisco CSA blocked Blaster and the more recent Zotob without any updates. It simply saw a behavior that wasn't normal and blocked it.

On my personal computer at my house I personally use Prevx. So far it's turned out to be a great product. I've installed it on a fresh install of a Windows XP computer and put it on the Internet unprotected, and it blocked all the known worms, such as Blaster, that wreaked havoc for many universities and companies in August of 2003.

Anyways, all I'm trying to say is that the IDS/IPS industry has gotten much better at what they do best, and I think a lot of the material that you are basing your comments off of is from at least two years ago.

James Williams, GISF
Network Systems Technician

-----Original Message-----
From: Rubayat.Zahir () csfb com [mailto:Rubayat.Zahir () csfb com]
Sent: Thursday, September 01, 2005 1:40 PM
To: focus-ids () securityfocus com
Subject: IPS comparison

IPS/IDS vendors can claim all they want on zero-day exploits. I can assure you it's a player's luck. I had a client during my Big X career who was saved by ISS on SQL Slammer, and hit hard on Nimda and Code Red. It's really a player's luck. All IDS/IPS require full customization to your environment (i.e. applications, code, platforms, etc.). Second of all, based on the patterns I have seen, there is truly a variance among vendors (ISS, Enterasys, Cisco, Snort, etc.).
Lastly, the best of all IDSs are the ones that have the capability to perform attack correlation.

Some IPSs are software (e.g. those from Computer Associates, McAfee, Snort) that you run on your own servers (which may be Windows- and/or Linux-based), while others are dedicated appliances (including SonicWALL, McAfee, Juniper and Cisco). Your company may have a policy that limits you to one type or the other. To be frank, in many cases IDS and IPS are the same piece of kit that's just been re-categorised by the vendors - protection seems an awful lot more marketable than just detection (especially if a detection system just writes an alert to a log file that you only get a chance to look at once a week).
Current thread:
- IPS comparison Rubayat . Zahir (Sep 01)
- <Possible follow-ups>
- RE: IPS comparison Joseph Hamm (Sep 02)
- RE: IPS comparison James Williams (Sep 02)
- RE: IPS comparison Zahir, Rubayat (Sep 02)
- Re: IPS comparison Frank Knobbe (Sep 05)
- Re: IPS comparison Adam Powers (Sep 07)
- Re: IPS comparison Sanjay Rawat (Sep 08)
- Re: IPS comparison Frank Knobbe (Sep 09)
- Re: IPS comparison Sanjay Rawat (Sep 12)
- MIT Darpa Dataset, Wilmar SULAIMAN (Sep 19)
- Re: MIT Darpa Dataset, Sanjay Rawat (Sep 21)
- RE: IPS comparison Seek Knowledge (Sep 07)
- RE: IPS comparison Frank Knobbe (Sep 08)