IDS mailing list archives
Re: IDS vs. IPS deployment feedback
From: Stefano Zanero <zanero () elet polimi it>
Date: Thu, 13 Apr 2006 19:27:51 +0200
Andrew Plato wrote:
> experience. Dropped packets happen when people try to ram 1000mbps through an IPS rated at 200Mbps.
Really? And how is the thing "rated" in the first place? Throughput depends on service time. Service time in a router is of very limited variability, in a firewall it may vary, in a complex thing such as an IDS/IPS it varies wildly, depending on the traffic mix. So, you should specify WHAT TRAFFIC the IPS is being validated and measured on. Something that most companies won't do.
> They simply do not have the time or resources to baby an IDS and perform intricate security analysis.
And so they have the resources to put in-line an unknown device which needs tuning and which could cut off, accidentally, customers from revenue-generating services?
> And complex IDSs that generate 10000s of alerts and stop nothing are quickly ignored when the staff gets busy.
Instead, when each of those false alerts turns into a lost customer, no one complains. That's right :)
> This is just false. Firewalls and IPS assume much different things. A firewall is a static set of rules that say what is allowed and what is not allowed. That's it.
A misuse-based IPS is exactly the same thing. There's actually no difference.
> An IPS, on the other hand, lets everything through unless it does something that it knows is bad.
Aha! GREEEEEEEEEAT IDEA! One of the BESTEST in computer security! BLACKLISTING! Slide 1 of "Perimeter security 101" course: always begin from default deny and WHITELIST. Look it up in the CISSP books, Andrew, it's in there somewhere, I'm sure :)
> That is exactly what an IPS does. It can look at a stream and say: "it's HIGHLY unlikely that this gargantuan binary package in the middle of an ISAPI call is normal, so I am going to block it."
This is what a good anomaly-based, intelligent IPS would do. Unfortunately, there's a shortage of good anomaly-based IPS products out there :)

Stefano
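The kind of anomaly-based check Stefano alludes to (a request body far larger than what is normal for that ISAPI call), as an added example that is not part of the thread or of any product: it learns a per-path baseline of body sizes from constructed training traffic and flags outliers. The paths, sizes, and the mean-plus-k-sigma rule with a floor are all constructed assumptions.

```python
# Added example, not from the thread: a minimal anomaly-based detector that
# learns normal request-body sizes per URI path and flags requests whose body
# is far outside that baseline. All paths and sizes are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class PathProfile:
    sizes: list = field(default_factory=list)

    def threshold(self, k: float = 4.0, floor: int = 512) -> float:
        # mean + k standard deviations, with a floor so a small, uniform
        # training set does not produce a zero-width "normal" band
        if len(self.sizes) < 2:
            return float("inf")  # too little data to judge: never flag
        return mean(self.sizes) + max(k * pstdev(self.sizes), floor)


class BodySizeAnomalyDetector:
    def __init__(self, k: float = 4.0):
        self.k = k
        self.profiles = defaultdict(PathProfile)

    def train(self, requests):
        for path, body_len in requests:
            self.profiles[path].sizes.append(body_len)

    def is_anomalous(self, path: str, body_len: int) -> bool:
        # Unknown paths have no baseline; report them so the operator extends
        # the whitelist deliberately instead of silently allowing them
        if path not in self.profiles:
            return True
        return body_len > self.profiles[path].threshold(self.k)


# Constructed "normal" traffic: (ISAPI extension path, request body length in bytes)
TRAINING = [("/search.dll", n) for n in (80, 95, 110, 120, 130, 140, 150)] + \
           [("/upload.dll", n) for n in (40000, 52000, 61000, 75000)]


def demo():
    det = BodySizeAnomalyDetector()
    det.train(TRAINING)
    return {
        "normal_search": det.is_anomalous("/search.dll", 125),   # False
        "huge_search": det.is_anomalous("/search.dll", 60000),   # True
        "big_upload": det.is_anomalous("/upload.dll", 70000),    # False
        "unknown_path": det.is_anomalous("/admin.dll", 10),      # True
    }


if __name__ == "__main__":
    print(demo())
```

Note that the same 60000-byte body is normal on /upload.dll and anomalous on /search.dll, which is exactly the per-context judgement a static blacklist signature cannot express.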
Current thread:
- RE: IDS vs. IPS deployment feedback Devdas Bhagat (Apr 03)
- <Possible follow-ups>
- Re: IDS vs. IPS deployment feedback Will Metcalf (Apr 05)
- Re: IDS vs. IPS deployment feedback Jean-Philippe Luiggi (Apr 10)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 06)
- Re: IDS vs. IPS deployment feedback Will Metcalf (Apr 06)
- Re: IDS vs. IPS deployment feedback Stefano Zanero (Apr 15)
- RE: IDS vs. IPS deployment feedback Basgen, Brian (Apr 07)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 10)
- RE: IDS vs. IPS deployment feedback Alan Shimel (Apr 10)
- Re: IDS vs. IPS deployment feedback Eric Hines (Apr 13)
- RE: IDS vs. IPS deployment feedback Alan Shimel (Apr 10)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 10)
- Re: IDS vs. IPS deployment feedback Richard Bejtlich (Apr 10)
- Re: IDS vs. IPS deployment feedback Paul Schmehl (Apr 11)
- Re: IDS vs. IPS deployment feedback Aaron (Apr 15)
- Re: IDS vs. IPS deployment feedback Stefano Zanero (Apr 17)
- Re: IDS vs. IPS deployment feedback Thomas Choi (Apr 18)