IDS mailing list archives
RE: IDS vs. IPS deployment feedback
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Tue, 21 Mar 2006 20:40:19 -0800
> Much of the rhetoric and push for deploying IPS devices that are available seems to come from Marketing and Sales people, not Security professionals. Which is why I am reaching out to you, your experiences and your thoughts surrounding this issue.
Well, I am a security professional, and I am very much sold on IPS. I can answer some of your issues:

1. Immature Technology

IPS is far from immature. The first in-line IPS was BlackICE Guard. I installed one of the first in late 1999. And all of the decent IPSs on the market have roots in IDS, which is many years older. IPS is at least 7 years old and at best 10 or more. In technology terms, that's mature. Consider anti-spam technologies. They basically did not exist in 1999. Now, everybody has some kind of spam control. Is anti-spam a mature technology?

2. False Positives

This is ultimately an issue of tuning. If you think you're going to drop an IPS inline, slap some rules on it, and never touch it again - you shouldn't be getting an IPS. A well-tuned IPS can be pretty lean on false positives. And frankly, what is worse - a few POSSIBLE disruptions due to false positives, or getting hacked and 0wn3d and losing your business?

Moreover, IPS can dramatically reduce the number of events that require incident response. With an IPS, when you see a really nasty alert, you can take note and move along, because you know the IPS blocked it. This allows you the freedom to analyze more subtle attacks or problems.

Also, I think the DOS angle is WAY overhyped. It's frankly a weak excuse. If you consider that almost every switch and router on the market has plenty of DOS weaknesses, then an IPS really isn't much different. The DOS fears also stem from the idea that somebody could feed your IPS internal addresses and hence block normal traffic. Even with the most rudimentary router ACLs you can ensure this never happens.

3. Firewalls

Firewalls are not IPSs. All the firewall vendors, especially the big ones, are clamoring all over themselves to repaint themselves as "security appliances." Even application firewalls, of which there are few, rarely are good at true IPS functions. The fact is, firewalls are good at one thing - access control. Detailed protocol analysis and filtering is not what most firewalls were built to do. And any firewall that has added this feature has done so merely to be competitive in the market. I cannot think of any firewalls that were built from the ground up to be both a good firewall and a good IPS. Firewalls should be left to do what firewalls do best - access control. Leave the packet inspection to a dedicated system.

IDS Dead?

IDS may not be dead, but its value is diminishing. While there is a place for IDS in some environments, I fail to see why anybody would get a passive defense when active defenses can be deployed to function in a passive manner. An active system that is deployed passively at least gives you the option to switch to active mode later. Moreover, the value of an IDS diminishes even more if you lack in-house analytical capabilities. The unexamined IDS is not worth having, to paraphrase good old Socrates.

These are, of course, my opinions. And naturally, I have a vested interest in people buying more IPSs - because I sell them.

_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
Your Expert Partner for Security & Networking
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm

-----Original Message-----
From: watsont [mailto:thomas.watson.b () bayer com]
Sent: Thursday, March 16, 2006 11:56 AM
To: focus-ids () securityfocus com
Subject: IDS vs. IPS deployment feedback
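The router-ACL point in the DOS paragraph above, as an added example that is not part of Plato's post or any vendor's code: a small Python model of an ingress anti-spoofing filter sitting in front of an auto-blocking IPS, plus a never-block list so the IPS cannot shun critical addresses even when a packet gets through. The network ranges, addresses and the "malicious" flag are all constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology: internal ranges the router must never see as a WAN source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Constructed list of addresses the IPS may alert on but must never auto-block
# (default gateway, upstream router, DNS, etc.).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.1/32", "203.0.113.1/32")]

@dataclass
class Packet:
    iface: str       # interface the packet arrived on: "wan" or "lan"
    src: str         # claimed source address
    malicious: bool  # constructed stand-in for "matched an IPS signature"

def ingress_acl(pkt):
    """Router ACL: drop anything arriving on the WAN side that claims an internal source."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan" and any(src in net for net in INTERNAL_NETS):
        return False
    return True

@dataclass
class Ips:
    blocked: set = field(default_factory=set)

    def inspect(self, pkt):
        """Shun the source of a malicious packet unless it is on the protected list."""
        src = ipaddress.ip_address(pkt.src)
        if not pkt.malicious:
            return "pass"
        if any(src in net for net in NEVER_BLOCK):
            return "alert-only"  # log it, never add a protected address to the shun list
        self.blocked.add(pkt.src)
        return "blocked"

def run(packets):
    """Push packets through ACL then IPS; return per-packet verdicts and the shun list."""
    ips, results = Ips(), []
    for pkt in packets:
        if not ingress_acl(pkt):
            results.append((pkt.src, "acl-drop"))
            continue
        results.append((pkt.src, ips.inspect(pkt)))
    return results, sorted(ips.blocked)

SAMPLE = [  # constructed traffic
    Packet("wan", "198.51.100.7", True),   # real external attacker: IPS shuns it
    Packet("wan", "192.168.1.20", True),   # spoofed internal source: ACL drops it first
    Packet("wan", "203.0.113.1", True),    # spoofed upstream router: alert, never block
    Packet("lan", "192.168.1.20", False),  # ordinary internal traffic keeps flowing
]

if __name__ == "__main__":
    for src, verdict in run(SAMPLE)[0]:
        print(src, verdict)
```

Without the ACL, the second packet would reach the IPS and put 192.168.1.20 on the shun list, which is exactly the self-inflicted outage the post says rudimentary ingress filtering prevents.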