IDS mailing list archives
Re: RE: IDS vs. IPS deployment feedback
From: xris375 () gmail com
Date: 23 Mar 2006 19:51:40 -0000
>> 1. Immature Technology
>> IPS is far from immature. (snip)
It's more to technology maturity than just time. It must have been in use as well :) And it hasn't really been used afaik on a larger scale for the last two years or so.
>> 2. False Positives
>> This is ultimately an issue of tuning. (snip)
As far as I am concerned there isn't much difference between IDS and IPS in the number of false positives.
>> If you think you're going to drop an IPS inline, slap some rules on it, and never touch it again - you shouldn't be getting an IPS. (snip)
Or an IDS for that matter...
>> And frankly, what is worse - a few POSSIBLE disruptions due to false positives, or getting hacked and 0wn3d and losing your business.
I for one worry more about downtime than getting hacked. If I am well organised, patched and secured in depth, the possibility for getting hacked is very low. A 'leet hacker would probably operate under an IPS/IDS detection range anyway.
>> With an IPS, when you see a really nasty alert, you can take note and move along, because you know the IPS blocked it.
BEFORE you add a rule to your IPS/IDS you patch for the vulnerability it detects and/or make sure it doesn't pass your firewall. Then you don't need any IPS to block it.
>> Also, I think the DOS angle is WAY overhyped. It's frankly a weak excuse.
By adding IPS, you open up for DoS attacks that were not there before. Why increase risk when you really do not have to? Imho it is IPS that is WAY overhyped :)
>> IDS Dead?
>> IDS may not be dead, but its value is diminishing.
IDS may be passive but a security analyst who knows his job is not. In fact by placing an IPS in your network you might even introduce a false sense of security into your organisation. "Oh, I thought the IPS was supposed to block that"
>> The unexamined IDS is not worth having, to paraphrase good old Socrates.
But the unexamined IPS is ???!
>> These are, of course, my opinions. And naturally, I have a vested interest in people buying more IPSs - because I sell them.
I rest my case :)