IDS mailing list archives

Re: IDS vs. IPS deployment feedback


From: Stefano Zanero <zanero () elet polimi it>
Date: Thu, 23 Mar 2006 21:47:20 +0100

Andrew Plato wrote:

> IPS is far from immature. The first in-line IPS was BlackICE Guard. I
> installed one of the first in late 1999.

The first IDS paper dates to the 80s. Still, I would not say IDS, or
IPS, are a mature technology. It's not a point of being old - it's a
point of being EFFECTIVE.

> A well-tuned IPS can be pretty lean on
> false positives.

Standard considerations apply, as for IDS

> a few POSSIBLE disruptions
> due to false positives, or getting hacked and 0wn3d and losing your
> business.

You are implying that the likelihood of the IPS stopping a nasty attack
is way above the likelihood of false positives. This is exactly what
you're trying to prove ;)

> Firewalls are not IPSs.

I see less and less difference between the two.

> IDS may not be dead, but its value is diminishing.

IPS is just the reactive sort of IDS, so the debate on IDS vs. IPS is
not very interesting...

> Moreover, the value of an IDS diminishes even more if you lack in-house
> analytical capabilities.

If you don't have those capabilities, how are you going to set up an IPS,
exactly?

> These are, of course, my opinions. And naturally, I have a vested
> interest in people buying more IPSs - because I sell them.

I don't :)

Stefano

