IDS mailing list archives
Re: ROI on IDS/IPS products
From: Stefano Zanero <s.zanero () securenetwork it>
Date: Mon, 02 Mar 2009 20:21:39 +0100
Jeremy Bennett wrote:
> This is a problem with the products, not the customers. The problem being that there is still too much IDS thinking inside the IPS.

Funny, since an IPS is nothing more than an IDS that can drop traffic ;-) Yes, I'm being humorous here, but really there is not that much difference between the two things, except for the marketing and the extremely different defensive posture: an IDS hunts for higher detection rates even at the cost of some false positives, whereas an IPS aims at extremely low false positive rates. However:

> So, I *should* be able to purchase an IPS, read the manual, configure it according to my own risk profile, and then leave it alone. High-risk activity should be blocked. Benign traffic should be let through.

And then villains should be brought to justice, and the greater good should prevail. However, getting back to the real world, it doesn't work. You cannot configure "your risk profile" because there's no way on Earth to express that sensibly in a single clicky and yummy web interface. You can configure the system, activating and deactivating specific signatures, and - sorry - you WILL need to know damn well what you are doing. It is not just a problem with the products (and boy, they are faulty), it IS a problem with the customers. A huge one.

> Questionable traffic should be logged for later policy reviews.

What would "questionable" mean?

> If I do not have the ability to continuously monitor the device then I should not have to do that. The device should regularly download updates and apply them based on my configuration.

Pray tell, how, exactly? I think it's high time to stop thinking that somehow an "expensive enough" box will be able to do our homework for us. An IPS is a tool for applying specific signatures to traffic and blocking specific forms of attack. Relating that to policies and weighing risks is a job for a human, and a skilled one, not for an algorithm.

SZ
Current thread:
- Re: ROI on IDS/IPS products Ray (Mar 02)
- RE: Re: ROI on IDS/IPS products Brandon Louder (Mar 02)
- Re: Re: ROI on IDS/IPS products Ray (Mar 03)
- <Possible follow-ups>
- Re: ROI on IDS/IPS products Frank Knobbe (Mar 02)
- Re: ROI on IDS/IPS products Jeremy Bennett (Mar 02)
- Re: ROI on IDS/IPS products Stefano Zanero (Mar 02)
- Re: ROI on IDS/IPS products Jeremy Bennett (Mar 02)
- Message not available
- Re: ROI on IDS/IPS products Jeremy Bennett (Mar 03)
- Re: ROI on IDS/IPS products Scott (Mar 03)
- Re: ROI on IDS/IPS products Stefano Zanero (Mar 06)
- Re: ROI on IDS/IPS products Jeremy Bennett (Mar 02)
- Re: ROI on IDS/IPS products Webmaster 003 (Mar 03)
- Re: ROI on IDS/IPS products Joel M Snyder (Mar 03)
- Re: ROI on IDS/IPS products Joel Jaeggli (Mar 05)
- Re: ROI on IDS/IPS products Webmaster 003 (Mar 05)
- Re: ROI on IDS/IPS products Joel M Snyder (Mar 05)
- Re: ROI on IDS/IPS products Ravi Chunduru (Mar 06)
- RE: Re: ROI on IDS/IPS products Brandon Louder (Mar 02)