funsec mailing list archives

RE: so, is I[dp]S a STUPID technology?


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Tue, 11 Oct 2005 18:35:31 -0400


> Routers and switches, when configured correctly, are generally more
> resilient to DDoS than devices which maintain lots of state, like
> inline IDS and firewalls.  Inline IDS and firewalls are not generally
> good tools to rely upon for DDoS mitigation; RTBH, purpose-built
> boxes, and even reaction ACLs are generally better choices.

I'm not sure what you mean by purpose-built boxes (DoS mitigation
boxes perhaps?)... but I do detect the Cisco talk in your reply :-)
It's definitely a good idea to use all available technologies.
Sometimes you have more, sometimes you have less at your disposal.
That needs to be taken into consideration as well. If you are
a service provider you can use the "defending network" approach,
but if you are a small business then you don't have much reach
into the overall networking infrastructure...

Just so it's clear, I'm not at all saying that IDS-based IPS 
solutions can do a good job at dealing with DoS attacks. 
The IPS solutions need to be designed specifically for 
dealing with (D)DoS flood attacks. 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
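The quoted reply names RTBH (remotely triggered black hole routing) as the stateless alternative to pushing flood traffic through a firewall or inline IPS. The fragment below is an added, editor-written illustration of that technique in Cisco IOS style, not configuration from either poster; the AS number, the neighbour address, the route tag, and the RFC 5737 documentation prefixes are all assumed placeholders.

```cisco
! --- Trigger router ---
! Discard route for the well-known "blackhole" next-hop. Every edge
! router in the AS must carry the same Null0 route for this address.
ip route 192.0.2.1 255.255.255.255 Null0
!
! To black-hole a victim host under flood, install a tagged /32.
! The tag (666 here, arbitrary) is what the route-map matches on.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
! Rewrite tagged statics so that edge routers resolve the victim
! prefix onto the discard next-hop; no-export keeps it inside the AS.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
 set origin igp
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
!
! --- Each edge router ---
! Only the discard route is needed; the BGP update from the trigger
! does the rest, so packets to 203.0.113.10 are dropped in the
! forwarding plane at ingress instead of consuming state downstream.
ip route 192.0.2.1 255.255.255.255 Null0
```

Removing the tagged static on the trigger withdraws the prefix and restores normal forwarding; the cost of this approach is that the victim address is unreachable for everyone while the route is in place.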
