Information Security News mailing list archives
Re: Recent Gartner Report on IDS/IPS
From: InfoSec News <isn () c4i org>
Date: Tue, 17 Jun 2003 02:08:27 -0500 (CDT)
Forwarded from: Russell Coker <russell () coker com au>

Gary's posting had many good points, however there is one issue that I query:
> An IPS, being in-line, does not have the indulgence of being able to be
> highly sensitive to everything an IDS can. Since it is making the decision
> to pass or not pass traffic, it has no room for misjudgment. As such, that
> places a severe limitation on its ability to find things off-line analysis
> offers. In addition, analysis is limited to what can be accomplished in
> fractions of a second. There is no opportunity for *real* analysis and
> correlation.
Why can't an IPS be configured to log certain operations instead of denying them? Surely any good security tool should have the following options:

1) Quietly deny (routine errors such as unwanted SMB broadcasts and attacks that are much too popular such as that SQL Server worm).
2) Deny and log (things that we don't want and don't expect to happen often or which we want to respond to).
3) Allow (regular traffic).
4) Allow and log (traffic that we are unsure about but are forced to permit, and traffic that is routine but which is significant for auditing).

As far as I am aware all firewalls have all four options, and I would expect all IPS systems to have them too. Of course some products may fall short of my expectations, but that is only a problem with the implementations in question, not with the concept.

Can't we think of an IPS as just an IDS with the option of blocking? Therefore if you configure the IPS for options 3 and 4 only then it will be an IDS.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
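The four-verdict policy Russell describes (quietly deny, deny and log, allow, allow and log) and his point that an IPS restricted to the two allow verdicts is just an IDS can be shown in a few lines. The following is an added example, not code from the thread or from any product: a toy in-line policy engine with first-match rules and an `ids_mode` switch that turns every deny into its allow counterpart while keeping the logging decision. The rule set, packets and port choices (UDP/138 for NetBIOS datagram broadcasts, UDP/1434 for the SQL Server resolution service the 2003 worm targeted) are constructed for illustration. Snort's inline rule actions map onto the same four cases (`sdrop`, `drop`, `pass`, `alert`/`log`), which is the mapping the code mirrors.

```python
"""Toy in-line policy engine with the four verdicts from the post.

Constructed example: rules, ports and packets are illustrative only.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    DENY = "deny"            # 1) quietly deny: block, no record
    DENY_LOG = "deny+log"    # 2) deny and log
    ALLOW = "allow"          # 3) allow silently
    ALLOW_LOG = "allow+log"  # 4) allow but record for audit/analysis


# Each deny verdict has an allow twin with the same logging behaviour.
IDS_EQUIVALENT = {Action.DENY: Action.ALLOW, Action.DENY_LOG: Action.ALLOW_LOG}


@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    action: Action
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    pattern: Optional[bytes] = None  # substring that must appear in payload

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.pattern is None or self.pattern in pkt.payload))


@dataclass
class Engine:
    rules: List[Rule]
    ids_mode: bool = False          # True: observe only, never block
    log: List[Tuple[str, str, str, int]] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded; append to log when the
        verdict is a logging one (options 2 and 4)."""
        name, action = "default", Action.ALLOW   # constructed default policy
        for rule in self.rules:                   # first match wins
            if rule.matches(pkt):
                name, action = rule.name, rule.action
                break
        if self.ids_mode:
            # Options 3 and 4 only: a deny becomes the matching allow verdict,
            # so the sensor still records what it would have blocked.
            action = IDS_EQUIVALENT.get(action, action)
        if action in (Action.DENY_LOG, Action.ALLOW_LOG):
            self.log.append((name, action.value, pkt.proto, pkt.dport))
        return action in (Action.ALLOW, Action.ALLOW_LOG)


def build_engine(ids_mode: bool = False) -> Engine:
    """Constructed rule set following the four categories in the post."""
    return Engine(rules=[
        Rule("smb-broadcast", Action.DENY, proto="udp", dport=138),
        Rule("sql-worm", Action.DENY, proto="udp", dport=1434),
        Rule("telnet", Action.DENY_LOG, proto="tcp", dport=23),
        Rule("cgi-probe", Action.ALLOW_LOG, proto="tcp", dport=80,
             pattern=b"/cgi-bin/"),
        Rule("web", Action.ALLOW, proto="tcp", dport=80),
        Rule("ssh-audit", Action.ALLOW_LOG, proto="tcp", dport=22),
    ], ids_mode=ids_mode)


def run(ids_mode: bool = False):
    """Feed a constructed traffic sample through the engine."""
    eng = build_engine(ids_mode)
    sample = [
        Packet("udp", 1434, b"\x04" + b"A" * 40),          # worm-like noise
        Packet("tcp", 23, b"login: "),                      # unwanted telnet
        Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\n"),  # routine web
        Packet("tcp", 80, b"GET /cgi-bin/test HTTP/1.0\r\n"),  # suspicious
        Packet("tcp", 22, b"SSH-2.0-OpenSSH"),              # audited admin
    ]
    verdicts = [eng.evaluate(p) for p in sample]
    return verdicts, eng.log


if __name__ == "__main__":
    for mode in (False, True):
        v, log = run(mode)
        print("ids_mode" if mode else "ips_mode", v)
        for entry in log:
            print("  log:", entry)
```

In IPS mode the worm packet is dropped without a log entry (option 1, keeping the popular noise out of the analyst's queue), telnet is dropped and logged, and the two allow-and-log rules produce records while the plain web request is passed silently. Flipping `ids_mode` changes only the forwarding decision: the same two logging rules fire, and the quiet-deny rules stay quiet, which is exactly the "options 3 and 4 only" configuration the post argues makes an IPS behave as an IDS.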
Current thread:
- Recent Gartner Report on IDS/IPS InfoSec News (Jun 16)
- <Possible follow-ups>
- Re: Recent Gartner Report on IDS/IPS InfoSec News (Jun 17)
- Re: Recent Gartner Report on IDS/IPS InfoSec News (Jun 17)