Information Security News mailing list archives

Re: Recent Gartner Report on IDS/IPS


From: InfoSec News <isn () c4i org>
Date: Tue, 17 Jun 2003 02:08:27 -0500 (CDT)

Forwarded from: Russell Coker <russell () coker com au>

Gary's posting had many good points; however, there is one issue that I query:

An IPS, being in-line, does not have the indulgence of being able to
be highly sensitive to everything an IDS can. Since it is making the
decision to pass or not pass traffic, it has no room for
misjudgment. As such, that places a severe limitation on its
ability to find things off-line analysis offers. In addition,
analysis is limited to what can be accomplished in fractions of a
second. There is no opportunity for *real* analysis and correlation.

Why can't an IPS be configured to log certain operations instead of denying 
them?  Surely any good security tool should have the following options:

1)  Quietly deny (routine errors such as unwanted SMB broadcasts and attacks 
    that are much too popular such as that SQL Server worm).

2)  Deny and log (things that we don't want and don't expect to happen often 
    or which we want to respond to).

3)  Allow (regular traffic).

4)  Allow and log (traffic that we are unsure about but are forced to 
    permit, and traffic that is routine but which is significant for auditing).

As far as I am aware all firewalls have all four options, and I would
expect all IPS systems to have them too.  Of course some products may
fall short of my expectations, but that is only a problem with the
implementations in question not with the concept.

Can't we think of an IPS as just an IDS with the option of blocking?  
Therefore if you configure the IPS for options 3 and 4 only then it
will be an IDS.


-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
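The four rule actions in Russell's list, and his closing point that an IPS restricted to options 3 and 4 behaves as an IDS, can be made concrete with a small first-match policy engine. The following is an added example and not code from the post or from any IDS/IPS product; the rule names, the sample packets, the "sql-resolution" rule that matches only on udp/1434 (a real rule would also inspect the payload), and the assumed downgrade mapping used by `detect_only` (deny becomes allow, deny+log becomes allow+log) are all constructed for illustration.

```python
# Added example: a toy inline policy engine modelling the four rule actions
# (quietly deny, deny+log, allow, allow+log) and a detect-only rewrite that
# keeps only the two allow actions. Rule names, sample traffic and the
# downgrade mapping are constructed for illustration, not from any product.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class Action(Enum):
    DENY = "deny"            # 1) quietly deny: drop, no log line
    DENY_LOG = "deny+log"    # 2) deny and log
    ALLOW = "allow"          # 3) allow
    ALLOW_LOG = "allow+log"  # 4) allow and log


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: Action


@dataclass
class Engine:
    rules: List[Rule]
    default: Action = Action.DENY_LOG  # default-deny with a log line
    log: List[str] = field(default_factory=list)

    def decide(self, pkt: Packet) -> Tuple[str, Action]:
        """First-match evaluation, falling through to the default action."""
        for rule in self.rules:
            if rule.match(pkt):
                return rule.name, rule.action
        return "default", self.default

    def process(self, pkt: Packet) -> bool:
        """Apply the policy to one packet. Returns True if it is forwarded."""
        name, action = self.decide(pkt)
        if action in (Action.DENY_LOG, Action.ALLOW_LOG):
            self.log.append(
                f"{action.value} rule={name} {pkt.proto}/{pkt.dport} "
                f"{pkt.src}->{pkt.dst}"
            )
        return action in (Action.ALLOW, Action.ALLOW_LOG)


def detect_only(eng: Engine) -> Engine:
    """Rewrite an engine to options 3 and 4 only, i.e. the IDS configuration.
    Assumed mapping: deny -> allow (stays quiet), deny+log -> allow+log."""
    downgrade = {Action.DENY: Action.ALLOW, Action.DENY_LOG: Action.ALLOW_LOG}
    rules = [Rule(r.name, r.match, downgrade.get(r.action, r.action))
             for r in eng.rules]
    return Engine(rules, default=downgrade.get(eng.default, eng.default))


# Constructed ruleset mirroring the four cases in the post.
RULES = [
    Rule("smb-broadcast",
         lambda p: p.proto == "udp" and p.dport in (137, 138)
         and p.dst.endswith(".255"), Action.DENY),
    Rule("sql-resolution",  # stand-in for a worm signature; port match only
         lambda p: p.proto == "udp" and p.dport == 1434, Action.DENY_LOG),
    Rule("web", lambda p: p.proto == "tcp" and p.dport == 80, Action.ALLOW),
    Rule("ssh-from-untrusted",
         lambda p: p.proto == "tcp" and p.dport == 22, Action.ALLOW_LOG),
]

# Constructed sample traffic (one packet per case, plus one unmatched).
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.255", "udp", 138),      # 1) quietly dropped
    Packet("198.51.100.9", "10.0.0.20", "udp", 1434),  # 2) dropped and logged
    Packet("192.0.2.7", "10.0.0.20", "tcp", 80),       # 3) allowed
    Packet("203.0.113.4", "10.0.0.20", "tcp", 22),     # 4) allowed and logged
    Packet("203.0.113.4", "10.0.0.20", "tcp", 23),     # no match -> default
]


def run(eng: Engine, traffic: List[Packet]) -> Tuple[List[bool], List[str]]:
    """Push the sample traffic through an engine; return verdicts and log."""
    return [eng.process(p) for p in traffic], eng.log


if __name__ == "__main__":
    for label, eng in (("IPS", Engine(RULES)), ("IDS", detect_only(Engine(RULES)))):
        verdicts, log = run(eng, TRAFFIC)
        print(f"{label} forwarded: {verdicts}")
        print("\n".join(log))
```

Running it shows the same ruleset producing the same three log lines in both modes; the only difference is that the inline engine drops packets 1, 2 and 5 while the detect-only engine forwards everything, which is the equivalence the post argues for.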



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

