Snort mailing list archives
Re: Re: [Snort-devel] IDS vs IPS
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 01 Sep 2003 11:36:58 -0500
I'll cut down to the gist of it...

On Sun, 2003-08-31 at 10:32, Mark Teicher wrote:

> Jeff said: As it relates to computer networks, IPS would have to be gateway intrusion detection (aka in-line intrusion detection). Indeed, if a firewall vendor thinks they're moving into this space I'd love to hear about their design and implementation. Also, if a company is moving into this space exclusively I'd love to hear about their technology.
>
> Mark said: Another inline device. Jeff, are you stating that an enterprise organization should trust an IPS vendor by allowing them to put their hardware/software inline with their network connectivity, be it external or internal??

I think this is a good example for the reason this discussion is going nowhere. We should be debating what an IPS is from a technical perspective. Instead we argue if they are good or bad, and how good, how bad. We should leave personal opinion and qualitative statements out of the discussion and focus on the definition.

Now we all agree that certain implementations are flawed while others show promise. We understand that putting too much faith into a product that sits inline, is a choke point, may not be a good idea. Others may argue that firewalls do that so it's okay. Let's not get hung up on those issues. Let's get back to the definition.

We also acknowledge that Intrusion Prevention System is mostly a marketing term. Before the Prevention buzzword was thrown in, these things were called Gateway IDS for lack of a better word. Today Intrusion Prevention Systems include a wider variety than just GIDS. HIPS comes to mind, so I guess we would have to dissect what a HIPS (Host IPS) is and what qualifies to deserve that name.

Theoretically *any* countermeasure could be called a Prevention system. A hardened OS prevents intrusions. Are the Bastille scripts an IPS? Is SecureIIS or similar wrappers an IPS?

Perhaps by discussing this down the right path we can show reasonably well that the term is flawed, and perhaps through a collaborative paper on the term of IPS we can convince the users/admins/buyers as well as the vendors/market/industry to abandon use of that name...... Yeah, a pipe dream.... but worth trying? If not, we don't even need to argue here. Let's give our discussion a purpose or let it die.

Cheers,
Frank