Snort mailing list archives

FW: tippingpoint


From: "Geoff Poer" <gpoer () arizona edu>
Date: Mon, 20 Oct 2003 01:05:33 -0700


Ok... let's break it down some more!

> So we start out with a marketing guy from Dell trying to sell
> something.

Not really anything strange there :)

> This post was quickly responded to in a manner that suggests we really
> have a new buzz-word -- IPS (Intrusion Prevention System) -- that will
> imminently replace IDSs (Intrusion Detection System):

If you are responding to *MY* postings with the intentions of providing
proof that IDS is not dying you can save your keyboard the furiousness
of your poundings. While that has been a topic of conversation, IDS is
an analysis tool that will not be "replaced" by IPS... it will be
feeding IPS.
Even the sales guys from TippingPoint will tell you that... they are
relying on IDS to do the harder work and correlation that they cannot
do.

> "..talking about how useless IDS are.."
>
> Yeah. Right. That's why there's so many in use in production
> environments right now.

I am not saying (and I don't believe anyone else is either) that IDS is
useless. However, the statements that articles are being published that
do hold that sentiment are not incorrect. 

> *My* point was addressed to the details of this Brave New Tool(tm) --
> the IDS -- as it was presented here:
>
> So we have presented to us these IPS strong points:
>
> 1) implement signatures with a low false positive rate
Yup... If you do that on your IDS you are missing a lot of good
information. If you do not have the resources or the knowledge level
(which most people on this list have) to look at every alert, then you
can dump the noisy signatures; however, you can NOT do that on your IPS
or it will die.

> 2) detect ancient, well-known signatures
The example I gave was an "ancient" signature. However, the signatures
that we run on the box apply to much more recent attacks and
vulnerabilities. 

> And I ask: this makes an IPS better or different than an IDS (aka:
> snort) how?
Not better... different.

> By doing something different *after* the packet is identified as
> malicious?
>
> uh... OK.
Actually, YES! That is exactly the difference. No active response
measure (that I know of) will keep the offending packet from getting to
the destination. An IPS will.

> My real point, perhaps not quickly stated, is that any tool needs to
> be used with great thought, study, and understanding, and not just
> because some marketdroid is trying to sell it, nor because it's
> getting a lot of write-ups in the press.
And finally we agree on something :) 

> Remember: defense in depth, not defense by marketing.
Yes, and an IPS is a great tool to add to that philosophy. Don't replace
IDS, just add another layer.

Geoff
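The two points Geoff makes above (a passive sensor on a tap cannot stop a packet that has already been forwarded, and an inline sensor must only drop on low-false-positive signatures or it takes legitimate traffic down with it) can be shown with a small model. This is an added illustration, not code from the post, the list, or the Snort project; the rules, packets and the "low_false_positive" flag are constructed for the example and are not real Snort signatures.

```python
"""Passive IDS vs inline IPS: a toy model of where each sits in the packet path
and of why an inline sensor should only drop on high-confidence signatures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    pattern: bytes            # payload substring the rule matches on
    low_false_positive: bool  # True: safe to block on; False: noisy/heuristic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed sample ruleset (hypothetical, not real Snort signatures).
RULES = [
    Rule(1000001, "EXPLOIT known-bad request (high confidence)", b"EXPLOIT-MARKER", True),
    Rule(1000002, "POLICY suspicious keyword (noisy heuristic)", b"admin", False),
]

# Constructed sample traffic: one benign page, one known-bad request, and one
# legitimate admin page that trips the noisy heuristic rule.
SAMPLE_STREAM = [
    Packet("10.0.0.5", "192.0.2.10", b"GET /index.html"),
    Packet("10.0.0.6", "192.0.2.10", b"GET /cgi-bin/x?EXPLOIT-MARKER"),
    Packet("10.0.0.7", "192.0.2.10", b"GET /admin/status"),
]


def matching_rules(pkt, rules):
    """Return every rule whose pattern appears in the packet payload."""
    return [r for r in rules if r.pattern in pkt.payload]


def passive_ids(stream, rules):
    """Sensor on a tap/SPAN port: it analyses a copy, so every packet is
    delivered no matter what it alerts on. Returns (delivered, alerts)."""
    delivered, alerts = [], []
    for pkt in stream:
        alerts.extend((r.sid, pkt.src) for r in matching_rules(pkt, rules))
        delivered.append(pkt)  # the original already left for its destination
    return delivered, alerts


def inline_ips(stream, rules, drop_noisy=False):
    """Sensor in the forwarding path: it can drop. By default only rules marked
    low_false_positive are set to drop; with drop_noisy=True every match drops,
    which is the "dump everything into the IPS and it will die" configuration.
    Returns (delivered, alerts, dropped)."""
    delivered, alerts, dropped = [], [], []
    for pkt in stream:
        hits = matching_rules(pkt, rules)
        alerts.extend((r.sid, pkt.src) for r in hits)
        if any(r.low_false_positive or drop_noisy for r in hits):
            dropped.append(pkt)
        else:
            delivered.append(pkt)
    return delivered, alerts, dropped


def compare(stream=SAMPLE_STREAM, rules=RULES):
    """Run the same stream through a passive IDS, a well-tuned inline IPS, and
    an inline IPS that drops on noisy rules too, and summarise the outcome."""
    ids_delivered, ids_alerts = passive_ids(stream, rules)
    ips_delivered, ips_alerts, ips_dropped = inline_ips(stream, rules)
    bad_delivered, _, bad_dropped = inline_ips(stream, rules, drop_noisy=True)
    return {
        "ids_delivered": len(ids_delivered),            # 3: IDS never blocks
        "ids_alerts": sorted(sid for sid, _ in ids_alerts),
        "ips_delivered": len(ips_delivered),            # 2: only the exploit is dropped
        "ips_alerts": sorted(sid for sid, _ in ips_alerts),
        "ips_dropped": len(ips_dropped),                # 1
        "noisy_ips_delivered": len(bad_delivered),      # 1: legit admin page lost too
        "noisy_ips_dropped": len(bad_dropped),          # 2
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both sensors raise the same alerts (the IDS feeds the analysis either way), but only the inline sensor changes what reaches the destination; and once the noisy rule is promoted to drop, the legitimate `/admin/status` request is lost along with the exploit, which is the operational reason for keeping noisy signatures alert-only on the inline box.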

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users