IDS mailing list archives

IDS/IPS Value


From: "Chuck Jenson" <cejenson () mailblocks com>
Date: Tue, 24 Feb 2004 14:05:26 -0600

I don't know if this horse has been beaten to death yet so I will get out my
stick:

First of all, I work for NAI so I have to warn you I'm pro IPS.  Knowing
that:

I read all of these posts (Is IDS/IPS Worthless?) and either I'm missing the
point or have incredible insight, but it seems to me that the IDS is
strictly an information gathering tool for you to tune your firewalls (Host
or Network Based).  Using an airplane analogy this time, IDS is like the
black box on the plane, it didn't stop that crash, but it can help you keep
the next plane from crashing in the same manner.  IPS is more like the stall
sensor, it warns you at first, but then attempts to take corrective action.
The problem lies in when the sensor thinks there is a stall when there
really isn't (False Positives).

From my experience at NAI (only since November mind you), my belief is that
IPS has to be an evolution of the IDS solutions, you can prevent what you
can't detect.  Right now there is no single solution that fixes everything,
but you can put together a combination of HIPS, NIPS, AV and AntiSpam to
make your network tough on the inside and out.  It sure ain't plug n play
either!  I'm in the process of trying to create a course in IPS
methodologies and unless you have more money than Trump, you have to make
some serious decisions on what, when and where to protect.

With all that said, I would like to solicit your opinions on how to get the
best bang for the "buck" on IPS solutions.  I'm not looking for product
references, but things like why would you put a HIPS solution in one part of
the network instead of NIPS?  Or is AV & AS good enough in some places?
Would you use HIPS or NIPS to protect yourself from internal attackers?  Be
warned, if it's good, I will steal it, reference you and teach as many
people as I can about it<Grin>.

Thanks!
Chuck Jenson, MCSE, CCNA, CISSP and all that other Cr*p
Views are my own and not necessarily those of my company
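The black-box versus stall-sensor distinction above, as an added illustration that is not part of Chuck's post: one rule engine run in IDS mode (record what fired, never interfere) and in IPS mode (record and block), with a per-rule confidence score so that a weak, noisy rule can raise an alert but is never allowed to drop traffic on its own. The rules, thresholds and events are constructed for this example; nothing here comes from any NAI product.

```python
"""Added illustration (not from the original post): the same signature
engine in IDS mode (record only) and IPS mode (record and block), with a
per-rule confidence score so weak matches are alerted but never blocked.
All rules and events below are constructed for this example."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern        # matched against the event payload
    confidence: float          # 0.0-1.0: how much the analyst trusts the rule


@dataclass
class Event:
    src: str
    dst_port: int
    payload: str


@dataclass
class Verdict:
    event: Event
    matched: list = field(default_factory=list)   # names of rules that fired
    action: str = "allow"                          # "allow", "alert" or "block"


# Constructed rules: one high-confidence marker of a common injection
# pattern, one deliberately weak heuristic that is known to be noisy.
RULES = [
    Rule("sql-comment-tail", re.compile(r"'\s*--"), 0.9),
    Rule("long-uri", re.compile(r"^GET\s+\S{200,}"), 0.4),
]


def evaluate(event, rules, mode="ids", block_threshold=0.8):
    """Return a Verdict for one event.

    mode="ids": record which rules fired; the action is "allow" or "alert".
    mode="ips": additionally "block" when the strongest firing rule meets
    block_threshold. A low-confidence match is still only an alert, which is
    the stall warning before any corrective action; it keeps a noisy rule
    from turning a false positive into an outage.
    """
    verdict = Verdict(event)
    best = 0.0
    for rule in rules:
        if rule.pattern.search(event.payload):
            verdict.matched.append(rule.name)
            best = max(best, rule.confidence)
    if not verdict.matched:
        return verdict
    verdict.action = "alert"
    if mode == "ips" and best >= block_threshold:
        verdict.action = "block"
    return verdict


def run(events, rules, mode):
    """Evaluate every event in the given mode; the list of verdicts is the
    'black box' record that is kept in either mode."""
    return [evaluate(e, rules, mode) for e in events]


def summary(verdicts):
    """Count verdicts by action, e.g. {"allow": 1, "alert": 2}."""
    counts = {}
    for v in verdicts:
        counts[v.action] = counts.get(v.action, 0) + 1
    return counts


# Constructed sample traffic: a benign request, a request carrying the
# high-confidence marker, and an overly long but harmless URI that only
# trips the weak heuristic.
SAMPLE = [
    Event("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    Event("10.0.0.9", 80, "GET /login?user=admin'-- HTTP/1.1"),
    Event("10.0.0.7", 80, "GET /" + "a" * 250 + " HTTP/1.1"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        for v in run(SAMPLE, RULES, mode):
            print(f"{mode}: {v.event.src} -> {v.action} {v.matched}")
        print(mode, summary(run(SAMPLE, RULES, mode)))
```

In IDS mode both suspicious events are only alerts; in IPS mode the high-confidence match is blocked while the weak long-URI heuristic still produces just an alert, so tuning the rule's confidence (or the block threshold) is where the false-positive trade-off the post describes is actually made.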

