IDS mailing list archives
IDS/IPS Value
From: "Chuck Jenson" <cejenson () mailblocks com>
Date: Tue, 24 Feb 2004 14:05:26 -0600
I don't know if this horse has been beaten to death yet so I will get out my stick: First of all, I work for NAI so I have to warn you I'm pro IPS. Knowing that: I read all of these posts (Is IDS/IPS Worthless?) and either I'm missing the point or have incredible insight, but it seems to me that the IDS is strictly an information gathering tool for you to tune your firewalls (Host or Network Based). Using an airplane analogy this time, IDS is like the black box on the plane, it didn't stop that crash, but it can help you keep the next plane from crashing in the same manner. IPS is more like the stall sensor, it warns you at first, but then attempts to take corrective action. The problem lies in when the sensor thinks there is a stall when there really isn't (False Positives).
From my experience at NAI (only since November mind you), my belief is that IPS has to be an evolution of the IDS solutions, you can prevent what you can't detect. Right now there is no single solution that fixes everything, but you can put together a combination of HIPS, NIPS, AV and AntiSpam to make your network tough on the inside and out. It sure ain't plug n play either! I'm in the process of trying to create a course in IPS methodologies and unless you have more money than Trump, you have to make some serious decisions on what, when and where to protect.

With all that said, I would like to solicit your opinions on how to get the best bang for the "buck" on IPS solutions. I'm not looking for product references, but things like why would you put a HIPS solution in one part of the network instead of NIPS? Or is AV & AS good enough in some places? Would you use HIPS or NIPS to protect yourself from internal attackers? Be warned, if it's good, I will steal it, reference you and teach as many people as I can about it <Grin>.

Thanks!

Chuck Jenson, MCSE, CCNA, CISSP and all that other Cr*p
Views are my own and not necessarily of my companies
Current thread:
- RE: Is IDS/IPS worthless?, (continued)
- RE: Is IDS/IPS worthless? Bob Walder (Feb 23)
- RE: Is IDS/IPS worthless? Bénoni MARTIN (Feb 23)
- RE: Is IDS/IPS worthless? Jeff McLaughlin (Feb 23)
- RE: Is IDS/IPS worthless? Matthew L. McGuirl (Feb 23)
- RE: Is IDS/IPS worthless? Robert Jackson (Feb 23)
- RE: Is IDS/IPS worthless? Cure, Samuel J (Feb 23)
- Re: Is IDS/IPS worthless? Webb Wang CS (Feb 23)
- RE: Is IDS/IPS worthless? DeGennaro, Gregory (Feb 23)
- RE: Is IDS/IPS worthless? Matthew L. McGuirl (Feb 23)
- RE: Is IDS/IPS worthless? Bell, Gregory (ISS Atlanta) (Feb 23)
- IDS/IPS Value Chuck Jenson (Feb 25)
- RE: Is IDS/IPS worthless? Bob Walder (Feb 24)
- RE: Is IDS/IPS worthless? Andrew Plato (Feb 25)
- RE: Is IDS/IPS worthless? Bob Walder (Feb 26)