IDS mailing list archives

RE: Alarm response strategies


From: Richard Bejtlich <taosecurity () gmail com>
Date: Tue, 27 Jul 2004 16:28:56 -0400

Rob Shein wrote:

"What I do see happening is for IPS and IDS to converge to some
degree, so that we can have the larger alert capability of an IDS
combined with the proactive (couldn't think of a better word to offset
reactive...just plain active, perhaps?) capability of an inline IPS."

--

If I could have one wish granted, it would be for the IPS to be
recognized as a layer 7 firewall, and not compared to an IDS.

If there's convergence ahead (and I agree with you that there is),
let's see the IPS merge into the access control device known as the
firewall.

I want my network audit device to perform no access control at all,
unless in absolutely dire emergencies.

We already see "convergence" multipurpose boxes that are
switches/routers/VPN concentrators/firewalls/wireless
gateways/anti-virus/IDS/etc., but this is more for small shops in my
opinion.  Conceptually speaking an IPS is an access control device and
an IDS is a network audit device.

Sincerely,

Richard
http://www.taosecurity.com
