IDS mailing list archives

RE: amount of alarms generated by IDS


From: Ravishankar Ithal <ravi_ithal () yahoo com>
Date: Tue, 11 May 2004 10:13:52 -0700 (PDT)


--- Rob Shein <shoten () starpower net> wrote:
I'm a bit confused here.  You're talking about inline IDS and IPS.  Are you
using the terms interchangeably?  If so, you're mistaken; putting an IDS
inline does not make it an IPS.  And an IDS inline shouldn't be dropping
packets. 

If an IDS doesn't have the ability to drop packets, why would you call it
"inline"? Note that sitting in the packet path or as an offline box doesn't
make any difference in the amount and kind of traffic that the box can actually
see, what with spanning on switches. I _am_ using the two terms interchangeably,
simply because IPSs of today are nothing but IDSs of yesterday with an ability
to drop malicious-looking packets.

I could see how the signatures could be tuned differently due to
the fact that it is able to ensure that it sees everything, and that could
generate fewer FPs, but aside from that I doubt there would be any
difference.  Keep in mind that an inline IDS does not (normally) do anything
to bad traffic, while an IPS takes an active role in
munging/blocking/denying such.





        
                