IDS mailing list archives

RE: IPS, alternative solutions

From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Fri, 17 Sep 2004 10:35:49 -0400

Jason,

The ROI in a medium+ organization does not come from using IPS as a
patch replacement system. The IPS lets the organization schedule the
patches at its convenience instead of the de facto schedule implied by
the release of the patch. That is, without something like an IPS in
place, the organization needs to apply patches as quickly as possible to
maintain their security posture. This is problematic for many reasons.
However, there are two common, major ones. First, it can take months
(even longer) to deploy a patch to all levels of an organization. During
this time the organization remains vulnerable. Second, it is difficult
to manage multiple overlapping patch and/or frequent patch processes.

The IPS allows them to delay patch installation until it is convenient
and this is where the ROI materializes. The IPS protects the
organization until it can deploy the patch everywhere. The ROI here is
obvious when a worm hits before you can complete the patch installation.

It turns out that the cost to install a dozen patches at once (even from
multiple vendors) is not much more than the cost to install one critical
patch. So an organization that can defer all patch installation to the
beginning of each quarter for example can reap huge dividends over the
cost of rolling out each patch individually. They only need to test one
set of changes prior to applying them (instead of several per quarter).
In addition, the number of different configurations present in the
organization at any moment is reduced, thereby lowering support costs.

Paul

-----Original Message-----
From: Jason [mailto:security () brvenik com] 
Sent: Wednesday, September 15, 2004 3:47 PM
To: Scott Wimer
Cc: Daniel; focus-ids () securityfocus com
Subject: Re: IPS, alternative solutions


I've heard of no medium+ sized business that is considering deploying 
inline technology on the internals of the network in a sufficiently 
pervasive manner that there would be any measurable benefit from the 
technology over patching and asset management.

I would be seriously interested in an ROI that can demonstrate savings.

The simple question is how is inline packet scrubbing easier and more 
cost effective than patching?

Scott Wimer wrote:

Daniel,

I agree with your assessment.  What I have encountered in the 
financial sector though is a desire to have the packets "scrubbed" 
before they reach the servers.  People _want_ to deploy network based 
IPS tools because it is easier and more cost effective.  That it 
doesn't seem to be possible yet is another story altogether.

Regards, Scott Wimer

On Tue, 2004-09-14 at 06:01, Daniel wrote:

So far there has been a load of talk discussing which is the better 
technology. Personally i dont think IPS is ready for the big time. 
Yeah its great for small mum and dad networks, but for large 
financial networks with billions of pounds flowing across them, would

you trust a technology to think and block what it seems as bad 
traffic?

So what are the alternatives? I'd say more host based protection such

as:

- Stack protection - Application level firewalls
(ModSecurity/SecureIIS) - Host based firewalls

I'm interested to see what everyone else feels are alternatives to 
IPS


---------------------------------------------------------------------
-----
 Test Your IDS

Is your IDS deployed correctly? Find out quickly and easily by 
testing it with real-world attacks from CORE IMPACT. Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

------------------------------------------------------------------------
--


------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
------------------------------------------------------------------------
--


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

Current thread:

IPS, alternative solutions Daniel (Sep 15)
- Re: IPS, alternative solutions Scott Wimer (Sep 15)
  - Re: IPS, alternative solutions Jason (Sep 16)
    - Re: IPS, alternative solutions Scott Wimer (Sep 15)
    - Re: IPS, alternative solutions Jason Haar (Sep 16)
- Re: IPS, alternative solutions Alex Butcher, ISC/ISYS (Sep 15)
- Re: IPS, alternative solutions Andy Cuff (Sep 16)
- <Possible follow-ups>
- Re: IPS, alternative solutions Johann_van_Duyn (Sep 15)
- RE: IPS, alternative solutions Palmer, Paul (ISSAtlanta) (Sep 17)
  - Re: IPS, alternative solutions Jason (Sep 17)
- RE: IPS, alternative solutions Murtland, Jerry (Sep 17)
- RE: IPS, alternative solutions Cure, Samuel J (Sep 21)
  - Re: IPS, alternative solutions Jason (Sep 22)
    - Re: IPS, alternative solutions Mike Frantzen (Sep 22)
    - Re: IPS, alternative solutions Devdas Bhagat (Sep 27)
    - Re: IPS, alternative solutions Thomas Ptacek (Sep 29)
    - Re: IPS, alternative solutions Kyle Maxwell (Sep 23)
    - Message not available
    - Re: IPS, alternative solutions Jason (Sep 26)
    - Re: IPS, alternative solutions p z (Sep 27)

(Thread continues...)