IDS mailing list archives

RE: IPS comparison


From: "James Williams" <jwilliams () mail wtamu edu>
Date: Fri, 2 Sep 2005 08:20:18 -0500

If you haven't used the Cisco IDS/IPS solution recently, maybe you
should. It's been greatly improved over the last couple of years. Also
Cisco DOES have IPS solutions that you can put on servers and on the
desktop that support Windows, Linux, and Solaris and they are working on
a Mac client, so I've been told.

Take a look at the Cisco IPS 4200 series appliances as well as Cisco CSA
and Cisco Clean Access.

Your facts are a bit misconstrued based on where the IDS/IPS market was
a couple years ago. I'm pretty sure that ALL products in the IPS/IDS
market have made huge leaps and bounds on how their product operates.

Code Red & Nimda were both worms from 2000/2001 when IPS technologies
were much younger technologies, whereas Slammer happened in early 2003.
In technology that's a lifetime of growth and maturity. Most IPS vendors
are using behavior based metrics to determine what an attack is and what
isn't. That makes it much easier for vendors to help mitigate zero-day
attacks. The Cisco CSA blocked Blaster and the more recent Zotob without
any updates. It simply saw a behavior that wasn't normal and blocked it.

On my personal computer at my house I personally use Prevx. So far it's
turned out to be a great product. I've installed it on a fresh install
of a Windows XP computer and put it on the Internet unprotected and it
blocked all the known worms, such as Blaster that wreaked havoc for many
universities and companies in August of 2003.

Anyways, all I'm trying to say is that the IDS/IPS industry has gotten
much better at what they do best, and I think a lot of the material that
you are basing your comments on is from at least 2 years ago.

James Williams, GISF
Network Systems Technician


-----Original Message-----
From: Rubayat.Zahir () csfb com [mailto:Rubayat.Zahir () csfb com]
Sent: Thursday, September 01, 2005 1:40 PM
To: focus-ids () securityfocus com
Subject: IPS comparison

IPS/IDS can claim all they want on Zero Day exploits. I can assure you
it's a player's luck. I had a client during my Big X career who were saved
by ISS on SQL Slammer, and hit hard on Nimda and Code Red. It's really a
player's luck. All IDS/IPS require full customization to your environment
(i.e. Applications, Code, Platforms etc.). Second of all, based on the
patterns I have seen, it is truly a variance among vendors (ISS,
Enterasys, Cisco, Snort, etc.). Lastly, the best of all IDSs are ones
that have the capability to perform attack correlations.

Some IPSs are software (e.g. those from Computer Associates, McAfee,
Snort) that you run on your own servers (which may be Windows and/or
Linux-based), while others are dedicated appliances (including
SonicWALL, McAfee, Juniper and Cisco). Your company may have a policy
that limits you to one type or the other.

To be frank, in many cases IDS and IPS are the same piece of kit
that's just been re-categorised by the vendors - protection seems an
awful lot more marketable than just detection (especially if a detection
system just writes an alert to a log file that you only get a chance to
look at once a week).

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------