RE: IDS vs. IPS deployment feedback

["Alan Shimel" <ashimel () stillsecure com>]

Andrew

While I can appreciate what you are saying, your own commercial position
makes it difficult to put much weight behind what you are saying.  The sheer
number of people using snort sensors would seem to indicate other than what
you are saying.  Also, the many products that give pure, vanilla snort a
polished commercial feel, are a fine match for many of the products you
mention.  Our own freeware IPS, strata guard free
(http://www.stillsecure.org), which is snort based, is a perfect example of
this.  It probably does as good a job on the false positives as any of the
"commercial" products you mention.

It is a wide market out there!

alan


 
StillSecure
Alan Shimel 
Chief Strategy Officer 

O 303.381.3815
C 516.857.7409
F 303.381.3881
email ashimel () stillsecure com
blog http://ashimmy.typepad.com

www.stillsecure.com
The information transmitted is intended only for the person
to whom it is addressed and may contain confidential material.
Review or other use of this information by persons other than
the intended recipient is prohibited. If you've received
this in error, please contact the sender and delete
from any computer.

-----Original Message-----
From: Andrew Plato [mailto:andrew.plato () anitian com] 
Sent: Friday, April 07, 2006 12:05 PM
To: Will Metcalf
Cc: focus-ids () securityfocus com
Subject: RE: IDS vs. IPS deployment feedback

> I'm not saying that an IPS does not have value, I'm saying 
> it should be part of an overall security strategy, not your 
> end all solution for detecting and preventing intrusions, 
> as  the view that it gives even the most novice analyst is 
> far too narrow.

Okay Will, here we agree. An IPS must be part of a larger security
strategy. It cannot stand alone. I completely agree with that.

However, I maintain my position that most businesses lack the analytical
capabilities to deploy resource intensive technologies (like SNORT).
Hence, commercial IPS that can filter off a set of known vulnerabilities
reduces the overall workload and offers a layer of protection. Also, the
majority of attacks in the wild are well-known and easily detected and
blocked. 

_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

Your Expert Partner for Security & Networking

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

GPG public key available at: http://www.anitian.com/corp/keys.htm 
_________________________________________________
NOTICE:
This email may contain confidential information, 
and is for the sole use of the intended recipient.  
If you are not the intended recipient, please reply 
to the message and inform the sender of the error 
and delete the email and any attachments from 
your computer. 
_________________________________________________


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------