IDS mailing list archives

Re: IDS vs. IPS deployment feedback


From: "Aaron" <snort () microchp org>
Date: Mon, 17 Apr 2006 19:42:25 -0700

I completely agree. If you are doing anomaly/heuristics based detection then you would need to have a baseline.

Just in my own experience (*points at the bags under the eyes*), I don't really bother with IDS/IPS. Others I work with still do and that is fine, but it is a full time job to chase ghosts. To each their own. :)

I sleep better knowing I audit my stuff and lock things down. It actually kills several birds with one stone (ASPCA won't like that analogy). I find things that I did not know people installed. I fix sysadmin boo-boos and can further document what is running where. It also helps me find ahead of time applications that were not coded well and cannot withstand a lightweight audit. I can then work with developers to improve their applications and dig deeper into application security. This, in my not so humble opinion, is a more efficient approach, as it catches weaknesses that network devices cannot predict or safely negate without impacting business flow.

But hey, selling network devices means more money changing hands and more jobs so I won't complain. Funny money is still money. :)

--Aaron



On Sun, 16 Apr 2006 17:31:37 +0200 Stefano Zanero <zanero () elet polimi it> wrote:
Aaron wrote:
To add to (or take away from) this thread, I would further mention that IDS/IPS, regardless of make or implementation, will only see the past, not the future.

You may wish to notice that this is true, but a problem only for misuse based devices. Anomaly based devices, on the contrary, use the past as a way to detect anomalies into the future, and therefore are less sensitive to the zero-day/unforeseen attack problem.

Stefano
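To make the misuse-versus-anomaly contrast in the exchange above concrete, here is an added illustration (not code from the list, nor from any IDS product): a signature matcher only flags paths it already knows, while a baseline learned from past traffic flags a host whose request volume, or whose URL path, was never seen before. All log records, the signature strings and the threshold factor `k` are constructed for the example.

```python
"""Misuse-based vs. baseline (anomaly-based) detection on constructed logs."""
import statistics
from collections import Counter

# Constructed "known bad" patterns a misuse-based sensor would ship with.
SIGNATURES = ["/cgi-bin/known-bad", "../.."]

# Constructed "past" traffic used to learn the baseline: (host, path).
BASELINE_LOG = ([("10.0.0.5", "/index.html")] * 5
                + [("10.0.0.7", "/about")] * 6
                + [("10.0.0.8", "/index.html")] * 4
                + [("10.0.0.6", "/about")] * 5)

# Constructed "future" traffic: a new host hammering a path no signature names.
NEW_LOG = [("10.0.0.5", "/index.html")] * 3 + [("10.0.0.9", "/admin/x")] * 30


def misuse_alerts(log):
    """Flag only requests whose path contains a known signature (sees the past)."""
    return [(h, p) for h, p in log if any(s in p for s in SIGNATURES)]


def build_baseline(log):
    """Learn per-host request-volume mean/stdev and the set of paths seen."""
    counts = Counter(h for h, _ in log)
    vals = list(counts.values())
    # pstdev is 0 when every host has the same count; fall back to 1.0 then.
    return statistics.mean(vals), statistics.pstdev(vals) or 1.0, {p for _, p in log}


def anomaly_alerts(log, baseline, k=3.0):
    """Flag hosts above mean + k*stdev and paths absent from the baseline.

    k is the sensitivity knob: lower values catch more but chase more ghosts.
    """
    mean, sd, seen_paths = baseline
    counts = Counter(h for h, _ in log)
    alerts = [f"volume:{h}" for h, c in counts.items() if c > mean + k * sd]
    alerts += sorted({f"newpath:{p}" for _, p in log if p not in seen_paths})
    return alerts


if __name__ == "__main__":
    print("misuse:", misuse_alerts(NEW_LOG))              # nothing matches
    print("anomaly:", anomaly_alerts(NEW_LOG, build_baseline(BASELINE_LOG)))
```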

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------


