IDS vs. IPS deployment feedback

[watsont <thomas.watson.b () bayer com>]

Here is my quandary:

In recent years there has been an increasing buzz that Intrusion Detection
is dead. We hear that the next, pardon the OLD cliche, 'killer app' for
security professionals to deploy in their network for identifying and
protecting against malicious attacks is IPS. I am by no means an Intrusion
Prevention bigot but I have a philosophical issue with deploying a device
that is fairly immature, in my mind, in line with production traffic that,
should it be interrupted for ANY reason, might impact the businesses we work
so hard to protect. I struggle with putting my name on the list of phone
numbers to call when the device I deployed to protect the environment
actually DOS's our customers (both internal and external). 

I fully understand the value in preventing traffic that we may know to be
malicious such as worms and the like but there are other mature protection
methods already available in products that are widely deployed (modern
firewalls) which can proactively handle these types of issues. I think we
would be better suited to look at what firewalls can't do well yet such as
web application level protection but that is another topic should you like
to broach I'd be happy to discuss.......

My second issue with IPS, at least the current incarnation of them, is that
they do a mediocre job of handling false positives which would lead back to
my initial concern of blocking valid traffic. Lets face it, though they are
getting better, most IPS vendors are providing a solution that grew out of
IDS type devices. It took several years and much pain to develop, deploy and
reliably tune devices that are able to keep up with an ever increasing
number of attacks and growth in bandwidth. In my opinion IDS is by no means
dead. 

Should we march toward ACTIVE protection measures rather than REACTIVE ones
to keep our networks safe? Absolutely! Are there products out today than can
do this? Sure, but I do not have a level of comfort yet with any of them.
Much of the rhetoric and push for deploying IPS devices that are available
seems to come from Marketing and Sales people, not Security professionals.
Which is why I am reaching out to you, your experiences and your thoughts
surrounding this issue.

I will not be publishing this information or sharing it otherwise, it is
purely personal and professional. I may be completely off base in my
reasoning which I can accept and am willing to be convinced otherwise.

Thanks in advance for your time!

I look forward to hearing from you.

Tom - CISM, CISSP
--
View this message in context: http://www.nabble.com/IDS-vs.-IPS-deployment-feedback-t1293748.html#a3443521
Sent from the IDS (Intrusion Detection System) forum at Nabble.com.


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------