IDS mailing list archives
Re: RE: IDS vs. IPS deployment feedback
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Wed, 29 Mar 2006 18:50:57 +0530
On 28/03/06 08:46 -0800, Andrew Plato wrote:
I for one worry more about downtime than getting hacked. If I am well organised, patched and secured in depth, the possibility of getting hacked is very low. A 'leet hacker would probably operate under an IPS/IDS detection range anyway.
Hacking is only one aspect. IPS does a lot more than stop hackers. It also stops internal people from doing things they shouldn't. It also can spot poorly coded applications, misconfigurations, abuse, theft, information leakage, viruses, worms, spyware, P2P, chat, rootkits...and many other things. A well tuned IPS controls more than just exploits. It can keep unwanted protocols (IRC, NNTP, etc.) out of your network. And before you say "well a firewall can do that." No it can't. If you run IRC on port 80 it can slice through most firewalls on the market.
If by firewall, you mean a packet filter, then you are correct. If by firewall, you mean a proxy which validates protocols and is in default deny mode, then you are just wrong. "If I don't have a proxy for it, I don't let the traffic through" works just fine. An IPS looks at stuff on the wire, decides what is bad, and blocks it. A real firewall looks at stuff on the wire, decides what is good, and allows it. A real firewall hooks into everything (servers, network equipment, desktops...).
I have a diagram I use in a presentation on the Myths of IPS. You can see it here: http://www.anitian.com/corp/papers/Library/IPS_myths.pdf It's the Risk Reduction Bang for the Buck chart. It compares IPS to other common security/network technologies such as AV, content filtering, firewalls and packet shapers. A well tuned, well managed IPS can provide more services and capabilities in one unit than all those other technologies combined. As I tell people - firewalls and AV are important and should never be overlooked. But once those protections are in place, IPS offers the most bang for the buck in security technologies.
Once you have a firewall in place, you need a system which analyses logs and traffic which gets through your firewall.
Also - you cannot patch your way to security. Patching merely plugs the holes you know about. There are, at any given time, hundreds if not thousands of holes you don't know about. Good IPS manufacturers are deploying protections before exploits hit the public.
Which is why you need to run secure code in the first place. Band-aids are not a panacea for vulnerable code. Really, it would help to compare IPSes with proxies instead of known broken systems.
Devdas Bhagat
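The distinction drawn in this thread, "decide what is bad and block it" (IPS signatures) versus "decide what is good and allow it" (a protocol-validating proxy in default-deny mode), as an added example that is not part of the original list traffic. It is illustrative code written for this page, not any product's engine: the IRC command list and the sample request heads are constructed, and the HTTP allow-list is deliberately minimal (origin/absolute-form targets, HTTP/1.x, well-formed headers, a Host header).

```python
import re

# Allow-list model (proxy): only what parses as an HTTP/1.x request head
# is let through on port 80; everything else is denied by default.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) ([^ \t]+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")

# Deny-list model (signature): a few IRC registration commands to look for.
# Constructed for this example; not a real signature set.
IRC_COMMANDS = (b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ")


def deny_list_verdict(head: bytes) -> bool:
    """Signature-style: allow unless a known-bad pattern appears on a line."""
    return not any(line.startswith(IRC_COMMANDS) for line in head.split(b"\r\n"))


def allow_list_verdict(head: bytes) -> tuple[bool, str]:
    """Proxy-style: deny unless the bytes are a well-formed HTTP/1.x head."""
    if b"\r\n\r\n" not in head:
        return False, "no header terminator"
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return False, "request line does not parse"
    method, target = m.groups()
    if method not in ALLOWED_METHODS:
        return False, "method not in allow list"
    if not (target.startswith(b"/") or target.startswith(b"http://") or target == b"*"):
        return False, "unexpected request target form"
    names = set()
    for line in lines[1:]:
        if HEADER_LINE.match(line) is None:
            return False, "malformed header line"
        names.add(line.split(b":", 1)[0].lower())
    if b"host" not in names:
        return False, "Host header missing"
    return True, "well-formed HTTP/1.x request"


# Constructed sample request heads as they might arrive on TCP port 80.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
IRC_LOGIN = b"NICK someone\r\nUSER someone 0 * :Some One\r\n"
UNKNOWN = b"HELLO 1.0 tunnel\r\n\r\n"  # a protocol no signature knows about

if __name__ == "__main__":
    for name, head in (("http", HTTP_GET), ("irc", IRC_LOGIN), ("unknown", UNKNOWN)):
        print(name, "deny-list:", deny_list_verdict(head), "allow-list:", allow_list_verdict(head))
```

The unknown protocol passes the deny list because nothing matches it, but fails the allow list because it is not HTTP; that is the default-deny property the reply argues for.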