Re: Re: RE: RE: IDS vs. IPS deployment feedback

[trashcanmn () gmail com]

<snip>
Firewalls and IPS has the same characteristics in that if either one stops working, traffic goes down as well. So by 
installing
an IPS you have two devices that can stop your connection. By using an IDS you only have one device (the firewall) that 
can
shut down your network.
</snip>
The above statement isn't entirely correct.  Most modern IPS have a 'fail-over' feature that allows traffic to pass 
even if the IPS is overloaded or powered off.  If deployed correctly an IPS should not completely shut down a network.

One of the misconceptions some people have is to believe that deploying and maintaining an IPS requires less work than 
an IDS.  Both systems require knowledgable personnel to tune and customize the rule sets for their environment.  If you 
don't have the right people for an IDS you won't be able to separate legitimate threats from false-postivies.  If you 
don't have the right people for an IPS you will end up blocking legitimate traffic.  To me neither scenario is 
acceptable.

As to the post topic, I've used both IDS and IPS systems and found that a combination of both works well for my 
environment.  IPSes can work well in front of or behind your perimeter firewall.  They also work well to separate your 
DMZ from Corp networks.  IDS can work well inside your DMZ or Corp networks.
 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------