IDS mailing list archives

Re: question related to focus-ids (IPS/IDS "inside" the firewall)


From: Joel M Snyder <Joel.Snyder () Opus1 COM>
Date: Wed, 05 Dec 2007 11:58:32 -0700

Anderson, Derick wrote:
> Joel, thanks for providing your IPS assessment - it was hugely
> beneficial.
> Do you see, in general, any benefit to having an IDS monitoring traffic
> when there's an IPS at the gateway? The reason I ask is because of your
> comment about turning on IDS inside the firewall (although you also
> mentioned that Cisco has a separate processor for IDS). As I see it, an
> IDS serves a different purpose than an IPS, which is auditing. For
> example, I set up my IPS in "sane" mode and I set up a separate IDS
> behind that which should only trigger on stuff the IPS misses.
>
> To me, that kind of setup can have value, I was just wondering what your
> thoughts were on that.

Derick:


Yes, I very much think that there is a need for IDS even when you
have IPS.  I think that my words were not as precise as they
should have been.

When I said that you should not run
"IDS inside the firewall," I did not mean
"IDS topologically inside of the firewall" but
"IDS actually incorporated inside of the firewall itself."

I re-read my post and see how it could easily be misinterpreted.

But since IDS and IPS are two VERY different things
(one blocks known attacks; the other is a security problem
detection and network visibility tool), I think that there is
room for both.

In fact, we run both: IPS out at the edge near the firewall
(don't have any of those fancy UTM firewalls ourselves :-(),
and IDS closer to the things I "care" about.

So I'm in total agreement with you.  Sorry if I wrote poorly
and didn't make that clear.

jms


--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms () Opus1 COM                http://www.opus1.com/jms
