Snort mailing list archives

Re: [Snort-devel] IDS vs IPS


From: pieter claassen <pieter () countersnipe com>
Date: 21 Aug 2003 11:28:49 +0100

I agree with Jed in that IPS has been developed to classify a "new"
science of automated response to suspected intrusions. However, I do
believe this terminology is important to get right and clear because:

1. There are lots of different ways that you can automate response to an
intrusion ranging from dropping a suspicious packet silently on the floor to
refusing to do any business with the offending user (Firewall
reconfigure) and these things are very different.
2. So many people are running around in the market claiming to be
selling IPS and all their products do very different things so how do
you compare them?
3. All these products that do different things have profoundly different
impacts on the implementor's organisation. They not only change the way
companies handle IR but because they are so different, they all change
it uniquely. You should really do a custom analysis of the potential
benefit/impact of each product to be able to compare them.

There is currently too much FUD around IPS and I have started drafting an
IPS best practice guide with some input from vendors and consultants to
try and get a clearer understanding around the issues that will impact
IPS. I believe that will clear the terminology issues up by itself. You
can get this guide at http://snortinline.org (note this site is only
temporary until the snil community decides if they want to adopt it).

IPS should rather be called IDP (Intrusion Detection and Prevention) and
Netscreen will love that!

Shouldn't this discussion move to the snort-inline mailing list?

Pieter

On Wed, 2003-08-20 at 23:33, Jeff Nathan wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*Before you flame me for my answer, spend a few minutes thinking about 
the formulaic logic I've used to author this response.

IPS is a "made up term" invented by people who work in marketing 
organizations.  Before they got their grubby little hands on IDS, this 
concept was called "gateway IDS" or "inline IDS".

Traditionally, Snort is a NIDS.  Snort can be used as an inline IDS (or 
Gateway IDS, or if you're really in love with the term even an "IPS") 
by using the snort-inline patches.[1]

- -Jeff

[1] http://sourceforge.net/projects/snort-inline/

On Wednesday, August 20, 2003, at 09:10 AM, Vkmobile () aol com wrote:

So is Snort an IDS or an IPS (Intrusion Prevention) or both?
 
Also, how can an IDS be converted to an IPS? Can someone point me in 
the right direction such as an FAQ or some website where I can read 
and learn?
 
Thank you.


- --
Top security experts.  Cutting edge tools, techniques and information.
Tokyo, Japan   November, 2003   http://www.pacsec.jp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/Q/cpEqr8+Gkj0/0RAgRFAJ9oZPC8c3eY7jNAO3cx4kh7uDoh+gCeM1N1
MKBMdLUi/WrPQFqIhruNGEI=
=fSJZ
-----END PGP SIGNATURE-----



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

-- 
Pieter Claassen
CounterSnipe Technologies
www.countersnipe.com


Highview House
Charles Square
Bracknell
Berkshire
RG12 1DF
United Kingdom


Tel: +44(0) 1344 390 530
Fax: +44(0) 1344 390 700
Mobile: +44 (0) 776 6656 924
email: pieter () countersnipe com
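As an added illustration of the distinction drawn in this thread (it is not part of any message above and not the snort-inline project's own rule set), the same detection written with the passive `alert` action that stock Snort uses and with the `drop`, `sdrop` and `reject` actions that the snort-inline patches add. The rule content (the header name, the `EXAMPLE` messages and the sids in the local 1000000+ range) is constructed for this example; the variables `$EXTERNAL_NET` and `$HOME_NET` are the usual snort.conf definitions.

```snort
# Passive NIDS (stock Snort, sniffing a span port or tap): the packet is
# logged and an alert raised, but it is forwarded to the server regardless.
# Constructed example rule, not from the original thread.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE suspicious request header seen"; flow:to_server,established; content:"X-Example-Suspect"; nocase; sid:1000001; rev:1;)

# snort-inline: same match, but the packet is discarded before it reaches
# the server, and an entry is still logged so the IR team sees it.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE suspicious request header dropped"; flow:to_server,established; content:"X-Example-Suspect"; nocase; sid:1000002; rev:1;)

# snort-inline: "dropped silently on the floor". Packet discarded, nothing
# logged. Cheap, but the event disappears from the IR record entirely.
sdrop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE suspicious request header silently dropped"; flow:to_server,established; content:"X-Example-Suspect"; nocase; sid:1000003; rev:1;)

# snort-inline: drop and actively answer the sender (TCP RST for tcp rules,
# ICMP unreachable for udp). This is a visible, active response and the
# session ends for both sides, which is a different operational choice again.
reject tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE suspicious request header rejected"; flow:to_server,established; content:"X-Example-Suspect"; nocase; sid:1000004; rev:1;)
```

Only the first line is meaningful to a stock Snort sensor; the other three require the snort-inline build, which reads packets handed to it by the iptables QUEUE target instead of from a capture interface, so the sensor sits in the forwarding path. That placement is exactly why the "which response" question in Pieter's first point matters: a rule change from `alert` to `drop` turns a false positive from a noisy log line into an outage for the matched traffic, so the detection logic that was acceptable for a passive sensor needs to be reviewed before it is promoted to an inline action.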
