Hello,
On Thu, Mar 16, 2006 at 11:55:42AM -0800, watsont wrote:
>
> Here is my quandary:
>
> My second issue with IPS, at least the current incarnation of them, is that
> they do a mediocre job of handling false positives which would lead back to
> my initial concern of blocking valid traffic. Lets face it, though they are
I ran into problems likes these (hopefully in
testing mode) so i agree, the "false positives"'s problem may be
considered carefully.
> number of attacks and growth in bandwidth. In my opinion IDS is by no means
> dead.
You're right, in fact and the following sentence show this, we've two
solutions : running a "REACTIVE" or "ACTIVE" mode, and even if both of them give problems
we've to choice.
> Should we march toward ACTIVE protection measures rather than REACTIVE ones
> to keep our networks safe? Absolutely! Are there products out today than can
> do this? Sure, but I do not have a level of comfort yet with any of them.
With security in mind, definitively "ACTIVE" protection is better but with
care, we can't afford the risk to do something likes "DOS" to ourself.
On the other side, "REACTIVE" may be considered less risky but we
can miss something. Not so easy to choice...
Best regards.
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
