>>1. Immature Technology
>>
>>IPS is far from immature. (snip)
There's more to technology maturity than just time.
It must have been in use as well :)
And it hasn't really been used afaik on a larger scale for the last two years or so.
>>2. False Positives
>>This is ultimately an issue of tuning. (snip)
As far as I am concerned there isn't much difference between IDS and IPS in the number of false positives.
>>If you think you're going to drop an IPS inline,
>>slap some rules on it, and never touch it again
>>- you shouldn't be getting an IPS. (snip)
Or an IDS for that matter...
>>And frankly, what is worse - a few POSSIBLE
>>disruptions due to false positives, or getting
>>hacked and 0wn3d and losing your business.
I for one worry more about downtime than getting hacked. If I am well organised, patched and secured in depth, the possibility of getting
hacked is very low. A 'leet hacker would probably operate under an IPS/IDS detection range anyway.
>>With an IPS, when you see a really nasty alert,
>>you can take note and move along, because you
>>know the IPS blocked it.
BEFORE you add a rule to your IPS/IDS you patch for the vulnerability it detects and/or make sure
it doesn't pass your firewall. Then you don't need any IPS to block it.
>>Also, I think the DOS angle is WAY overhyped.
>>It's frankly a weak excuse.
By adding IPS, you open up for DoS attacks that were not there before. Why increase risk when you really do not have to? Imho it is IPS that is WAY overhyped :)
>>IDS Dead?
>>IDS may not be dead, but its value is
>>diminishing.
IDS may be passive but a security analyst who knows his job is not. In fact by placing an IPS in your network you might even introduce a false sense of security into your organisation.
"Oh, I thought the IPS was supposed to block that"
>>The unexamined IDS is not worth having, to
>>paraphrase good old Socrates.
But the unexamined IPS is ???!
>>These are, of course, my opinions. And
>>naturally, I have a vested interest in people
>>buying more IPSs - because I sell them.
I rest my case :)