Network Security Focus-IDS

Re: How to choose an IDS/FW MSS provider

Subject: Re: How to choose an IDS/FW MSS provider
Date: Sat, 19 Mar 2005 22:57:37 -0500
On Wed, 16 Mar 2005 18:08:12 -0500, Jason <security@brvenik.com> wrote:

> The IPS cannot be _in_ the networks to be protected and must remain at
> the borders. This means that you can have systems compromised within the
> internal borders and still end up with a big mess. An IPS is a useful
> tool for mitigating nuisance issues and rapidly moving threats only if
> it can respond before those threats occur. In the case of Witty it was
> the threat. What if those systems had been inline?
>
> Defense in depth is the key element and if you combine the FW and the
> Inline device or not you still have to monitor the networks to really
> know what is happening.

Earlier Chris Harrington said "IPS / IDS down to the switch port is
where I see this heading."  I agree with him.  Routing and switching
products today offer access control via ACLs, firewall feature sets,
network-based application recognition (NBAR), context-based access
control (CBAC), and so on.

I also think Jason has a point.  The increased complexity of products
which formerly only routed and switched packets makes them targets in
their own right.  That is why I agree with Jason that products and
processes which take independent looks at network activity must remain
separate from those performing access control.  The single uber-box
that performs all network functions will be exceedingly complex and
will become attractive and easy prey for intruders.  People not
monitoring their routers and switches for indicators of compromise
will wish they had.

Richard
http://www.taosecurity.com

