
| Subject: | RE: IDS evaluations procedures |
|---|---|
| Date: | Fri, 15 Jul 2005 18:58:54 -0500 |
I totally agree with Adam: the same technology to detect attacks is available to both IPS and IDS; therefore, false positives (and fine-tuning to avoid them) are also inherent to both.

Tim might be placing more emphasis on the protective nature of IPS, which is understandable; however, I disagree with the "real-world protection against zero-day threats" statement. Even if the IPS triggers on anomalous behavior, I doubt that anyone can guarantee that this kind of protection will be effective against most zero-day threats.

IPS is helpful to stop, at least, known attacks, while requiring less attention than an IDS; on the other hand, IDS is helpful to detect a wider range of attacks and incident information, with less impact on the availability of the protected systems than an IPS. Besides, the preventive nature of IPS can't always be applied. E.g., a number of unsuccessful login attempts to a server are detected only after the event takes place, and the inline nature of IPS can't protect against this; it can prevent further connections to the affected system, though, but then it is being reactive more than preventive, right? Detecting new attacks with generic procedures is non-trivial, and an IPS can't guarantee prevention against any new or even some known attacks.

These discussions come back again and again, year after year. Maybe we should just accept that, even if some types of security controls have characteristics and functions that overlap, it doesn't mean that one is better than the other. Let us just accept that they are different tools and argue instead whether, for a particular situation, one of them is better suited for the task (if any).

Cheers,
Omar Herrera
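The failed-login point above, as an added example that is not part of the original thread: a threshold rule over constructed sshd-style log lines, which by design can only fire on the fifth failure from a source, so the preceding four attempts have already reached the server before any alert (or inline block) is possible. The log lines, the year, the window and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original thread), sshd-style.
SAMPLE_LOG = """\
Jul 15 18:50:01 host sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jul 15 18:50:03 host sshd[102]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jul 15 18:50:04 host sshd[103]: Accepted password for alice from 198.51.100.5 port 50000 ssh2
Jul 15 18:50:05 host sshd[104]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jul 15 18:50:08 host sshd[105]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jul 15 18:50:09 host sshd[106]: Failed password for root from 203.0.113.7 port 40005 ssh2
Jul 15 18:55:00 host sshd[107]: Failed password for bob from 198.51.100.9 port 50001 ssh2
"""

# Matches only failed-password events; successful logins are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<src>\S+) port"
)


def parse_ts(ts: str, year: int = 2005) -> datetime:
    # syslog timestamps carry no year; the year is an assumption for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def failed_login_alerts(log: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)):
    """Return (source, time_of_alert, failures_before_alert) per alerting source.

    The rule fires on the threshold-th failure inside the window, so by the
    time it fires, threshold-1 attempts have already been processed by the
    server: the control is reactive, not preventive, for those attempts.
    """
    recent = defaultdict(list)   # source -> timestamps of failures in window
    alerted = set()
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, src = parse_ts(m["ts"]), m["src"]
        recent[src] = [x for x in recent[src] if t - x <= window] + [t]
        if len(recent[src]) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, t, len(recent[src]) - 1))
    return alerts
```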
-----Original Message-----
From: Adam Powers

Tim,

I hate to stir up this whole can of worms (pun alert), and yes, I know this is off topic, but can you please qualify this seemingly non sequitur statement?

"All IDS devices are subject to large numbers of false positives, which is why if you're making a new investment you should consider IPS technology, as this gives you a far lower TCO and real-world protection against zero-day threats."

How so? I really struggle with this whole "because it's inline it must be more accurate" thing. Sure, if I turn off a bunch of sigs on the IPS that are less reliable, accuracy will increase. But why not do the same thing on the non-inline IDS?