Actually...
It is either or when it comes to being in-line. Why
you ask? 1) Cost and 2) Infrastructure... both of
which I have to fight for. From a cost perspective...
I can deploy IDS without really purchasing anything
new... I recycle some hardware, put on Linux and throw
snort on it and I am good to go. IPS... I don't think
so.
Infrastructure wise... its a much easier sell to
deploy passive taps that just copy data than it is to
put an IPS inline which can possibly have a bad affect
on traffic.
I would prefer both... IDS inline with IPS to use as
validation of IPS blocking or to be able to more
adequately create IPS signatures (by taking packet
captures with ethereal or something).
-Hassan
--- Frank Knobbe <frank@knobbe.us> wrote:
but I'll take IPS wherever I can
get it thank you. If one can't afford IPS... then
I
guess going the forensics only route is better
than
nothing.
If you can't get apple you take an orange? Remember,
these are different
tools. You can very well have an IPS as a filter and
an IDS to verify
that the filter works. It's not an either-or
situation. Different tools
for a different job.
Cheers,
Frank
--
Ciscogate: Shame on Cisco. Double-Shame on ISS.
Send instant messages to your online friends http://uk.messenger.yahoo.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
