Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IDS vs. IPS deployment feedback

from [Carey, Steve T GARRISON] Network Security [Permanent Link]
Subject: RE: IDS vs. IPS deployment feedback
Date: Mon, 20 Mar 2006 12:35:53 -0600 
Thomas,

   Totally agree with you Intrusion Detection is not dead.  

   Have an IPS, but currently using it in the IDS mode, because I can
not afford a DOS of my own making.  In some environments ('static') an
IPS is a great benefit, but if you have a network that changes then it
is not a good choice.

   In a 'static' environment, you still have to run it in an IDS mode to
see what your false positives are and make corrections before turning on
the IPS.  Even then there will be cases were the IPS may not stop an
intrusion, so without an IDS "backing up" the IDS (false negatives are a
greater threat if you can identify all your false positives).

   So no - Intrusion Detection is not dead and probably will not be for
a long time.  

STEVEN T. CAREY
LCIRT-R
(256) 876-5811
Cell (256) 759-9767


-----Original Message-----
From: watsont [mailto:thomas.watson.b@bayer.com] 
Sent: Thursday, March 16, 2006 1:56 PM
To: focus-ids@securityfocus.com
Subject: IDS vs. IPS deployment feedback


Here is my quandary:

In recent years there has been an increasing buzz that Intrusion
Detection is dead. We hear that the next, pardon the OLD cliche, 'killer
app' for security professionals to deploy in their network for
identifying and protecting against malicious attacks is IPS. I am by no
means an Intrusion Prevention bigot but I have a philosophical issue
with deploying a device that is fairly immature, in my mind, in line
with production traffic that, should it be interrupted for ANY reason,
might impact the businesses we work so hard to protect. I struggle with
putting my name on the list of phone numbers to call when the device I
deployed to protect the environment actually DOS's our customers (both
internal and external). 

I fully understand the value in preventing traffic that we may know to
be malicious such as worms and the like but there are other mature
protection methods already available in products that are widely
deployed (modern
firewalls) which can proactively handle these types of issues. I think
we would be better suited to look at what firewalls can't do well yet
such as web application level protection but that is another topic
should you like to broach I'd be happy to discuss.......

My second issue with IPS, at least the current incarnation of them, is
that they do a mediocre job of handling false positives which would lead
back to my initial concern of blocking valid traffic. Lets face it,
though they are getting better, most IPS vendors are providing a
solution that grew out of IDS type devices. It took several years and
much pain to develop, deploy and reliably tune devices that are able to
keep up with an ever increasing number of attacks and growth in
bandwidth. In my opinion IDS is by no means dead. 

Should we march toward ACTIVE protection measures rather than REACTIVE
ones to keep our networks safe? Absolutely! Are there products out today
than can do this? Sure, but I do not have a level of comfort yet with
any of them.
Much of the rhetoric and push for deploying IPS devices that are
available seems to come from Marketing and Sales people, not Security
professionals.
Which is why I am reaching out to you, your experiences and your
thoughts surrounding this issue.

I will not be publishing this information or sharing it otherwise, it is
purely personal and professional. I may be completely off base in my
reasoning which I can accept and am willing to be convinced otherwise.

Thanks in advance for your time!

I look forward to hearing from you.

Tom - CISM, CISSP
--
View this message in context:
http://www.nabble.com/IDS-vs.-IPS-deployment-feedback-t1293748.html#a344
3521
Sent from the IDS (Intrusion Detection System) forum at Nabble.com.


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Scan for "outsider" Pcs on network, auto62996
Next by Date:  Re: Scan for "outsider" Pcs on network, Jean-Philippe Luiggi
Previous by Thread:  Re: IDS vs. IPS deployment feedback, Jean-Philippe Luiggi
Next by Thread:  Re: IDS vs. IPS deployment feedback, nightelfhunter
Indexes:  [Date] [Thread] [Top] [All Lists]