| Subject: | Re: RE: IDS vs. IPS deployment feedback |
|---|---|
| Date: | 23 Mar 2006 19:51:40 -0000 |
>> 1. Immature Technology
>> IPS is far from immature. (snip)
There's more to technology maturity than just time. It must have been in use as well :) And it hasn't really been used afaik on a larger scale for the last two years or so.
>> 2. False Positives
>> This is ultimately an issue of tuning. (snip)
As far as I am concerned there isn't much difference between IDS and IPS in the number of false positives.
>> If you think you're going to drop an IPS inline, slap some rules on it, and never touch it again - you shouldn't be getting an IPS. (snip)
Or an IDS for that matter...
>> And frankly, what is worse - a few POSSIBLE disruptions due to false positives, or getting hacked and 0wn3d and losing your business.
I for one worry more about downtime than getting hacked. If I am well organised, patched and secured in depth, the possibility of getting hacked is very low. A 'leet hacker would probably operate under an IPS/IDS detection range anyway.
>> With an IPS, when you see a really nasty alert, you can take note and move along, because you know the IPS blocked it.
BEFORE you add a rule to your IPS/IDS you patch for the vulnerability it detects and/or make sure it doesn't pass your firewall. Then you don't need any IPS to block it.
>> Also, I think the DOS angle is WAY overhyped. It's frankly a weak excuse.
By adding IPS, you open up for DoS attacks that were not there before. Why increase risk when you really do not have to? Imho it is IPS that is WAY overhyped :)
>> IDS Dead?
>> IDS may not be dead, but its value is diminishing.
IDS may be passive but a security analyst who knows his job is not. In fact by placing an IPS in your network you might even introduce a false sense of security into your organisation. "Oh, I thought the IPS was supposed to block that"
>> The unexamined IDS is not worth having, to paraphrase good old Socrates.
But the unexamined IPS is ???!
>> These are, of course, my opinions. And naturally, I have a vested interest in people buying more IPSs - because I sell them.
I rest my case :)