Network Security Focus-IDS

Re: RE: RE: IDS vs. IPS deployment feedback

Subject: Re: RE: RE: IDS vs. IPS deployment feedback
Date: 29 Mar 2006 16:28:34 -0000
The title of the discussion is IDS vs. IPS deployment feedback.
Both IDS and IPS are neither stronger nor weaker than the rules that control them.
As far as I know you could run the same type of rules (signature and/or anomaly based) on an IDS as on an IPS. Thus an IDS could detect any network or host activity as well as an IPS could.

The main difference is in what you do with the information. I would rather have an experienced analyst implementing the security policy than a machine. Most IDSs have implemented ways to stop traffic through the firewall. AFAIK it hasn't been much used because it opens up a considerable DoS vulnerability. If I know what rules shut down connections, I can craft packets that shut down valid connections.

If installed correctly, an IDS is a network/host recording device that is very resistant to evidence manipulation. More so at least than an IPS that must be installed inline.

Firewalls and IPS have the same characteristics in that if either one stops working, traffic goes down as well. So by installing an IPS you have two devices that can stop your connection. By using an IDS you only have one device (the firewall) that can shut down your network.

> This is like saying, "by buying a car, you open yourself up to an auto
> accident." Well, sure. There is risk in everything. It's absurd to think
> that just because something has risk, it's useless.

I would rather buy a cheap car that I can steer myself than trust an expensive car running on autopilot :)
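
The DoS concern raised in the message above, shown from the defender's side as an added example that is not part of the original post: a naive IDS active-response policy blocks whatever source address a matching packet claims, while a guarded policy only blocks when the source is hard to forge and is not a protected peer. The `Alert` fields, the `PROTECTED` list, the rule names and the sample alerts are all constructed assumptions, as is the premise that a completed TCP handshake makes the source address trustworthy enough to act on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy: peers that must never be cut off automatically (constructed).
PROTECTED = [ip_network("192.0.2.0/24")]

@dataclass(frozen=True)
class Alert:
    src: str           # source address as seen on the wire
    proto: str         # "tcp" or "udp"
    established: bool  # True if the sensor saw a completed TCP handshake
    rule: str          # hypothetical rule name that fired

def naive_response(alert):
    """Block the claimed source of any packet that matches a rule."""
    return "block"

def guarded_response(alert):
    """Block only when the source is hard to forge and not protected."""
    src = ip_address(alert.src)
    if any(src in net for net in PROTECTED):
        return "alert-only"   # leave the decision to an analyst
    if alert.proto != "tcp" or not alert.established:
        return "alert-only"   # the source address may be forged
    return "block"

def blocked_sources(alerts, policy):
    """Return the set of source addresses the policy would block."""
    return {a.src for a in alerts if policy(a) == "block"}

# Constructed alerts: two with unverified sources, one on an established session.
ALERTS = [
    Alert("192.0.2.10", "udp", False, "sig-A"),    # claims to be a protected peer
    Alert("198.51.100.7", "tcp", False, "sig-A"),  # single packet, no handshake
    Alert("203.0.113.5", "tcp", True, "sig-B"),    # established session
]

if __name__ == "__main__":
    print("naive  :", sorted(blocked_sources(ALERTS, naive_response)))
    print("guarded:", sorted(blocked_sources(ALERTS, guarded_response)))
```
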
