Network Security Focus-IDS

Re: Re: RE: RE: IDS vs. IPS deployment feedback

Subject: Re: Re: RE: RE: IDS vs. IPS deployment feedback
Date: 30 Mar 2006 16:51:50 -0000
<snip>
Firewalls and IPS have the same characteristics in that if either one stops
working, traffic goes down as well. So by installing an IPS you have two
devices that can stop your connection. By using an IDS you only have one
device (the firewall) that can shut down your network.
</snip>
The above statement isn't entirely correct.  Most modern IPS have a 'fail-over' 
feature that allows traffic to pass even if the IPS is overloaded or powered 
off.  If deployed correctly an IPS should not completely shut down a network.

One of the misconceptions some people have is to believe that deploying and 
maintaining an IPS requires less work than an IDS.  Both systems require 
knowledgeable personnel to tune and customize the rule sets for their 
environment.  If you don't have the right people for an IDS you won't be able 
to separate legitimate threats from false positives.  If you don't have the 
right people for an IPS you will end up blocking legitimate traffic.  To me 
neither scenario is acceptable.

As to the post topic, I've used both IDS and IPS systems and found that a 
combination of both works well for my environment.  IPSes can work well in 
front of or behind your perimeter firewall.  They also work well to separate 
your DMZ from Corp networks.  IDS can work well inside your DMZ or Corp 
networks.
 

