Re: [Full-disclosure] Suggestion for IDS

Subject: Re: [Full-disclosure] Suggestion for IDS
Date: Wed, 28 Sep 2005 07:01:34 -0400 (EDT)

On Wed, 28 Sep 2005 Valdis.Kletnieks@vt.edu wrote:

In a nutshell I would go with Sentivist.
http://www.nfr.com/solutions/download/HotPick-IPS-Review.pdf

For brief summaries of some other products:
http://www.networkintrusion.co.uk/inline.htm

All depends on the inbound packet rate, how fast the IDS is, and how
much RAM you're willing to buy.  Just remember that a sufficiently long
queue is in itself a denial of service... ;)

A possibly even worse threat is an out-of-sync admin :O

Just remember to configure the thing sensibly - it's amazing how many
people manage to shoot themselves in the foot, and find out the hard way
that yes, Virginia, there ARE people out there that will forge packets
with the source IP address of the victim's nameserver... ;)

Many IPSes, whether HIPS or NIPS, have (or at least should have)
capabilities for assessing "0-day" threats and generating rules from
them. Even for those *PS products that do, those same "out of sync" admins
will get lost in the sauce no matter what they buy. Personally I think it
becomes the job of the admin to assess threats and stay in tune with
what's going on in the industry. Keep up to date with any new threats and
step it up from there. THAT, however, becomes a bump in the road since too
many admins are lazy.

It's *very* important to talk about definitions - there's waaay too many
people who buy an IDS and think that by hooking it to the net, it
magically becomes an IPS.

Way too many people also have become accustomed to dropping dollars on the
table of INSERT_CORP_HERE thinking they can buy an all inclusive security
solution only to find that it failed.

An equally great number buy some IPS or other, and find out the hard way
that they don't block a 0-day or a new worm.....

I'd say from my own experience that someone WITH experience can craft
their own IPS out of an IDS and call it a day, saving money for their company
and possibly creating something equal to if not better than some products. On
my little network at work I've managed to substitute many products and
appliances with what's freely available on the open source scene, with some
carefully thought out and diagrammed programs that I audit pretty much
daily.

There's nothing better for me than being able to modify something to my needs
instead of sitting and waiting until vendor_x's next release because they
didn't implement something. It's also better for me to be able to add a
line or two based on some thread about a new attack as opposed to sitting
around and waiting for vendor_x to verify whether something is a threat or not.

While I do agree with the statement made, "Quite frankly, anybody who
already has a PIX installed and wants to install an IPS needs to quantify
*exactly* what protection the PIX is failing to provide before they go
shopping for anything", to a degree, I also disagree with that statement
since it alludes to the thinking that a PIX alone will save your ass. It
won't, nor will any other firewall, nor will any other product combined
with any OTHER product and so on.

/* REDUNDANT COMMENT */ "You are the weakest link..." People fail
miserably. Products can only do what they're told, but no matter how many
acronymed buzzwords you want to throw around ("Super Hip Intelligent
Threading"), it's still SHIT unless you have the ability to use your own
common sense, experience, knowledge, etc.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"Just one more time for the sake of sanity tell me why
 explain the gravity that drove you to this..." Assemblage
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
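
An added illustration, not code posted by anyone in this thread, of the "craft your own IPS out of an IDS" idea together with the self-DoS trap raised above: alerts whose source address is the victim's own nameserver must never be turned into blocks, because anyone can forge packets with that source. The alert format is assumed to be Snort-style "fast" output; the sample lines, addresses (RFC 5737 documentation ranges) and sid values are constructed for this example, and the iptables commands are returned as strings rather than executed.

```python
"""Turn IDS alerts into firewall drops, with the guards the thread implies.

Added example written for this page; not code from anyone in the thread.
Input format is assumed to be Snort-style "fast" alert lines; iptables
commands are returned as strings, never executed.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample alerts (no real hosts; RFC 5737 documentation ranges).
# sid values are in the local-rule range and do not refer to real rules.
SAMPLE_ALERTS = """\
09/28-06:58:01.112233  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Priority: 1] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
09/28-06:58:02.445566  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Priority: 1] {UDP} 203.0.113.7:1434 -> 192.0.2.11:1434
09/28-06:58:02.778899  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Priority: 1] {UDP} 203.0.113.7:1434 -> 192.0.2.12:1434
09/28-06:59:10.000001  [**] [1:1000002:1] LOCAL DNS response flood [**] [Priority: 2] {UDP} 192.0.2.53:53 -> 192.0.2.10:4321
09/28-06:59:10.000002  [**] [1:1000002:1] LOCAL DNS response flood [**] [Priority: 2] {UDP} 192.0.2.53:53 -> 192.0.2.10:4322
09/28-06:59:10.000003  [**] [1:1000002:1] LOCAL DNS response flood [**] [Priority: 2] {UDP} 192.0.2.53:53 -> 192.0.2.10:4323
09/28-07:01:00.000000  [**] [1:1000003:1] LOCAL web probe [**] [Priority: 3] {TCP} 198.51.100.9:40000 -> 192.0.2.10:80
09/28-07:01:05.000000  [**] [1:1000003:1] LOCAL web probe [**] [Priority: 3] {TCP} 198.51.100.9:40001 -> 192.0.2.10:80
"""

# Addresses the IPS must never block, however the alerts look: the resolver
# and gateway of the protected network (assumed values). Anyone can forge
# packets with these as source; auto-blocking them turns an alert into a
# self-inflicted denial of service.
PROTECTED = {"192.0.2.53", "192.0.2.1"}
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Snort fast-format: [**] [gid:sid:rev] msg [**] ... [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that don't match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["sid"] = int(d["sid"])
        d["prio"] = int(d["prio"])
        alerts.append(d)
    return alerts


def decide_blocks(alerts, protected=PROTECTED, own_nets=OWN_NETS,
                  threshold=3, max_prio=2):
    """Return (addresses to block, {address: reason it was not blocked}).

    A source is blocked only when it produced at least `threshold` alerts of
    priority <= max_prio (Snort: 1 is most severe), is not on the protected
    list and is not inside our own address space.
    """
    counts = Counter(a["src"] for a in alerts if a["prio"] <= max_prio)
    low_only = {a["src"] for a in alerts} - set(counts)
    blocks, skipped = [], {}
    for src, n in sorted(counts.items()):
        ip = ipaddress.ip_address(src)
        if src in protected:
            skipped[src] = "protected"
        elif any(ip in net for net in own_nets):
            skipped[src] = "own network"
        elif n < threshold:
            skipped[src] = f"below threshold ({n} < {threshold})"
        else:
            blocks.append(src)
    for src in sorted(low_only):
        skipped[src] = f"priority > {max_prio}"
    return blocks, skipped


def render_rules(blocks, chain="INPUT"):
    """Render iptables commands for the chosen addresses (strings only)."""
    return [f"iptables -I {chain} -s {src} -j DROP" for src in blocks]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    to_block, not_blocked = decide_blocks(parsed)
    for rule in render_rules(to_block):
        print(rule)
    for src, why in not_blocked.items():
        print(f"# not blocking {src}: {why}")
```

Run as-is, the script emits one DROP rule for the worm source and explains why the forged nameserver traffic and the low-priority probe are left alone. The protected list and the threshold are the two knobs that separate a usable home-grown IPS from a device that blocks its own DNS on the first spoofed packet; each is a line or two to change when a new attack thread appears, which is the point made above about not waiting for a vendor release.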
