|
IDS
mailing list archives
Re: RE: IDS vs. IPS deployment feedback
From: Jean-Philippe Luiggi <jp.luiggi () free fr>
Date: Thu, 30 Mar 2006 09:56:18 -0500
On Wed, Mar 29, 2006 at 06:50:57PM +0530, Devdas Bhagat wrote:
On 28/03/06 08:46 -0800, Andrew Plato wrote:
An IPS looks at stuff on the wire, decides what is bad, and blocks it.
A real firewall looks at stuff on the wire, decides what is good, and
allows it. A real firewall hooks into everything (servers, network
equipment, desktops...).
Once you have a firewall in place, you need a system which analyses logs
and traffic which gets through your firewall.
Also - you cannot patch your way to security. Patching merely plugs the
holes you know about. There are, at any given time, hundreds if not
thousands of holes you don't know about. Good IPS manufacturers are
deploying protections before exploits hit the public.
Hello All,
I agree with both of you.
Running a network without both passive and dynamic protections makes no sense.
After all, the so called "defense in depth" concept is well known.
The main problem (i see) with both IPS/IDS is the tuning, running the correct "up
to date" rules is mandatory, we rely on them.
But we may (too) add another layer, something likes "NBAD" solutions,
detecting abnormal traffic may be worth. Imagine a spyware running some sort
of tunneling over https. How both IDS/IPS will detect this one ? is is
possible ?
I think we may (speaking at the wire level) use a good mix with all the
solutions we saw.
Best regards.
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
- Re: IDS vs. IPS deployment feedback, (continued)
|
Intro
