IDS mailing list archives

Re: Hi, I want to study IPS


From: Greg Martin <greg () ddos com>
Date: 14 May 2004 18:13:02 -0000

In-Reply-To: <000101c438ab$3fda2300$9b97a8c0@cleoa>


IDS and IPS are using the same tools and same abilities. They are
actually the same. IPS came out as a "catch phrase" as a "different"
solution than IDS. Please refer to the recent posting from "Frank
Knobbe" and "Jason" as a reference. Don't get fooled by terminology
and remember there is no "one" solution. Many of us use 4 or 5 types
of systems to pull everything together into an IDS solution. Best of
luck with your task. HAGO.


Wil Veno
wjveno () shaw ca
shawn () whitehats ca

Wil, you are right that some IPS products use similar techniques as IDS (inline packet filtering with patterns) but not 
all of them use that technique.  Some vendors use a baseline of the network and take action if the baseline changes 
drastically.  Some use a 'negative space' technique which allows only valid traffic and considers all other traffic as a 
DoS and drops it completely.  The main difference is that IPS takes action as proactively as possible where an IDS is 
designed to monitor and alert.  You can modify some IDS systems to have IPS features with varying results, but if we 
don't have them categorized with different names it would be rather confusing.  You should never try to have one 
machine do everything; that not only limits your functionality but creates a single point of failure.  Where an IDS can 
have sensors all over the network and external links, you generally only want an IPS protecting your border.

Greg
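The three detection approaches Greg lists (pattern matching, a network baseline with action on drastic change, and a "negative space" allow-list) and the IDS-versus-IPS distinction he draws can be seen side by side in a small simulation. The following is an added example written for this archive page, not code from either poster or from any product; the allow-list, signature, per-port baseline figures and the packet records are all constructed for illustration, and the `Sensor`, `Packet`, `sample_traffic` and `run_comparison` names are the example's own.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    proto: str
    dst_port: int
    payload: bytes


# Constructed policy data for the example (not taken from any real product).
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # "negative space" allow-list
SIGNATURES = {b"../../": "directory-traversal-pattern"}       # classic pattern matching
BASELINE_PER_WINDOW = {80: 10, 443: 10, 53: 2}                # expected packets per port per window


class Sensor:
    """One detection engine, two postures: inline=False only alerts (IDS),
    inline=True sits in the traffic path and drops what it flags (IPS)."""

    def __init__(self, inline, factor=3.0):
        self.inline = inline
        self.factor = factor          # how far above baseline counts as "drastic"
        self.port_counts = Counter()  # observed packets per destination port this window
        self.alerts, self.passed, self.dropped = [], [], []

    def reasons(self, pkt):
        """Return the list of reasons this packet is suspicious (empty if clean)."""
        hits = []
        # Negative space: anything not explicitly valid is treated as invalid.
        if (pkt.proto, pkt.dst_port) not in ALLOWED_SERVICES:
            hits.append("negative-space: service not on allow-list")
        # Pattern matching on payload, the technique shared with classic IDS.
        for pattern, name in SIGNATURES.items():
            if pattern in pkt.payload:
                hits.append(f"signature: {name}")
        # Baseline: flag once a port's volume exceeds factor x its expected count.
        self.port_counts[pkt.dst_port] += 1
        expected = BASELINE_PER_WINDOW.get(pkt.dst_port)
        if expected is not None and self.port_counts[pkt.dst_port] > expected * self.factor:
            hits.append(f"baseline: port {pkt.dst_port} exceeds {self.factor}x expected volume")
        return hits

    def process(self, pkt):
        """Apply the verdict: an IDS records an alert and lets the packet through,
        an IPS records the same alert but drops the packet."""
        hits = self.reasons(pkt)
        if hits:
            self.alerts.append((pkt.src, pkt.dst_port, hits))
            if self.inline:
                self.dropped.append(pkt)
                return "drop"
        self.passed.append(pkt)
        return "pass"


def sample_traffic():
    """Constructed window of traffic: normal HTTPS, one traversal probe,
    one connection to a service not on the allow-list, and a DNS burst well above baseline."""
    pkts = [Packet("10.0.0.5", "tcp", 443, b"GET /index.html") for _ in range(3)]
    pkts.append(Packet("10.0.0.9", "tcp", 80, b"GET /../../config"))
    pkts.append(Packet("10.0.0.9", "tcp", 23, b"login"))
    pkts += [Packet("10.0.0.7", "udp", 53, b"query example.com") for _ in range(10)]
    return pkts


def run_comparison(traffic=None):
    """Run the same traffic through an IDS-posture and an IPS-posture sensor
    and summarise how each one behaved."""
    if traffic is None:
        traffic = sample_traffic()
    result = {}
    for name, inline in (("ids", False), ("ips", True)):
        sensor = Sensor(inline=inline)
        for pkt in traffic:
            sensor.process(pkt)
        result[name] = {
            "alerts": len(sensor.alerts),
            "passed": len(sensor.passed),
            "dropped": len(sensor.dropped),
        }
    return result


if __name__ == "__main__":
    for mode, stats in run_comparison().items():
        print(mode, stats)
```

Both sensors raise the same six alerts on the constructed window; the IDS passes all fifteen packets, while the IPS drops the six it flagged. That is the whole difference Greg describes: the detection logic is shared, the posture is not. The simulation also shows why he keeps the IPS at the border: a baseline or allow-list verdict that is merely noisy at an interior monitoring sensor becomes lost traffic once the same engine is inline.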

