Actually... It is either-or when it comes to being in-line. Why, you ask? 1) Cost and 2) Infrastructure... both of which I have to fight for. From a cost perspective... I can deploy IDS without really purchasing anything new... I recycle some hardware, put on Linux and throw Snort on it and I am good to go. IPS... I don't think so.
Infrastructure wise... it's a much easier sell to deploy passive taps that just copy data than it is to put an IPS inline which can possibly have a bad effect on traffic. I would prefer both... IDS inline with IPS to use as validation of IPS blocking or to be able to more adequately create IPS signatures (by taking packet captures with Ethereal or something).

-Hassan

--- Frank Knobbe <[EMAIL PROTECTED]> wrote:

> > but I'll take IPS wherever I can get it thank you. If one can't afford IPS... then I guess going the forensics only route is better than nothing.
>
> If you can't get apple you take an orange? Remember, these are different tools. You can very well have an IPS as a filter and an IDS to verify that the filter works. It's not an either-or situation. Different tools for a different job.
>
> Cheers,
> Frank
>
> --
> Ciscogate: Shame on Cisco. Double-Shame on ISS.
