IDS is nothing w/out active monitoring. only probably good for forensic. ALso IDS w/ active functionality has been around for awhile, it just hasn't work 100% (sending Resets, or running custom scripts)
IPS hmm.. you really have to do thorough testing such as bypass functionality (is the box gonna go down when its being patched, when link is lost and such) some vendor's bypass unit doesn't kick in for a good 15 ~30 seconds. some have them built in to the actual IPS (proventia G100) most IDS's will also have a 'simulation mode' where the logs will show that its blocking but its not actually blocking off the connections. IPS's should be treated like firewalls, if an IPS goes down with out a bypass there goes your network... Another thing w/ IPS is u have to have a vendor who is going to release signature updates promptly. Go w/ a protocol anomaly based + stateful signature IPS and a good bypass unit. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
