Tim Holman wrote:
> 2) Problems with false positives, as by using pattern matching
> signatures, there is always a chance that these patterns also appear
> in valid traffic
Huh?? "IDS have false positives and IPS don't"??? Yeah - right.
The only way that statement could be true is if the IPS had zero rules
loaded. One of the big differences between IDS and IPS is that an IDS
allows you to run with riskier rules than an IPS. As an IPS blocks - any
False Positive is a Bad Thing. A FP with an IDS is just another alert.
IPS tend to run with a fraction of the rules that an IDS uses. Try
explaining to your HR Manager why your IPS just blocked the payroll
server due to some half-assed antispyware rule. "Conservative" is a word
to use WRT IPS.
> 3) Management overheads. An IDS can only be a reasonably effective
> prevention method if there is someone on hand 24/7 to monitor logs and
> take immediate action on intrusions. Even then, the intrusion has
> got in, as admins very rarely use the active blocking features of an
> IDS (namely sending RST packets to kill connections, or modifying
> upstream ACLs), as these are too likely to have an effect on valid
> traffic
?? An IDS needs to be managed, but an IPS doesn't? Must be turned off
then ;-)
> 4) There is absolutely no protection for rate-based attacks (SYN,
> TCP, UDP floods)
Yup - IPS have paid more attention to that alright.
> 5) Without maintaining a L3/4 connection/state table, there is no way
> an IDS can be truly stateful. 100% statefulness means that everything
> from the initial SYN to the final RST/FIN packet of a connection is
> stored in a connection table. This requires the device to be INLINE,
> and operating at L3. This is the only way a protection device can
> provide effective defence against L3 attacks. An offline IDS cannot
> do this.
??? IDS cannot be stateful??? Sorry - they can.
> I would recommend looking at IPS products instead, so something that
> you can position inline and get immediate value from.
I'd recommend an IPS with IDS functionality myself. Block what you are
confident with, alert on the rest
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
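As an added illustration of the two points argued above (a stateful inline device keeps a connection table from the initial SYN to the closing FIN/RST, and an IPS should only block on rules it is confident in while alerting on the rest), here is a small Python model. It is example code written for this page, not something from either poster or from any IDS/IPS product; the packet sequence, the rule names and the marker string are constructed, and the model follows only the client side of the handshake.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # client-side TCP flags: "S", "A", "F" or "R"
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes
    action: str         # "drop" blocks inline (IPS); "alert" only logs (IDS)


class InlineEngine:
    """Tracks client-side TCP state and applies rules with per-rule actions.

    Simplification (assumption): only the client's packets are modelled, so the
    handshake is SYN -> ACK -> data and the server's SYN/ACK is not shown.
    """

    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = {}      # (src, dst, dport) -> SYN_SENT | ESTABLISHED | CLOSED
        self.alerts = []     # (rule name, src) for every match, drop or alert
        self.dropped = []    # (packet, reason) for everything blocked

    def _track(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.conns[key] = "SYN_SENT"
        elif key in self.conns and self.conns[key] != "CLOSED":
            if pkt.flags in ("F", "R"):
                self.conns[key] = "CLOSED"           # connection torn down
            elif pkt.flags == "A" and self.conns[key] == "SYN_SENT":
                self.conns[key] = "ESTABLISHED"      # client completed the handshake
        return self.conns.get(key)

    def process(self, pkt):
        """Return "pass" or "drop" for one packet, recording alerts as it goes."""
        state = self._track(pkt)
        if state != "ESTABLISHED" and pkt.payload:
            # Data with no tracked handshake behind it: an inline stateful
            # device has nothing to attach it to, so it does not forward it.
            self.dropped.append((pkt, "no-connection-state"))
            return "drop"
        for rule in self.rules:
            if rule.pattern in pkt.payload:
                self.alerts.append((rule.name, pkt.src))   # every match is logged
                if rule.action == "drop":
                    self.dropped.append((pkt, rule.name))  # only "drop" rules block
                    return "drop"
        return "pass"


RULES = [
    # High-confidence signature (constructed marker string): safe to block inline.
    Rule("constructed-exploit-marker", b"EXAMPLE-EXPLOIT-MARKER", "drop"),
    # Loose heuristic that also matches legitimate traffic: alert only.
    Rule("loose-spyware-heuristic", b"update", "alert"),
]


def run_demo(rules=RULES):
    """Feed a constructed packet sequence through the engine and return
    (verdicts, alerts, drop reasons) so the outcome can be inspected."""
    eng = InlineEngine(rules)
    client, payroll, web = "10.0.0.5", "10.0.0.20", "10.0.0.30"   # constructed hosts
    packets = [
        # Legitimate payroll session whose request happens to contain "update".
        Packet(client, payroll, 443, "S"),
        Packet(client, payroll, 443, "A"),
        Packet(client, payroll, 443, "A", b"POST /payroll/update HTTP/1.1"),
        Packet(client, payroll, 443, "F"),
        # Session carrying the high-confidence marker.
        Packet(client, web, 80, "S"),
        Packet(client, web, 80, "A"),
        Packet(client, web, 80, "A", b"GET /EXAMPLE-EXPLOIT-MARKER HTTP/1.1"),
        # Stray data with no handshake in the connection table.
        Packet("10.0.0.9", web, 80, "A", b"GET / HTTP/1.1"),
    ]
    verdicts = [eng.process(p) for p in packets]
    return verdicts, eng.alerts, [reason for _, reason in eng.dropped]


def run_demo_with_loose_drop():
    """Same traffic, but with the loose heuristic promoted to a blocking rule:
    the false positive now takes the payroll request down with it."""
    loose_as_drop = [Rule(r.name, r.pattern, "drop") for r in RULES]
    return run_demo(loose_as_drop)[0]


if __name__ == "__main__":
    print(run_demo())
    print(run_demo_with_loose_drop())
```

With the loose heuristic left on "alert", the payroll request is logged and forwarded; switching that one rule to "drop" is enough to block the payroll server, which is the conversation with the HR manager the reply above describes.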