Sourcefire's IS3000 is an IPS if employed in that mode.
Joel
On Oct 13, 2005, at 7:31 AM, Tim Holman wrote:
Hi Jonathan,
Wouldn't you rather block bad traffic, rather than detect it?
Most companies are moving away from IDS as a protection mechanism,
because:
1) It only detects, and doesn't effectively block intrusions
2) Problems with false positives, as by using pattern matching
signatures, there is always a chance that these patterns also
appear in valid traffic
3) Management overheads. An IDS can only be a reasonably
effective prevention method if there is someone on hand 24/7 to
monitor logs and take immediate action on intrusions. Even then,
the intrusion has got in, as admins very rarely use the active
blocking features of an IDS (namely sending RST packets to kill
connections, or modifying upstream ACLs), as these are too likely
to have an effect on valid traffic
4) There is absolutely no protection for rate-based attacks (SYN,
TCP, UDP floods)
5) Without maintaining a L3/4 connection/state table, there is no
way an IDS can be truly stateful. 100% statefulness means that
everything from the initial SYN to the final RST/FIN packet of a
connection is stored in a connection table. This requires the
device to be INLINE, and operating at L3. This is the only way a
protection device can provide effective defence against L3
attacks. An offline IDS cannot do this.
I would recommend looking at IPS products instead, so something
that you can position inline and get immediate value from.
If you feel the Cisco IDS is getting a little tired, then an IPS
will also help take the load off it, by getting rid of Internet
white noise, providing additional firewall filtering, and also
defence against rate-based attacks.
A true IPS will focus on defining what is GOOD traffic, and
assuming all else is BAD (and dropping it). By doing this, zero-day
attacks can virtually be eliminated, as they all ultimately
rely on abuse of a valid protocol in the hope of slipping past your
protection mechanisms and onto your network.
This works quite well in conjunction with an IDS, that focuses on
searching traffic for badness.
Replacing like for like (IDS for IDS) is not going to give you much
value, and even the market analysts are recommending against it.
IDS isn't dead. Far from it, but use it for what it's good for -
DETECTION and FORENSICS, and not as a device that can insure your
network against rate-based and zero-day attacks.
Regards,
Tim
----- Original Message -----
From: "Jonathan Gauntt" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, October 12, 2005 5:57 PM
Subject: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor
Hi,
We are currently running a Cisco IDS 4250 that monitors our internal
traffic. We essentially use this device for historical reporting because we
are a medical-oriented facility with at least 100 3rd party connections to
us besides the 8000 employees.
I am considering upgrading the Cisco IDS 4250 to the XL to handle higher
throughput but have been evaluating the Sourcefire IS3000 and their RNA
sensor.
I have the ability to purchase the Sourcefire unit or upgrade the 4250.
Sourcefire claims that they are superior with stateful IDS inspection and
an overall better product.
Does anyone have any thoughts on these two products? I have about $100k in
my budget to spend.
Thanks,
Jonathan
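Tim's points 4 and 5 above (no protection against SYN floods without state, and "100% statefulness" meaning every segment from the first SYN to the last FIN/RST is judged against a connection table) are easier to see in code. The following is an added example written for this page, not code posted by anyone in the thread and not how the Cisco or Sourcefire products work internally: a toy inline L3/4 connection-state table in Python that passes or drops each TCP segment according to the state of its connection and counts half-open SYNs per source. The packet list is constructed, the addresses are private/documentation ranges, and the half-open limit of 3 is an arbitrary assumption chosen so that the sample trips it.

```python
from collections import defaultdict

# Constructed sample traffic (not a real capture). Each packet is
# (src "ip:port", dst "ip:port", TCP flags as letters, payload bytes).
SAMPLE = [
    ("10.0.0.5:40000", "10.0.0.1:80", "S", 0),     # three-way handshake
    ("10.0.0.1:80", "10.0.0.5:40000", "SA", 0),
    ("10.0.0.5:40000", "10.0.0.1:80", "A", 0),
    ("10.0.0.5:40000", "10.0.0.1:80", "PA", 120),  # data on an established flow
    ("10.0.0.1:80", "10.0.0.5:40000", "FA", 0),    # orderly close, both sides
    ("10.0.0.5:40000", "10.0.0.1:80", "FA", 0),
    ("10.0.0.9:5555", "10.0.0.1:80", "PA", 40),    # data with no handshake at all
    ("203.0.113.7:1", "10.0.0.1:80", "S", 0),      # half-open SYNs, never completed
    ("203.0.113.7:2", "10.0.0.1:80", "S", 0),
    ("203.0.113.7:3", "10.0.0.1:80", "S", 0),
    ("203.0.113.7:4", "10.0.0.1:80", "S", 0),
]


class StateTable:
    """Inline connection table: every segment is judged against the state
    its connection is in, from the initial SYN to the final FIN/RST."""

    def __init__(self, half_open_limit=3):  # limit is an assumed toy value
        self.conns = {}                       # flow key -> {"state", "initiator"}
        self.half_open = defaultdict(int)     # source IP -> SYNs awaiting completion
        self.half_open_limit = half_open_limit
        self.alerts = []

    @staticmethod
    def _key(src, dst):
        return tuple(sorted((src, dst)))      # same key for both directions

    def process(self, src, dst, flags, payload):
        key = self._key(src, dst)
        conn = self.conns.get(key)
        src_ip = src.split(":")[0]

        if "R" in flags:                      # RST tears down whatever exists
            if conn and conn["state"] in ("SYN_SENT", "SYN_RECV"):
                self.half_open[conn["initiator"].split(":")[0]] -= 1
            self.conns.pop(key, None)
            return "PASS"

        if "S" in flags and "A" not in flags:  # client SYN: rate check per source
            if self.half_open[src_ip] >= self.half_open_limit:
                self.alerts.append(f"SYN flood suspected from {src_ip}")
                return "DROP"
            self.conns[key] = {"state": "SYN_SENT", "initiator": src}
            self.half_open[src_ip] += 1
            return "PASS"

        if "S" in flags and "A" in flags:      # server SYN/ACK must answer a SYN
            if conn and conn["state"] == "SYN_SENT" and src != conn["initiator"]:
                conn["state"] = "SYN_RECV"
                return "PASS"
            self.alerts.append(f"unsolicited SYN/ACK from {src}")
            return "DROP"

        if conn is None:                       # ACK/data/FIN for an unknown flow
            self.alerts.append(f"out-of-state segment {src} -> {dst} ({payload} bytes)")
            return "DROP"

        if conn["state"] == "SYN_RECV" and src == conn["initiator"]:
            conn["state"] = "ESTABLISHED"      # final ACK completes the handshake
            self.half_open[src_ip] -= 1

        if "F" in flags:                       # orderly close: first FIN, then second
            if conn["state"] == "ESTABLISHED":
                conn["state"] = "CLOSING"
            elif conn["state"] == "CLOSING":
                self.conns.pop(key, None)
            return "PASS"

        if conn["state"] not in ("ESTABLISHED", "CLOSING"):
            self.alerts.append(f"data before handshake completed {src} -> {dst}")
            return "DROP"
        return "PASS"


def run(packets):
    """Feed packets through a fresh table; return (verdicts, alerts)."""
    table = StateTable()
    verdicts = [table.process(*pkt) for pkt in packets]
    return verdicts, table.alerts


if __name__ == "__main__":
    verdicts, alerts = run(SAMPLE)
    for pkt, verdict in zip(SAMPLE, verdicts):
        print(verdict, pkt)
    for alert in alerts:
        print("ALERT:", alert)
```

Two things in the output make Tim's argument concrete. The 40-byte segment from 10.0.0.9 is dropped with no signature at all, purely because no handshake preceded it; a sniffer without a table would have to find a pattern in those 40 bytes. And the fourth SYN from 203.0.113.7 is dropped because three earlier ones from the same source were never completed, which is the per-source half-open count a rate-based defence needs and an offline sensor has no position to enforce.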
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------