Sorry, my last email managed to escape from my draft folder before I'd finished, it was a long day!
My suggestion would be a compromise (no pun intended): test products on a dev network and whittle down the contenders; you will find showstoppers for certain products that would eliminate them from further testing. I'd be cautious about testing on a live network; however, I would suggest most strongly that you do NOT purchase without having tried the product on a live network. As mentioned by others, you can reduce the risk by deploying a passive policy. Check out the false positive rate and ensure that it is tolerable, but give the product a fair chance and devote a great deal of time to tuning. A major requirement is to be able to tune the IPS in an extremely granular fashion, minimizing the reduction in sensitivity that tuning brings.

Hope this helps

Andy Cuff

> VT,
>
> Andy Cuff
> Chief Technology Officer
> Computer Network Defence Ltd
> http://www.securitywizardry.com
>
> 07010 709014
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: 29 October 2005 20:40
> > To: [email protected]
> > Subject: Re: Intrusion Prevention requirements document
> >
> > Another question for everyone,
> > When you brought in each vendor for evaluation, did you configure a test
> > network for them or did you use your production network? My 1st concern
> > is keeping my job :o) If I test in production, I could impact production
> > traffic. If I don't test in production, how can I best ensure that I
> > won't have problems with custom applications, older IP stacks which could
> > be an issue if RFC compliance checks are done, etc.
> > The vendor answer is always, "don't turn on blocking and just monitor."
> > Is that a reality? I'd like some testimonials to this and some real life
> > instances of what has been done from unbiased sources.
> >
> > Thanks,
> >
> > VT
> >
> >
> > > All,
> > >
> > > I work on a team that manages signature and behavioral based intrusion detection
> > > systems today. We have been tasked with reviewing IPS (or whatever vendor name
> > > acronym you prefer) in '06. Our normal process is to put together a base
> > > requirements document to weed out vendors in the first round through a paper
> > > exercise and then bring in the best we can identify. My question is, has
> > > anyone developed a matrix that identifies key qualifiers in an IPS solution
> > > (e.g. in-line, fails open/closed, reporting features, etc.). If so, could you
> > > provide links or the documents?
> > >
> > > If not, what categories are most significant to consider in your expert
> > > opinions? What reasons did you choose the solution you have? What would you
> > > consider if you had to choose over again, etc?
> > >
> > > Thanks in advance for your responses.
> > >
> > > VT
> > >
> > > ------------------------------------------------------------------------
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it
> > > with real-world attacks from CORE IMPACT.
> > > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > > to learn more.
> > > ------------------------------------------------------------------------
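The reply above recommends running a candidate IPS in a passive (monitor-only) policy, checking that the false positive rate is tolerable, and then tuning it in a granular fashion so that sensitivity is not thrown away. The script below is an added example, not code from anyone in this thread or from any IPS vendor. It assumes you have exported the alerts produced in passive mode and that an analyst has labelled each one as a true positive ("tp") or false positive ("fp"); the alert records, signature IDs and addresses are constructed sample data. It computes the per-signature false positive rate and then contrasts two tuning strategies: disabling every noisy signature outright versus suppressing only the exact (signature, source, destination) tuples that produced repeated false positives. The granular strategy is the one the thread argues for, and the numbers show why: it removes false positives without discarding the true positives that the noisy signatures also caught.

```python
"""
Passive-mode IPS evaluation helper (added example, not from the mailing-list thread).

Input: alerts recorded while the IPS runs in monitor-only (non-blocking) mode,
each with an analyst verdict.  Output: per-signature false positive rates and a
comparison of coarse tuning (disable the signature) against granular tuning
(suppress only the offending source/destination tuple).
"""
from collections import Counter

# Constructed sample alerts: (signature_id, src, dst, analyst_verdict).
# SID-1001 fires repeatedly on an internal host's legitimate traffic but also
# once on a genuine event from an outside address; SID-3003 is pure noise.
SAMPLE_ALERTS = [
    ("SID-1001", "10.0.0.5", "10.0.1.20", "fp"),
    ("SID-1001", "10.0.0.5", "10.0.1.20", "fp"),
    ("SID-1001", "10.0.0.5", "10.0.1.20", "fp"),
    ("SID-1001", "192.0.2.9", "10.0.1.20", "tp"),
    ("SID-2002", "198.51.100.3", "10.0.1.30", "tp"),
    ("SID-2002", "10.0.0.7", "10.0.1.30", "fp"),
    ("SID-3003", "10.0.0.8", "10.0.1.40", "fp"),
    ("SID-3003", "10.0.0.9", "10.0.1.40", "fp"),
]


def fp_rate_per_signature(alerts):
    """Return {sid: (fp_count, total_count, fp_rate)} for every signature seen."""
    totals, fps = Counter(), Counter()
    for sid, _src, _dst, verdict in alerts:
        totals[sid] += 1
        if verdict == "fp":
            fps[sid] += 1
    return {sid: (fps[sid], totals[sid], fps[sid] / totals[sid]) for sid in totals}


def noisy_signatures(alerts, threshold=0.5):
    """Signatures whose false positive rate exceeds the (assumed) tolerance threshold."""
    rates = fp_rate_per_signature(alerts)
    return sorted(sid for sid, (_fp, _total, rate) in rates.items() if rate > threshold)


def granular_suppressions(alerts, min_fp=2):
    """(sid, src, dst) tuples that produced at least min_fp false positives and no true
    positive; these are safe to suppress without touching the signature elsewhere."""
    fps, tps = Counter(), Counter()
    for sid, src, dst, verdict in alerts:
        key = (sid, src, dst)
        (fps if verdict == "fp" else tps)[key] += 1
    return {key for key, n in fps.items() if n >= min_fp and tps[key] == 0}


def apply_tuning(alerts, disabled_sids=(), suppressions=()):
    """Filter alerts as the tuned IPS would: drop disabled signatures and suppressed tuples."""
    kept = []
    for alert in alerts:
        sid, src, dst, _verdict = alert
        if sid in disabled_sids or (sid, src, dst) in suppressions:
            continue
        kept.append(alert)
    return kept


def evaluate(alerts):
    """Count true and false positives that would still be raised."""
    return {
        "tp": sum(1 for a in alerts if a[3] == "tp"),
        "fp": sum(1 for a in alerts if a[3] == "fp"),
    }


def compare_strategies(alerts):
    """Baseline versus coarse (disable signature) versus granular (suppress tuple) tuning."""
    coarse = apply_tuning(alerts, disabled_sids=set(noisy_signatures(alerts)))
    fine = apply_tuning(alerts, suppressions=granular_suppressions(alerts))
    return {
        "baseline": evaluate(alerts),
        "disable_signature": evaluate(coarse),
        "granular_suppress": evaluate(fine),
    }


if __name__ == "__main__":
    for sid, (fp, total, rate) in sorted(fp_rate_per_signature(SAMPLE_ALERTS).items()):
        print(f"{sid}: {fp}/{total} false positives ({rate:.0%})")
    for name, result in compare_strategies(SAMPLE_ALERTS).items():
        print(f"{name:18s} tp={result['tp']} fp={result['fp']}")
```

On the constructed data, disabling the two noisy signatures cuts false positives from 6 to 1 but also silences the one genuine SID-1001 detection, while the granular suppression keeps both true positives and still removes half the noise. The remaining SID-3003 alerts come from two different sources, which is the point at which you would decide whether the product lets you key a suppression on destination alone or forces you back to disabling the signature; that degree of granularity is exactly what the reply says to test for.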
