>>1. Immature Technology
>>
>>IPS is far from immature. (snip)

There's more to technology maturity than just time. 
It must have been in use as well :)
And it hasn't really been used afaik on a larger scale for the last two years 
or so.

>>2. False Positives
>>This is ultimately an issue of tuning.  (snip)
As far as I am concerned there isn't much difference between IDS and IPS in the 
number of false positives. 

>>If you think you're going to drop an IPS inline, slap some rules on it, and 
>>never touch it again - you shouldn't be getting an IPS. (snip)

Or an IDS for that matter...

>>And frankly, what is worse - a few POSSIBLE disruptions due to false 
>>positives, or getting hacked and 0wn3d and losing your business.

I for one worry more about downtime than getting hacked. If I am well 
organised, patched and secured in depth, the possibility of getting
hacked is very low. A 'leet hacker would probably operate under an IPS/IDS 
detection range anyway.


>>With an IPS, when you see a really nasty alert, you can take note and move 
>>along, because you know the IPS blocked it. 

BEFORE you add a rule to your IPS/IDS you patch for the vulnerability it 
detects and/or make sure it doesn't pass your firewall. Then you don't need 
any IPS to block it.

>>Also, I think the DOS angle is WAY overhyped. It's frankly a weak excuse.

By adding IPS, you open up for DoS attacks that were not there before. Why 
increase risk when you really do not have to? Imho it is IPS that is WAY 
overhyped :)


>>IDS Dead?

>>IDS may not be dead, but its value is diminishing.

IDS may be passive but a security analyst who knows his job is not. In fact by 
placing an IPS in your network you might even introduce a false sense of security 
into your organisation.

"Oh, I thought the IPS was supposed to block that"


>>The unexamined IDS is not worth having, to paraphrase good old Socrates.

But the unexamined IPS is ???!


>>These are, of course, my opinions. And naturally, I have a vested interest 
>>in people buying more IPSs - because I sell them.

I rest my case :)
