<snip> Firewalls and IPS has the same characteristics in that if either one stops working, traffic goes down as well. So by installing an IPS you have two devices that can stop your connection. By using an IDS you only have one device (the firewall) that can shut down your network. </snip> The above statement isn't entirely correct. Most modern IPS have a 'fail-over' feature that allows traffic to pass even if the IPS is overloaded or powered off. If deployed correctly an IPS should not completely shut down a network.
One of the misconceptions some people have is to believe that deploying and maintaining an IPS requires less work than an IDS. Both systems require knowledgable personnel to tune and customize the rule sets for their environment. If you don't have the right people for an IDS you won't be able to separate legitimate threats from false-postivies. If you don't have the right people for an IPS you will end up blocking legitimate traffic. To me neither scenario is acceptable. As to the post topic, I've used both IDS and IPS systems and found that a combination of both works well for my environment. IPSes can work well in front of or behind your perimeter firewall. They also work well to separate your DMZ from Corp networks. IDS can work well inside your DMZ or Corp networks. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
