Hi,
My views are embedded in the text below.
At 09:58 PM 3/29/2006, [EMAIL PROTECTED] wrote:
The title of the discussion is IDS vs. IPS deployment feedback.
Both IDS and IPS are neither stronger nor weaker than the rules that control them.
As far as I know you could run the same type of rules (signature and/or anomaly based) on an IDS as on an IPS. Thus an IDS could detect any network or host activity as well as an IPS could.
The main difference is in what you do with the information. I'd rather have an experienced analyst implementing the security policy than a machine. Most IDSes have implemented ways to stop traffic through the firewall.
AFAIK it hasn't been much used because it opens up a considerable DoS vulnerability. If I know what rules shut down connections, I can craft packets that shut down valid connections.
I think this is where an IPS differs from an IDS+firewall combination. Whenever an IDS detects some suspicious packets from a spoofed IP (sent by some attacker), it directs the firewall to form an ACL to stop that connection. This ACL is not dynamic (correct me if I am wrong here). Therefore, if the same IP is used by some genuine users later on, access is denied on the basis of that ACL, i.e. DoS. Now in the case of an IPS, the decision is taken per packet, per connection. So, if some IP is used by some attacker to launch some attack, it is blocked, whereas the same IP is allowed if it is used by some genuine user. There are no static ACLs in an IPS. Of course, you can always define rules on the basis of an IP/port combination, which work just like ACLs.
But still I believe that even if we are using an IPS, we can't ignore the IDS. The reason is that we still don't have 100% confidence in attack detection. There are false positives. As an IPS is an inline device (in most deployments), wrong rules will affect the traffic. Therefore, an IDS should be running with all the rules, whereas the IPS should be loaded only with rules about which we are highly confident.
I shall be happy to know others' views on this.
Regards,
Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta, Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
If installed correctly, an IDS is a network/host recording device that is very resistant to evidence manipulation. More so at least than an IPS that must be installed inline.
Firewalls and IPS have the same characteristics in that if either one stops working, traffic goes down as well. So by installing an IPS you have two devices that can stop your connection. By using an IDS you only have one device (the firewall) that can shut down your network.
> This is like saying, "by buying a car, you open yourself up to an auto accident." Well, sure. There is risk in everything. It's absurd to think that just because something has risk, it's useless.
I would rather buy a cheap car that I can steer myself than trust an expensive car running on autopilot :)
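As an added illustration of the static-ACL versus per-packet point raised in the thread (this is example code written for this page, not anything posted by the participants): a toy model of an IDS that pushes a deny entry to a firewall, the same with a time-limited entry as a common mitigation, and an inline IPS that decides per packet. The signature, the traffic and the addresses (RFC 5737 documentation ranges) are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    t: int          # arrival time on a logical clock (seconds)
    src: str
    payload: bytes

# Stand-in for a signature rule: flags payloads carrying a constructed marker.
def signature_matches(pkt: Packet) -> bool:
    return b"EVIL" in pkt.payload

class IdsPlusFirewall:
    """IDS reports a hit; the firewall installs a deny entry for the source.
    ttl=None models the static ACL discussed in the thread (never removed);
    a finite ttl is the usual mitigation and only shortens the window in
    which a spoofed packet denies service to a genuine user of that address."""
    def __init__(self, ttl: Optional[int] = None):
        self.ttl = ttl
        self.deny_until: Dict[str, float] = {}
    def handle(self, pkt: Packet) -> str:
        if self.deny_until.get(pkt.src, -1.0) >= pkt.t:
            return "DROP(acl)"
        if signature_matches(pkt):
            self.deny_until[pkt.src] = float("inf") if self.ttl is None else pkt.t + self.ttl
            return "DROP(acl)"
        return "PASS"

class InlineIps:
    """Inline IPS decides per packet: only the matching packet is dropped,
    so a later benign packet from the same address is forwarded."""
    def handle(self, pkt: Packet) -> str:
        return "DROP(ips)" if signature_matches(pkt) else "PASS"

def run(engine, packets: List[Packet]) -> List[str]:
    return [engine.handle(p) for p in packets]

# Constructed traffic: a crafted packet with a spoofed source, then legitimate
# requests from that same address 5 s and 600 s later.
TRAFFIC = [
    Packet(0,   "203.0.113.5", b"GET / HTTP/1.0 EVIL"),
    Packet(5,   "203.0.113.5", b"GET /index.html HTTP/1.0"),
    Packet(600, "203.0.113.5", b"GET /index.html HTTP/1.0"),
]

if __name__ == "__main__":
    print("static ACL :", run(IdsPlusFirewall(), TRAFFIC))      # all three dropped
    print("ACL ttl=300:", run(IdsPlusFirewall(ttl=300), TRAFFIC))  # third passes
    print("inline IPS :", run(InlineIps(), TRAFFIC))            # only the first dropped
```

The static-ACL engine keeps dropping the genuine requests, which is the self-inflicted DoS the thread describes; the inline IPS drops only the packet that actually matched.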
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------