Andrew Plato wrote:

> experience. Dropped packets happen when people try to ram 1000mbps
> through an IPS rated at 200Mbps.

Really ? And how is the thing "rated" in the first place ? Throughput depends on service time. Service time in a router is of very limited variability, in a firewall may vary, in a complex thing such as an IDS/IPS it varies wildly, depending on the traffic mix. So, you should specify WHAT TRAFFIC the IPS is being validated and measured on. Something that most companies won't do.

> They simply do not have the time or resources to baby an IDS and perform
> intricate security analysis.

And so they have the resources to put in-line an unknown device which needs tuning and which could cut off, accidentally, customers from revenue generating services ?

> And complex IDSs that generate 10000s
> of alerts and stop nothing are quickly ignored when the staff gets busy.

Instead, when each of those false alerts turns into a lost customer, no one complains. That's right :)

> This is just false. Firewalls and IPS assume much different things. A
> firewall is a static set of rules that say what is allowed and what is
> not allowed. That's it.

A misuse-based IPS is exactly the same thing. There's actually no difference.

> An IPS, on the other hand, lets everything through unless it does
> something that it knows is bad.

Aha ! GREEEEEEEEEAT IDEA ! One of the BESTEST in computer security ! BLACKLISTING ! Slide 1 of "Perimeter security 101" course: always begin from default deny and WHITELIST. Look it up on the CISSP books, Andrew, it's in there somewhere, I'm sure :)

> that is exactly what an IPS does. It can look at a stream and say: "it's
> HIGHLY unlikely that this gargantuan binary package in the middle of an
> ISAPI call is normal, so I am going to block it."

This is what a good anomaly based, intelligent IPS would do. Unfortunately, there's a shortage of good anomaly based IPS products out there :)

Stefano
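Added example, not part of the original post: a small queue simulation of the service-time argument in the message above. A single inspection engine that sustains 100,000 packets/s on its rating traffic is offered half that load, first with the rating mix and then with a mix in which 5% of packets need expensive inspection. The per-packet costs, buffer size and traffic mixes are constructed assumptions, not measurements of any product.

```python
import random
from collections import deque

# Constructed per-packet inspection costs (seconds); not measurements of any product.
RATING_MIX = [(1.00, 10e-6)]                 # benchmark traffic: every packet is cheap
REAL_MIX = [(0.95, 10e-6), (0.05, 400e-6)]   # 5% of packets need deep inspection

def capacity_pps(mix):
    """Sustainable packets/second = 1 / mean service time for this traffic mix."""
    return 1.0 / sum(frac * svc for frac, svc in mix)

def drop_fraction(mix, offered_pps, n_packets=100_000, buffer_pkts=256, seed=1):
    """Simulate one in-line inspection engine with a finite queue (Poisson arrivals).
    Returns the fraction of packets dropped because the queue was full."""
    rng = random.Random(seed)
    weights = [frac for frac, _ in mix]
    costs = [svc for _, svc in mix]
    in_system = deque()   # finish times of packets queued or in service
    now, dropped = 0.0, 0
    for _ in range(n_packets):
        now += rng.expovariate(offered_pps)
        # Retire every packet whose inspection finished before this arrival.
        while in_system and in_system[0] <= now:
            in_system.popleft()
        if len(in_system) >= buffer_pkts:
            dropped += 1          # queue full: an in-line device drops the packet
            continue
        # Service starts when the packet ahead finishes, or at once if idle.
        start = in_system[-1] if in_system else now
        in_system.append(start + rng.choices(costs, weights)[0])
    return dropped / n_packets

if __name__ == "__main__":
    offered = 50_000  # half of the figure obtained on the benchmark mix
    for name, mix in (("rating mix", RATING_MIX), ("real mix", REAL_MIX)):
        print(f"{name}: capacity {capacity_pps(mix):,.0f} pps, "
              f"drops at {offered:,} pps offered: {drop_fraction(mix, offered):.1%}")
```

The mean service time, not the cheapest packet, sets the sustainable rate, so a throughput figure only means something together with the traffic mix it was measured on.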
