On Feb 27, 2009, at 4:17 PM, Frank Knobbe wrote:

> I think too many people expect to buy an IDS/IPS off the shelf, read the
> manual, get it set up, and think the task is done. IDS/IPS boxes are
> tricky and require expertise to properly configure and use. If that
> expertise doesn't exist in your organization, hire someone that does
> have the expertise and can help not just implementing the IDS/IPS, but
> also assist creating a group that can actually manage and use it on a
> continuous basis.

This is a problem with the products, not the customers. The problem being that there is still too much IDS thinking inside the IPS. An IDS will tell you lots about what is on your network and what may be a threat or a problem. If you buy an IDS you want lots and lots of information and you should judge the product based on what it can detect and how well the UI allows you to navigate through the massive amount of data that will be logged.

The primary function of an IPS should be prevention. Clearly logs and analysis are interesting to folks that have the time, resources, and expertise to do it. However, these users are few. Most users want a product that will reliably stop "bad" things and let "good" things through. The definition of bad and good will vary based on risk profiles and tolerance for service interruption but that is what initial configuration addresses.

So, I *should* be able to purchase an IPS, read the manual, configure it according to my own risk profile, and then leave it alone. High-risk activity should be blocked. Benign traffic should be let through. Questionable traffic should be logged for later policy reviews. If I do not have the ability to continuously monitor the device then I should not have to do that. The device should regularly download updates and apply them based on my configuration. The only times I should be required to interact with the device are when good traffic is being blocked and I need to figure out why or when I log in to run a report on how well the device is doing.

Don't misunderstand, what I'm asking for is not easy. I used to design and build IDS and then IPS products. I know what the problems are and I know what the solutions are. Perhaps this explains my intolerance for the crap that is currently on the market. What I'm describing is possible with current technology and there are a number of companies that could deliver if they so chose.

-J
