IMHO I think that as you look at security devices you need to look at what you need to protect and why, as the type of device needed will change depending on what you are trying to do (fairly obvious, but read on!).
The needs of monitoring/protecting change very much depending on where on the network you are sat and what you want to monitor/protect. When I was at ISS (about 18 months ago now) we used to tout the figure that 70% of attacks come from inside the network, not out (and this was backed up by various FBI surveys etc.). However, I believe that this has changed quite significantly in the last 12-18 months. With the advent of hybrid worms and more automated attacks we have seen the number and the seriousness of attacks change; now you have about a 60/40 split, or even 70/30, outside to inside.

When you are looking to monitor internal users/networks then IDS is the way forward, as the important job is to a) determine what the employee is up to, and b) gather forensic information so that c) you can walk him down to HR with enough information for dismissal/warning or whatever your security policy dictates. So when 70% of your attacks are coming from internal users, you need an IDS.

However, as the types of attacks have changed, so has the response. If we look at the types of attacks that hit a 'gateway', then c. 80% are Nimda and worm related (i.e. automated attacks focussed on port 80) and DoS/DDoS attacks (SYN floods etc.) represent about another 10% [these are ISS figures I am using here; check out their State of the Internet Report created by ISS MSS]. So 90% of attacks that hit a gateway tend to be automated and can cause real damage in terms of real cost (Nimda attacks on web servers, worm scans and DDoS attacks eating up valuable bandwidth etc.), and there tend to be a lot of them! (An average IDS will pick up around 10,000 alerts a night from this type of activity.) So when you look to monitor/protect against attacks hitting your gateways, the important thing is not to generate 1000s of alerts telling you about all these automated attacks, but to actually stop them and to protect your assets (servers, bandwidth etc.) ...
so enters the IPS (Intrusion Prevention System). An IPS is all about stopping attacks that you know will not be false positives (URI worm attacks are a good example) and then just generating summary information, so that you can walk in on a Monday morning, look at the IPS and know that you were attacked (through automated attacks etc.) 10,000 times over the weekend, but none penetrated your gateways.

So I guess my point is, if you are looking at an I*S system, ask yourself what you want to monitor and why and where ... and this will tend to show you which is the best avenue/product you need (if you want some more info on this, check out the white paper in the last e-mail).

Cheers

Simon

____________________________________________
Simon Edwards
Technical Evangelist
Top Layer Networks
US Office : + 1 508 870 1300 (x230)
US Mobile : + 1 617 953 8764
UK Office : + 44 1483 243 549
UK Mobile : + 44 7971 959170
www: www.TopLayer.com
email: [EMAIL PROTECTED]
"Perfecting the Art of Network Security"
--------------------------------------------

-----Original Message-----
From: Dan Zubairi [mailto:[EMAIL PROTECTED]]
Sent: 26 November 2002 16:32
To: Glenn Ponich
Cc: [EMAIL PROTECTED]
Subject: Re: [ISSForum] Intrusion Detection vs Intrusion Prevention

There is a correlative difference here. The key in the whole scheme of IDS, perimeter security and the like is to prepare for and prevent attacks. So the information and knowledge gained from intrusion detection activities can be used to prepare for and prevent intrusions. For example, let's say you notice 100,000 attacks on port 111 every week. It would be wise to make sure no hostile traffic ever travels over port 111. This is using detection as an educational and research-driven approach to intrusion prevention.

-daniel zubairi

> With all the posts I have seen lately regarding the subject line is
> there a white paper available that explains the difference between the
> two and possible pros and cons of each?
> TYIA
>
> Glenn Ponich
> Network Security Administrator
> Sierra Telephone
> [EMAIL PROTECTED]

<----------------------------------->
Daniel F. Zubairi, Managing Partner
SydanTech LLC
------------------------------------
7272 Wisconsin Avenue, Suite 300
Bethesda, MD 20814
------------------------------------
PH: 301-530-8590
FX: 240-363-0659
CL: 240-832-5279
<----------------------------------->

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
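The two points the thread makes, the IPS "Monday morning" summary of automated attacks that were blocked and Dan's "100,000 hits on port 111, so block port 111" loop from detection into prevention, can be illustrated on a small alert feed. The script below is an added example written for this page, not code from any of the posters or from ISS or Top Layer. The log format, the sensor and signature names, the set of "safe to auto-block" signature classes and the hit threshold are all constructed assumptions; a real deployment would take these from its own sensor's alert export and tune the threshold to its traffic.

```python
"""Added example (not from the thread): summarise automated gateway attacks
the IPS way, keep every internal-sensor alert for forensics, and turn
repeated automated hits on one port into candidate perimeter block rules.
Log format, names and thresholds below are constructed for illustration."""

from collections import Counter, defaultdict

# Assumption: these signature classes are the "known not to be false
# positives" automated attacks the thread talks about (worm URIs, SYN floods,
# portmapper probes). Names are constructed, not a real vendor's catalogue.
AUTOMATED_SIGNATURES = {
    "HTTP_Nimda_URI",
    "HTTP_CodeRed_URI",
    "TCP_SYN_Flood",
    "RPC_Portmap_Probe",
}

# Constructed alert log. Fields: time|sensor|signature|src|dst|dport|action
# "gw-ips" is an inline gateway sensor, "int-ids" a passive internal sensor.
SAMPLE_ALERTS = """\
2002-11-23T02:14:05|gw-ips|HTTP_Nimda_URI|203.0.113.7|192.0.2.10|80|DROP
2002-11-23T02:14:06|gw-ips|HTTP_Nimda_URI|203.0.113.7|192.0.2.10|80|DROP
2002-11-23T02:15:11|gw-ips|HTTP_CodeRed_URI|198.51.100.4|192.0.2.10|80|DROP
2002-11-23T03:01:40|gw-ips|TCP_SYN_Flood|198.51.100.9|192.0.2.10|80|DROP
2002-11-23T03:02:02|gw-ips|RPC_Portmap_Probe|198.51.100.21|192.0.2.11|111|ALERT
2002-11-23T03:02:03|gw-ips|RPC_Portmap_Probe|198.51.100.22|192.0.2.11|111|ALERT
2002-11-23T03:02:04|gw-ips|RPC_Portmap_Probe|198.51.100.23|192.0.2.11|111|ALERT
2002-11-24T10:30:12|int-ids|SMB_Admin_Share_Access|10.0.5.44|10.0.1.2|445|ALERT
2002-11-24T10:31:50|int-ids|FTP_Login_Failed|10.0.5.44|10.0.1.3|21|ALERT
2002-11-24T10:32:01|int-ids|FTP_Login_Failed|10.0.5.44|10.0.1.3|21|ALERT
"""


def parse_alerts(text):
    """Parse pipe-separated alert lines; malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 7:
            continue
        ts, sensor, sig, src, dst, dport, action = fields
        alerts.append({"time": ts, "sensor": sensor, "signature": sig,
                       "src": src, "dst": dst, "dport": int(dport),
                       "action": action})
    return alerts


def gateway_summary(alerts):
    """The IPS 'Monday morning' view: how many automated attacks hit the
    gateway, how many were dropped inline, and how many only raised an alert."""
    auto = [a for a in alerts if a["signature"] in AUTOMATED_SIGNATURES]
    blocked = sum(1 for a in auto if a["action"] == "DROP")
    return {
        "total": len(auto),
        "blocked": blocked,
        "not_blocked": len(auto) - blocked,
        "by_signature": dict(Counter(a["signature"] for a in auto)),
    }


def internal_forensics(alerts):
    """The IDS view for internal users: keep every alert from internal
    sensors, grouped by source host, so the full trail is there for HR."""
    per_host = defaultdict(list)
    for a in alerts:
        if a["sensor"].startswith("int-"):
            per_host[a["src"]].append(a)
    return dict(per_host)


def propose_block_rules(alerts, min_hits=3):
    """Detection feeding prevention: automated hits on one destination port
    that were only alerted (not already dropped) and reach min_hits become a
    candidate perimeter block for that port. Only automated signature classes
    count, so an internal user's failed logins can never become a rule."""
    hits = Counter()
    for a in alerts:
        if a["signature"] in AUTOMATED_SIGNATURES and a["action"] != "DROP":
            hits[a["dport"]] += 1
    return sorted(port for port, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    s = gateway_summary(alerts)
    print(f"Automated gateway attacks: {s['total']} "
          f"({s['blocked']} dropped inline, {s['not_blocked']} alert only)")
    for sig, n in sorted(s["by_signature"].items()):
        print(f"  {sig}: {n}")
    for port in propose_block_rules(alerts):
        print(f"Candidate rule: block inbound tcp/{port} at the perimeter")
    for host, items in internal_forensics(alerts).items():
        print(f"Internal host {host}: {len(items)} alerts retained for review")
```

The split between the three functions is the point of the thread: the automated classes are reduced to counts (and, once they recur on an open port, to a block rule), while nothing from the internal sensor is ever summarised away, because there the individual alert is the evidence. The `min_hits` threshold is deliberately tiny so the sample data triggers it; against real gateway volumes it would be set far higher.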
