IDS mailing list archives

Re: Is IDS/IPS worthless?


From: Michael Stone <mstone () mathom us>
Date: Tue, 24 Feb 2004 22:42:07 -0500

On Tue, Feb 24, 2004 at 11:35:47AM -0500, Xiaoyong Wu wrote:
> admin behind the IDS/IPS devices have to be considered. Without a
> skillful security guy looking at the outputs from the IDS/IPS, the
> IDS/IPS is almost worthless as a monitoring device without real people
> looking at the monitors.

Far less so, really. A closed circuit TV with a tape loop is useful even
if nobody looks at it, because the log is a handy thing to have after an
event has happened. An unmaintained IDS isn't even that useful because
it won't have up-to-date signatures and won't have any knowledge of
evolving protocols.

If you step back a little bit this discussion is somewhat amusing--the
choir talking amongst themselves about the absolute need for a strong
tenor section, even for a one-man-band. Comments like "IDS is essential"
just don't make sense. Is IDS essential in some environments? Sure. But
for a small business that doesn't even have a full-time IT guy it's a
silly proposition. Even at a not-so-small business IT dollars are finite
and there really just might not be money for IDS--the choice might be
"guy to watch IDS" or "guy to install patch". Are such sites evil
cancers that should be cut off the net? No, of course not. In the real
world there are risks and there are mitigations and sometimes it takes a
hard call to determine where to put resources. IDS dogma (or anti-IDS
dogma) isn't a path to a reasonable solution.

Mike Stone
