IDS mailing list archives

IPS Futures


From: Joel M Snyder <Joel.Snyder () Opus1 COM>
Date: Mon, 19 Jul 2004 09:40:45 -0700 (MST)

In case anyone is interested in more fuel for the IPS fire, here is an article
that just came out in Information Security.  There are several editing errors
specifically related to product examples, but if you'll ignore those (e.g.,
yes, I know that ForeScout is not host-based), the general concepts might be of
interest.

----

Information Security Magazine
July 2004
Inflated Image
Will intrusion prevention ever live up to its promise?
BY JOEL SNYDER

Intrusion prevention systems (IPSes) are being touted as the latest, greatest
savior of the network. And why not? Unlike signature-based intrusion detection
systems (IDSes), which passively examine traffic and trigger alerts based on
suspicious packets, IPSes perform intense application-layer inspection and
actively block identified attacks. Where IDSes are good for
after-you've-been-hacked forensic analysis, IPSes protect your digital backside
while an attack is in progress.

That's what the marketing brochures say, anyway. The reality, unfortunately,
isn't quite so rosy. The state of the art in IPS is promising but immature and
incomplete. Characteristic of many emerging markets, there's little vendor
agreement about what IPSes are, what they should do and where they should live
in the network. Some vendors pitch IPSes as perimeter-based devices intended to
replace firewalls. Others position them in front of or behind firewalls in a
belt-and-suspenders topology. Still others say IPSes should reside closer to or
on the host itself, preventing execution of anomalous kernel commands.

On the enterprise front, the potential usefulness of IPSes is diluted by
infrastructure complexity and the impracticality of deploying them deep into
the network core. IPSes work as advertised when placed inline on a network
segment in which access control, authentication and authorization are already
carefully monitored and controlled. On large-scale, cross-platform networks
where this isn't the case, an IPS approach to security is less useful.

Given these realities, what's the future of IPS? In a word: hazy. Before I
explore what that may mean to you, let's take a closer look at where we are
today.
 .....

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss426_art870,00.html

jms


Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms () Opus1 COM    http://www.opus1.com/jms    Opus One

