IDS mailing list archives
IPS Futures
From: Joel M Snyder <Joel.Snyder () Opus1 COM>
Date: Mon, 19 Jul 2004 09:40:45 -0700 (MST)
In case anyone is interested in more fuel for the IPS fire, here is an article that just came out in Information Security. There are several editing errors specifically related to product examples, but if you'll ignore those (e.g., yes, I know that ForeScout is not host-based), the general concepts might be of interest.

----

Information Security Magazine
July 2004

Inflated Image
Will intrusion prevention ever live up to its promise?
BY JOEL SNYDER

Intrusion prevention systems (IPSes) are being touted as the latest, greatest savior of the network. And why not? Unlike signature-based intrusion detection systems (IDSes), which passively examine traffic and trigger alerts based on suspicious packets, IPSes perform intense application-layer inspection and actively block identified attacks. Where IDSes are good for after-you've-been-hacked forensic analysis, IPSes protect your digital backside while an attack is in progress.

That's what the marketing brochures say, anyway. The reality, unfortunately, isn't quite so rosy. The state of the art in IPS is promising but immature and incomplete.

Characteristic of many emerging markets, there's little vendor agreement about what IPSes are, what they should do and where they should live in the network. Some vendors pitch IPSes as perimeter-based devices intended to replace firewalls. Others position them in front of or behind firewalls in a belt-and-suspenders topology. Still others say IPSes should reside closer to or on the host itself, preventing execution of anomalous kernel commands.

On the enterprise front, the potential usefulness of IPSes is diluted by infrastructure complexity and the impracticality of deploying them deep into the network core. IPSes work as advertised when placed inline on a network segment in which access control, authentication and authorization are already carefully monitored and controlled. On large-scale, cross-platform networks where this isn't the case, an IPS approach to security is less useful.

Given these realities, what's the future of IPS? In a word: hazy. Before I explore what that may mean to you, let's take a closer look at where we are today.

.....

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss426_art870,00.html

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms () Opus1 COM http://www.opus1.com/jms Opus One
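The article's distinction between a passive IDS (alerts only, traffic always delivered) and an inline IPS (sits in the forwarding path and drops what matches) is easiest to see side by side over the same traffic. The following is an editor-added illustration, not code from the post, the magazine article, or any product it names. The packet stream, the two signatures (a `../` traversal pattern and a SQL tautology), and the "known benign" indices are all constructed for the demonstration; the fourth packet is a deliberately benign request (a diff upload whose file path contains `../`) so that the cost of blocking a false positive inline, rather than merely alerting on it, is visible in the result.

```python
"""Passive IDS vs. inline IPS over one constructed packet stream.

Editor-added example. Signatures and traffic are hypothetical and chosen
only to show how the same match produces an alert in an IDS but a dropped
packet in an IPS, including when the match is a false positive.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Hypothetical signature set (constructed for this example, not a product ruleset).
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./"),
    "sql-tautology": re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}


def match_signatures(payload):
    """Return the names of every signature that fires on this payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def passive_ids(stream):
    """IDS model: inspects a copy of the traffic and emits (index, signature)
    alerts. It never touches delivery, so every packet still reaches its target."""
    alerts = []
    for i, pkt in enumerate(stream):
        for sig in match_signatures(pkt.payload):
            alerts.append((i, sig))
    return alerts


def inline_ips(stream, block_sigs):
    """IPS model: sits in the forwarding path. Packets matching a signature in
    block_sigs are dropped; the rest are forwarded. Returns (forwarded_indices,
    [(index, hits), ...])."""
    forwarded, dropped = [], []
    for i, pkt in enumerate(stream):
        hits = [s for s in match_signatures(pkt.payload) if s in block_sigs]
        if hits:
            dropped.append((i, hits))
        else:
            forwarded.append(i)
    return forwarded, dropped


# Constructed sample traffic toward a single web server.
SAMPLE_STREAM = [
    Packet("10.0.0.5", "10.0.0.80", b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.80", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.80", b"POST /login HTTP/1.0\r\n\r\nuser=a' OR 1=1--&pass=x"),
    # Benign by construction: a diff upload whose path happens to contain "../".
    Packet("10.0.0.7", "10.0.0.80", b"PUT /repo/patch.diff HTTP/1.0\r\n\r\n--- a/../src/x.c\n+++ b/x.c\n"),
]
# Ground truth for the constructed stream: which indices are legitimate traffic.
BENIGN_INDICES = frozenset({0, 3})


def compare(stream, benign_idx=BENIGN_INDICES, block_sigs=frozenset(SIGNATURES)):
    """Run both models over the stream and summarise the operational difference."""
    alerts = passive_ids(stream)
    forwarded, dropped = inline_ips(stream, block_sigs)
    return {
        "ids_alerts": len(alerts),
        "ids_delivered": len(stream),  # passive: nothing is ever withheld
        "ips_forwarded": len(forwarded),
        "ips_dropped": len(dropped),
        # The same false positive that is a spurious alert in the IDS is lost
        # traffic in the IPS: this is the cost of being inline.
        "ips_false_positive_drops": sum(1 for i, _ in dropped if i in benign_idx),
    }


if __name__ == "__main__":
    print("all signatures blocked :", compare(SAMPLE_STREAM))
    print("only tautology blocked :", compare(SAMPLE_STREAM, block_sigs=frozenset({"sql-tautology"})))
```

Narrowing `block_sigs` to the high-confidence signature keeps the benign diff upload flowing while the tautology is still dropped; the traversal rule then reverts to alert-only, which is the belt-and-suspenders arrangement of an inline box blocking a short, trusted rule set while the broader rule set feeds a detector.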
Current thread:
- IPS Futures Joel M Snyder (Jul 20)
- <Possible follow-ups>
- RE: IPS Futures M Shirk (Jul 22)
- RE: IPS Futures Rob Shein (Jul 25)
- RE: IPS Futures Ed Donegan (Jul 25)
- Re: IPS Futures nick black (Jul 26)