IDS mailing list archives
RE: IDS evaluations procedures
From: Omar Herrera <oherrera () prodigy net mx>
Date: Fri, 15 Jul 2005 18:58:54 -0500
I totally agree with Adam: the same technology to detect attacks is available to both IPS and IDS; therefore, false positives (and the fine-tuning to avoid them) are also inherent to both. Tim might be putting more emphasis on the protective nature of IPS, which is understandable; however, I disagree with the "real-world protection against zero-day threats" statement. Even if the IPS triggers on anomalous behavior, I doubt that anyone can guarantee that this kind of protection will be effective against most zero-day threats.

IPS is helpful to stop, at least, known attacks while requiring less attention than an IDS; on the other hand, IDS is helpful to detect a wider range of attacks and incident information, with less impact on the availability of the protected systems than an IPS. Besides, the preventive nature of IPS can't always be applied. E.g., a number of unsuccessful login attempts to a server are detected only after the event takes place, and the inline nature of IPS can't protect against this; it can prevent further connections to the affected system, though, but then it is being more reactive than preventive, right? Detecting new attacks with generic procedures is non-trivial, and an IPS can't guarantee prevention against any new, or even some known, attacks.

These discussions come back again and again, year after year. Maybe we should just accept that, even if some types of security controls have characteristics and functions that overlap, it doesn't mean that one is better than the other. Let us just accept that they are different tools and argue instead whether, for a particular situation, one of them is better suited for the task (if any).

Cheers,
Omar Herrera
-----Original Message-----
From: Adam Powers

Tim,

I hate to stir up this whole can of worms (pun alert), and yes, I know this is off topic, but can you please qualify this seemingly non-sequitur statement?

"All IDS devices are subject to large numbers of false positives, which is why if you're making a new investment you should consider IPS technology, as this gives you a far lower TCO and real-world protection against zero-day threats."

How so? I really struggle with this whole "because it's inline it must be more accurate" thing. Sure, if I turn off a bunch of sigs on the IPS that are less reliable, accuracy will increase. But why not do the same thing on the non-inline IDS?
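The failed-login case Omar raises, as an added example that is not part of the thread: a sliding-window threshold detector run over constructed sshd log lines. It reports the line at which the alert fires and how many failed attempts had already reached the server before that point, which is the gap an inline device cannot close. The log lines, the threshold, the window and the year assumed for syslog timestamps are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not taken from the thread).
SAMPLE_LOG = """\
Jul 15 18:50:01 srv sshd[101]: Failed password for admin from 10.0.0.5 port 40001 ssh2
Jul 15 18:50:04 srv sshd[102]: Failed password for admin from 10.0.0.5 port 40002 ssh2
Jul 15 18:50:06 srv sshd[103]: Accepted password for bob from 10.0.0.9 port 50010 ssh2
Jul 15 18:50:09 srv sshd[104]: Failed password for root from 10.0.0.5 port 40003 ssh2
Jul 15 18:50:11 srv sshd[105]: Failed password for root from 10.0.0.5 port 40004 ssh2
Jul 15 18:50:12 srv sshd[106]: Failed password for root from 10.0.0.5 port 40005 ssh2
Jul 15 18:59:30 srv sshd[107]: Failed password for admin from 10.0.0.7 port 40006 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(ts, year=2005):
    # syslog timestamps carry no year; an assumed year is supplied for the demo.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return one (source, line_no, failures_before_alert) tuple per source whose
    failed logins reach `threshold` within `window_s` seconds. `line_no` is the
    1-based log line that triggers the alert; every failure counted before it
    already reached the server, which is why a threshold rule is reactive."""
    windows = defaultdict(deque)   # src -> timestamps of recent failures
    alerts, alerted = [], set()
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = FAILED_RE.match(line)
        if not m:
            continue                  # successful logins and other events are ignored
        src, ts = m["src"], parse_ts(m["ts"])
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # expire failures that fell out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, line_no, len(q) - 1))
    return alerts


if __name__ == "__main__":
    for src, line_no, prior in detect_bruteforce(SAMPLE_LOG):
        print(f"{src}: alert at line {line_no}, {prior} failures already reached the server")
```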