IDS mailing list archives
Re: How to choose an IDS/FW MSS provider
From: Richard Bejtlich <taosecurity () gmail com>
Date: Sat, 19 Mar 2005 22:57:37 -0500
On Wed, 16 Mar 2005 18:08:12 -0500, Jason <security () brvenik com> wrote:
> The IPS cannot be _in_ the networks to be protected and must remain at the borders. This means that you can have systems compromised within the internal borders and still end up with a big mess. An IPS is a useful tool for mitigating nuisance issues and rapidly moving threats only if it can respond before those threats occur. In the case of Witty it was the threat. What if those systems had been inline? Defense in depth is the key element and if you combine the FW and the Inline device or not you still have to monitor the networks to really know what is happening.
Earlier Chris Harrington said "IPS / IDS down to the switch port is where I see this heading." I agree with him. Routing and switching products today offer access control via ACLs, firewall feature sets, network-based application recognition (NBAR), context-based access control (CBAC), and so on. I also think Jason has a point. The increased complexity of products which formerly only routed and switched packets makes them targets in their own right. That is why I agree with Jason that products and processes which take independent looks at network activity must remain separate from those performing access control. The single uber-box that performs all network functions will be exceedingly complex and will become attractive and easy prey for intruders. People not monitoring their routers and switches for indicators of compromise will wish they had.

Richard
http://www.taosecurity.com