IDS mailing list archives
Re: question related to focus-ids (IPS/IDS "inside" the firewall)
From: Joel M Snyder <Joel.Snyder () Opus1 COM>
Date: Wed, 05 Dec 2007 11:58:32 -0700
Anderson, Derick wrote:
> Joel, thanks for providing your IPS assessment - it was hugely beneficial.
>
> Do you see, in general, any benefit to having an IDS monitoring traffic when there's an IPS at the gateway? The reason I ask is because of your comment about turning on IDS inside the firewall (although you also mentioned that Cisco has a separate processor for IDS). As I see it, an IDS serves a different purpose than an IPS, which is auditing. For example, I set up my IPS in "sane" mode and I set up a separate IDS behind that which should only trigger on stuff the IPS misses. To me, that kind of setup can have value, I was just wondering what your thoughts were on that.

Derick:

Yes, I very much think that there is a need for IDS even when you have IPS. I think that my words were not as precise as they should have been. When I said that you should not run "IDS inside the firewall," I did not mean "IDS topologically inside of the firewall" but "IDS actually incorporated inside of the firewall itself." I re-read my post and see how it could easily be misinterpreted.

But since IDS and IPS are two VERY different things (one blocks known attacks; the other is a security problem detection and network visibility tool), I think that there is room for both. In fact, we run both: IPS out at the edge near the firewall (don't have any of those fancy UTM firewalls ourselves :-(), and IDS closer to the things I "care" about.

So I'm in total agreement with you. Sorry if I wrote poorly and didn't make that clear.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms () Opus1 COM http://www.opus1.com/jms