IDS mailing list archives

Re: IDS vs Application Proxy Firewall


From: Stefano Zanero <zanero () elet polimi it>
Date: Wed, 22 Oct 2008 20:17:18 +0200

"Zow" Terry Brugger wrote:

> Absolutely, which I think underscores the point I was driving at, but
> never actually said, which is that the difference between the devices
> is primarily that of what network layer it's operating at.

Then we apparently disagree, but agree in the substance :)

> to IPS, and I'd be hard pressed to name a network IDS that didn't have
> an active response version or add-on.

But as Renaud Bidou pointed out in a great presentation which I cannot
currently find, an IPS has substantially different focuses from an IDS,
and therefore its evaluation ought to be handled completely differently.

(found it: www.iv2-technologies.com/~rbidou/HowToTestAnIPS.pdf)

> research systems using more advanced techniques. Of course, we don't
> currently have the means to quantitatively test such systems, which is
> where my current research interests lie.

We don't have a way to meaningfully test any IDS system, for that:
http://www.first.org/conference/2007/papers/zanero-stefano-paper.pdf

So any further thought to that area is definitely welcome :)

SZ
