Focus on IDS
Recent Gartner IDS/IPS report Jun 17 2003 10:12PM
Gary Golomb (gee_two yahoo com) (3 replies)
Re: Recent Gartner IDS/IPS report Jun 21 2003 03:14AM
Jeff Nathan (jeff snort org)
Re: Recent Gartner IDS/IPS report Jun 19 2003 02:54PM
Andreas Hess (andi_hess web de)
Re: Recent Gartner IDS/IPS report Jun 18 2003 07:26PM
Stephen Samuel (samuel bcgreen com)
Gary Golomb wrote:
> An IPS is not an extension of an IDS, it's an
> extension of a firewall. And, that does NOT mean a
> firewall with an IDS on/next to it.

In my mind's eye, an IPS and an IDS are essentially
the same technology with one big difference.
For attack scenarios which are identifiable both
in a reasonably short time, *and* with a high degree
of certainty, the IPS will be expected to shut down
(or otherwise respond to) the connection.

As Gary points out, an IPS doesn't have the luxury
of responding to some kinds of incidents -- either because
they have too high of a false-positive rate (even .1% can
be highly problematic with high enough traffic of certain
types), or because by the time you realize what's going on,
the attack may have already done its dirty work.

Although it doesn't hurt to have two different methodologies
between the IPS and IDS to recognize similar attacks, my gut
feeling is that if your IPS is blocking something that your IDS
wouldn't report, then you have one of two problems:

1) your IPS is blocking on false positives (generally bad)
2) Your IDS is set to be too insensitive (bad, as a corollary
to Gary's comments).

I see an IPS as testing for that subset of IDS-recognizable
issues that can be meaningfully responded to in the moment,
with the addition of triage algorithms to decide whether
it's serious enough for an automated response. The last
bit would be a choice of response mechanisms for different
attacks.

--
Stephen Samuel +1(604)876-0426 samuel (at) bcgreen (dot) com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bring it to life.
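
The triage described in the message above, as an added sketch that is not part of the original post: each signature is checked for whether it is recognized before the damage is done, whether its false-positive volume at the given traffic level is tolerable, and whether it is serious enough, and only then gets its response mechanism. The field names, thresholds and sample figures are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:          # hypothetical record; all fields are assumptions
    name: str
    fp_rate: float        # share of inspected benign connections wrongly matched
    conns_per_day: int    # benign connections per day the signature inspects
    detect_s: float       # seconds until the match is certain
    damage_s: float       # seconds until the attack has done its work
    severity: int         # 1 (low) to 5 (high)
    response: str         # response mechanism chosen for this attack

def false_blocks_per_day(sig):
    return sig.fp_rate * sig.conns_per_day

def triage(sig, max_false_blocks=1.0, min_severity=3):
    """Return (action, reason). Every signature still alerts; few also block."""
    if sig.detect_s >= sig.damage_s:
        return "alert", "recognized too late to stop"
    if false_blocks_per_day(sig) > max_false_blocks:
        return "alert", "false-positive volume too high"
    if sig.severity < min_severity:
        return "alert", "not serious enough for automated response"
    return sig.response, "fast, certain and serious"

# Constructed sample signatures (not real rules or measurements).
SIGNATURES = [
    Signature("exact-exploit-match", 0.0, 2_000_000, 0.01, 0.5, 5, "reset-connection"),
    Signature("keyword-heuristic", 0.001, 2_000_000, 0.01, 0.5, 4, "reset-connection"),
    Signature("single-packet-attack", 0.0, 2_000_000, 2.0, 0.001, 5, "drop-packet"),
    Signature("banner-probe", 0.0, 50_000, 0.01, 5.0, 1, "drop-packet"),
]

def ips_subset(signatures):
    """Names of the signatures the IPS acts on; the IDS reports all of them."""
    return [s.name for s in signatures if triage(s)[0] != "alert"]

if __name__ == "__main__":
    for s in SIGNATURES:
        action, reason = triage(s)
        print(f"{s.name:22} {action:17} {reason} "
              f"({false_blocks_per_day(s):.0f} false blocks/day)")
```

With these constructed numbers, the 0.1% false-positive signature would wrongly block about 2,000 connections a day, so it stays alert-only even though it is fast and severe.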

Copyright 2009, SecurityFocus