Re: Changes in IDS Companies?
From: Aaron Turner (aturner@pobox.com) Date: 10/26/02
- Previous message: A.S.Rajendran: "Re: Changes in IDS Companies?"
- In reply to: A.S.Rajendran: "Re: Changes in IDS Companies?"
- Next in thread: Matt Harris: "Re: Changes in IDS Companies?"
- Next in thread: Marcus J. Ranum: "Re: Changes in IDS Companies?"
Date: Fri, 25 Oct 2002 17:29:13 -0700
From: Aaron Turner <aturner@pobox.com>
To: focus-ids@securityfocus.com
On Fri, Oct 25, 2002 at 02:35:58PM +0530, A.S.Rajendran wrote:
<snip>
> Inline IPS has the ability to block the suspicious traffic. But it has
> performance penalties. NIDS cannot effectively block the traffic. But it
> will not degrade the network performance. We should use the positive points
> of both.
> Inline IPS method should be used to block traffic with protocol anomaly
> and to block some suspicious packets temporarily by using signatures until
> some patch is available to the vulnerable services. NIDS can be used to
> monitor all the traffic and generate a log message for all suspicious
> packets. HIDS can be used for detecting repeated failed access attempts or
> changes to critical system files.
See, that's something I don't get... If the inline IPS (NIPS) device has
to process all the traffic in order to determine what to block, why
have a NIDS which just has to re-process the same traffic all over again?
Generating log messages is a tiny fraction of the CPU required to actually
process the packets; there just doesn't seem, in my mind at least, to be any
justification for owning both NIPS and NIDS.
I can understand not trusting a NIPS enough to deploy it (for reliability,
performance, or accuracy reasons), but if you do deploy it, there doesn't
seem to be a need for a traditional NIDS... well unless the NIPS you choose
just plain sucks at finding attacks, in which case, why did you buy the NIPS
in the first place?
Defense in depth doesn't mean deploying EVERYTHING the market has to offer,
it means properly choosing a solution (not to mean a single product or
vendor) which provides the security which best defends against your
threat model.
--
Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/aturner
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6
All emails by me are PGP signed; a lack of a signature indicates a forgery.
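The point made above, that the detection work is the same whether the box is inline or passive and only the action taken on a verdict differs, can be shown with a toy inspection engine. This is an added example written for this archive page, not code from either poster or from any IDS/IPS product; the packet format, the anomaly checks, the two signatures (one of them a temporary rule with an expiry, as the quoted message suggests) and the sample traffic are all constructed for illustration.

```python
"""
Toy inline/passive inspection engine (constructed example, not vendor code).
One detection pass per packet produces a verdict; whether that verdict is
enforced (inline, "NIPS") or only logged (passive, "NIDS") is decided after
detection, so a second sensor would repeat the same inspection work.
"""
import re
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:            # assumed minimal packet record for the example
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:         # assumed signature shape; 'expires' models a temporary rule
    name: str
    pattern: "re.Pattern"
    dport: Optional[int] = None
    expires: Optional[float] = None   # retire the rule once the service is patched

    def active(self, now: float) -> bool:
        return self.expires is None or now < self.expires


def protocol_anomalies(pkt: Packet) -> List[str]:
    """Cheap structural checks on HTTP-ish traffic (port 80); constructed rules."""
    findings = []
    if pkt.dport == 80:
        line, _, _ = pkt.payload.partition(b"\r\n")
        parts = line.split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            findings.append("http.malformed-request-line")
        elif len(parts[1]) > 2048:
            findings.append("http.uri-too-long")
        if any(b < 0x20 and b not in (0x09, 0x0D, 0x0A) for b in pkt.payload):
            findings.append("http.control-chars")
    return findings


def inspect(pkt: Packet, sigs: List[Signature], now: float) -> List[str]:
    """The expensive part: a single pass of anomaly checks plus signature matching."""
    hits = protocol_anomalies(pkt)
    for s in sigs:
        if s.active(now) and (s.dport is None or s.dport == pkt.dport) \
                and s.pattern.search(pkt.payload):
            hits.append("sig." + s.name)
    return hits


def run(packets: List[Packet], sigs: List[Signature], inline: bool,
        now: Optional[float] = None) -> Tuple[List[Packet], List[Packet], List[tuple]]:
    """Process a stream once. Returns (forwarded, dropped, log).
    Inline mode drops on any hit; passive mode forwards everything and only logs."""
    now = time.time() if now is None else now
    forwarded, dropped, log = [], [], []
    for pkt in packets:
        hits = inspect(pkt, sigs, now)          # same cost in both modes
        if hits:
            log.append(("drop" if inline else "alert", pkt.src, pkt.dst, pkt.dport, hits))
        if hits and inline:
            dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, dropped, log


# Constructed sample rules and traffic (the traversal string mimics a well-known
# IIS-era request pattern; it is sample input, not a live exploit).
T0 = 1_000_000.0
SIGS = [
    Signature("unicode-traversal", re.compile(rb"%c0%af|\.\./\.\./"), dport=80,
              expires=T0 + 86400),                  # temporary: one day, then retired
    Signature("ssh-1.5-banner", re.compile(rb"^SSH-1\.5-"), dport=22),
]
PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("10.0.0.6", "192.0.2.10", 80,
           b"GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.7", "192.0.2.10", 80, b"\x01\x02 garbage\r\n"),
    Packet("10.0.0.8", "192.0.2.22", 22, b"SSH-1.5-OpenSSH_2.3\r\n"),
]

if __name__ == "__main__":
    for mode in (True, False):
        fwd, drp, log = run(PACKETS, SIGS, inline=mode, now=T0)
        print("inline" if mode else "passive", len(fwd), "forwarded,", len(drp), "dropped")
        for entry in log:
            print("  ", entry)
```

Running it in inline mode at time T0 drops three of the four packets and logs three entries; running the same stream in passive mode forwards all four and logs the same three verdicts as alerts. Advancing the clock past the temporary rule's expiry lets the traversal request through in both modes, which is the "block until a patch is available" behaviour the quoted message describes, implemented on the single engine rather than on a separate box.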