RE: IPS Futures
From: Ed Donegan (danceslikewhiteguy_at_hotmail.com)
Date: 07/22/04
- Previous message: Rob Shein: "RE: IPS Futures"
- Maybe in reply to: Joel M Snyder: "IPS Futures"
- Next in thread: nick black: "Re: IPS Futures"
- Reply: nick black: "Re: IPS Futures"
To: Joel.Snyder@Opus1.COM, focus-ids@securityfocus.com
Date: Thu, 22 Jul 2004 12:29:46 -0700
I am curious how even wire-speed IPSes analyze fragmented attacks without
introducing network latency. Seems it would be a fairly fundamental problem
for an inline network device.
>From: Joel M Snyder <Joel.Snyder@Opus1.COM>
>To: focus-ids@securityfocus.com
>Subject: IPS Futures
>Date: Mon, 19 Jul 2004 09:40:45 -0700 (MST)
>
>In case anyone is interested in more fuel for the IPS fire, here is an article
>that just came out in Information Security. There are several editing errors
>specifically related to product examples, but if you'll ignore those (e.g.,
>yes, I know that ForeScout is not host-based), the general concepts might be of
>interest.
>
>----
>
>Information Security Magazine
>July 2004
>Inflated Image
>Will intrusion prevention ever live up to its promise?
>BY JOEL SNYDER
>
>Intrusion prevention systems (IPSes) are being touted as the latest, greatest
>savior of the network. And why not? Unlike signature-based intrusion detection
>systems (IDSes), which passively examine traffic and trigger alerts based on
>suspicious packets, IPSes perform intense application-layer inspection and
>actively block identified attacks. Where IDSes are good for
>after-you've-been-hacked forensic analysis, IPSes protect your digital backside
>while an attack is in progress.
>
>That's what the marketing brochures say, anyway. The reality, unfortunately,
>isn't quite so rosy. The state of the art in IPS is promising but immature and
>incomplete. Characteristic of many emerging markets, there's little vendor
>agreement about what IPSes are, what they should do and where they should live
>in the network. Some vendors pitch IPSes as perimeter-based devices intended to
>replace firewalls. Others position them in front of or behind firewalls in a
>belt-and-suspenders topology. Still others say IPSes should reside closer to or
>on the host itself, preventing execution of anomalous kernel commands.
>
>On the enterprise front, the potential usefulness of IPSes is diluted by
>infrastructure complexity and the impracticality of deploying them deep into
>the network core. IPSes work as advertised when placed inline on a network
>segment in which access control, authentication and authorization are already
>carefully monitored and controlled. On large-scale, cross-platform networks
>where this isn't the case, an IPS approach to security is less useful.
>
>Given these realities, what's the future of IPS? In a word: hazy. Before I
>explore what that may mean to you, let's take a closer look at where we are
>today.
> .....
>
>http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss426_art870,00.html
>
>jms
>
>
>Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
>Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
>jms@Opus1.COM http://www.opus1.com/jms Opus One
>