RE: Alarm response strategies

From: Richard Bejtlich (taosecurity_at_gmail.com)
Date: 07/27/04

  • Next message: Frank Knobbe: "RE: Alarm response strategies"

Date: Tue, 27 Jul 2004 16:28:56 -0400
To: focus-ids@securityfocus.com

Rob Shein wrote:

"What I do see happening is for IPS and IDS to converge to some
degree, so that we can have the larger alert capability of an IDS
combined with the proactive (couldn't think of a better word to offset
reactive...just plain active, perhaps?) capability of an inline IPS."

--
If I could have one wish granted, it would be for the IPS to be
recognized as a layer 7 firewall, and not compared to an IDS.
If there's convergence ahead (and I agree with you that there is),
let's see the IPS merge into the access control device known as the
firewall.

I want my network audit device to perform no access control at all,
unless in absolutely dire emergencies.

We already see "convergence" multipurpose boxes that are
switches/routers/VPN concentrators/firewalls/wireless
gateways/anti-virus/IDS/etc., but this is more for small shops in my
opinion. Conceptually speaking, an IPS is an access control device and
an IDS is a network audit device.

Sincerely,
Richard
http://www.taosecurity.com