Re: IPS, alternative solutions

From: Andy Cuff (lists_at_securitywizardry.com)
Date: 09/16/04

    To: "Daniel" <deeper@gmail.com>, <focus-ids@securityfocus.com>
    Date: Thu, 16 Sep 2004 17:32:47 +0100
    
    

    Hi Daniel,
    Most if not all organisations that use IPS do so smartly, in that they
    consider the likelihood of a false positive for every signature and vary the
    response to that signature accordingly.

    -andy cuff
    Talisker's Computer Security Portal
    Computer Network Defence Ltd
    http://www.securitywizardry.com
    ----- Original Message -----
    From: "Daniel" <deeper@gmail.com>
    To: <focus-ids@securityfocus.com>
    Sent: Tuesday, September 14, 2004 11:01 AM
    Subject: IPS, alternative solutions

    > So far there has been a load of talk discussing which is the better
    > technology. Personally I don't think IPS is ready for the big time. Yeah, it's
    > great for small mum and dad networks, but for large financial networks with
    > billions of pounds flowing across them, would you trust a technology to
    > think and block what it seems as bad traffic?
    >
    > So what are the alternatives?
    >
    > I'd say more host based protection such as:
    >
    > - Stack protection
    > - Application level firewalls (ModSecurity/SecureIIS)
    > - Host based firewalls
    >
    > I'm interested to see what everyone else feels are alternatives to IPS

