Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor
From: Jason Haar (Jason.Haar_at_trimble.co.nz)
Date: 10/14/05
- Previous message: Omar A. Herrera: "RE: IDS and Spywares"
- In reply to: Tim Holman: "Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor"
- Next in thread: Joel Esler: "Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor"
Date: Sat, 15 Oct 2005 07:23:59 +1300
To: focus-ids@securityfocus.com
Tim Holman wrote:
> 2) Problems with false positives, as by using pattern matching
> signatures, there is always a chance that these patterns also appear
> in valid traffic
Huh?? "IDS have false positives and IPS don't"??? Yeah - right.
The only way that statement could be true is if the IPS had zero rules
loaded. One of the big differences between IDS and IPS is that an IDS
allows you to run with riskier rules than an IPS. As an IPS blocks - any
False Positive is a Bad Thing. A FP with an IDS is just another alert.
IPS tend to run with a fraction of the rules that an IDS uses. Try
explaining to your HR Manager why your IPS just blocked the payroll
server due to some half-assed antispyware rule. "Conservative" is a word
to use WRT IPS.
> 3) Management overheads. An IDS can only be a reasonably effective
> prevention method if there is someone on hand 24/7 to monitor logs and
> take immediate action on intrusions. Even then , the intrusion has
> got in, as admins very rarely use the active blocking features of an
> IDS (namely sending RST packets to kill connections, or modifying
> upstream ACLs), as these are too likely to have an effect on valid
> traffic
?? An IDS needs to be managed, but an IPS doesn't? Must be turned off
then ;-)
> 4) There is absolutely no protection for rate-based attacks (SYN,
> TCP, UDP floods)
Yup - IPS have paid more attention to that alright.
> 5) Without maintaining a L3/4 connection/state table, there is no way
> an IDS can be truly stateful. 100% statefulness means that everything
> from the initial SYN to the final RST/FIN packet of a connection is
> stored in a connection table. This requires the device to be INLINE,
> and operating at L3. This is the only way a protection device can
> provide effective defence against L3 attacks. An offline IDS cannot
> do this.
>
??? IDS cannot be stateful??? Sorry - they can.
> I would recommend looking at IPS products instead, so something that
> you can position inline and get immediate value from.
I'd recommend an IPS with IDS functionality myself. Block what you are
confident with, alert on the rest.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
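The two points Jason makes above, that a passive sensor can keep a connection table just as an inline one can, and that an inline device should only drop on rules it is confident in and alert on the rest, are illustrated by the following toy sensor. This is an added example, not code from the thread or from any of the products named in it; the packets, hosts, rules and the "payroll server" flow are constructed for the demonstration, and the TCP state machine is deliberately simplified (a single FIN or RST tears a flow down).

```python
"""Toy stateful sensor with per-rule actions (added example, constructed data).

The same connection table is built whether the sensor sits inline or on a
tap/SPAN port; only the ability to honour a "drop" action differs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard TCP flag bits.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


FlowKey = Tuple[str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a connection share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return a + b if a <= b else b + a


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes
    action: str  # "drop" (only honoured when inline) or "alert"


class Sensor:
    """Tracks flows from SYN to FIN/RST and inspects payload only on ESTABLISHED
    flows. inline=False models a tap-fed IDS (same table, can only alert);
    inline=True models an IPS that may drop."""

    def __init__(self, rules: List[Rule], inline: bool) -> None:
        self.rules = rules
        self.inline = inline
        self.table: Dict[FlowKey, str] = {}
        self.alerts: List[str] = []
        self.dropped: List[str] = []

    def _track(self, p: Packet) -> Optional[str]:
        """Update the connection table; return the flow's state after this packet."""
        key = flow_key(p)
        state = self.table.get(key)
        if p.flags & (RST | FIN):
            self.table.pop(key, None)  # simplification: one FIN/RST closes the flow
            return None
        if p.flags & SYN and not p.flags & ACK:
            self.table[key] = "SYN_SENT"
        elif p.flags & SYN and p.flags & ACK and state == "SYN_SENT":
            self.table[key] = "SYN_RECV"
        elif p.flags & ACK and state == "SYN_RECV":
            self.table[key] = "ESTABLISHED"
        return self.table.get(key)

    def process(self, p: Packet) -> str:
        """Return 'pass', 'ignored', 'alert' or 'drop' for one packet."""
        state = self._track(p)
        if not p.payload:
            return "pass"
        if state != "ESTABLISHED":
            # Payload outside any tracked connection (spoofed or unsolicited):
            # a stateless pattern matcher would fire here; a stateful one does not.
            return "ignored"
        verdict = "pass"
        for r in self.rules:
            if r.pattern in p.payload:
                if r.action == "drop" and self.inline:
                    self.dropped.append(r.name)
                    return "drop"
                self.alerts.append(r.name)  # drop rules degrade to alerts off-line
                verdict = "alert"
        return verdict


# Constructed rule set: one high-confidence drop rule, one noisy alert-only rule.
RULES = [
    Rule("cmd.exe in HTTP request", b"cmd.exe", "drop"),
    Rule("possible spyware beacon", b"adtrack", "alert"),
]


def handshake(c: str, cp: int, s: str, sp: int) -> List[Packet]:
    return [Packet(c, cp, s, sp, SYN), Packet(s, sp, c, cp, SYN | ACK), Packet(c, cp, s, sp, ACK)]


def demo(inline: bool) -> List[str]:
    """Run the constructed scenario and return the per-packet verdicts."""
    sensor = Sensor(RULES, inline)
    pkts: List[Packet] = []
    pkts += handshake("10.0.0.5", 40000, "10.0.0.20", 80)
    pkts.append(Packet("10.0.0.5", 40000, "10.0.0.20", 80, ACK,
                       b"GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0\r\n"))
    pkts += handshake("10.0.0.7", 40001, "10.0.0.9", 443)  # hypothetical payroll server
    pkts.append(Packet("10.0.0.7", 40001, "10.0.0.9", 443, ACK, b"POST /adtrack/report HTTP/1.1\r\n"))
    # No handshake: payload aimed at a flow the sensor never saw open.
    pkts.append(Packet("192.0.2.1", 5555, "10.0.0.20", 80, ACK, b"cmd.exe"))
    return [sensor.process(p) for p in pkts]


if __name__ == "__main__":
    print("inline :", demo(True))
    print("passive:", demo(False))
```

Inline, the cmd.exe request is dropped while the noisy spyware rule only raises an alert, so the payroll flow keeps going; on a tap the same table is built and the drop rule simply degrades to an alert. In both modes the unsolicited "cmd.exe" packet with no handshake behind it is ignored, which is the false-positive reduction that statefulness buys regardless of placement.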