Re: question related to focus-ids (IPS/IDS "inside" the firewall)



Anderson, Derick wrote:
Joel, thanks for providing your IPS assessment - it was hugely
beneficial.

Do you see, in general, any benefit to having an IDS monitoring traffic
when there's an IPS at the gateway? The reason I ask is because of your
comment about turning on IDS inside the firewall (although you also
mentioned that Cisco has a separate processor for IDS). As I see it, an
IDS serves a different purpose than an IPS, which is auditing. For
example, I set up my IPS in "sane" mode and I set up a separate IDS
behind that which should only trigger on stuff the IPS misses.

To me, that kind of setup can have value; I was just wondering what your
thoughts were on that.

Derick:


Yes, I very much think that there is a need for IDS even when you
have IPS. I think that my words were not as precise as they
should have been.

When I said that you should not run
"IDS inside the firewall," I did not mean
"IDS topologically inside of the firewall" but
"IDS actually incorporated inside of the firewall itself."

I re-read my post and see how it could easily be misinterpreted.

But since IDS and IPS are two VERY different things
(one blocks known attacks; the other is a security problem
detection and network visibility tool), I think that there is
room for both.

In fact, we run both: IPS out at the edge near the firewall
(don't have any of those fancy UTM firewalls ourselves :-(),
and IDS closer to the things I "care" about.

So I'm in total agreement with you. Sorry if I wrote poorly
and didn't make that clear.

jms


--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms@xxxxxxxxx http://www.opus1.com/jms
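As an added example (not part of the thread or either poster's setup), one way to audit the "IDS behind the IPS" arrangement Derick describes: correlate the edge IPS block log with the IDS alert log so only what reached the IDS stands out, split into flows the IPS never touched (true misses) and flows it blocked only partially. The log format, signature ids and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample logs (not from the thread): the edge IPS records what it
# blocked; the IDS behind it records every alert on traffic that got through.
IPS_BLOCK_LOG = """\
2007-03-01T10:00:01 action=block sid=2001 src=203.0.113.5 dst=192.0.2.10 dport=80
2007-03-01T10:00:02 action=block sid=2001 src=203.0.113.5 dst=192.0.2.10 dport=80
2007-03-01T10:00:05 action=block sid=2010 src=198.51.100.9 dst=192.0.2.20 dport=445
"""
IDS_ALERT_LOG = """\
2007-03-01T10:00:07 sid=2010 src=198.51.100.9 dst=192.0.2.20 dport=445
2007-03-01T10:00:09 sid=3050 src=198.51.100.77 dst=192.0.2.10 dport=80
2007-03-01T10:00:11 sid=3050 src=198.51.100.77 dst=192.0.2.10 dport=80
"""

# Assumed key=value layout: timestamp, optional action, then sid/src/dst/dport.
LINE_RE = re.compile(
    r"^\S+ (?:action=\w+ )?sid=(\d+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(log):
    """Yield (sid, src, dst, dport) tuples; lines that don't match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def ips_gaps(ips_log, ids_log):
    """Return (misses, partial): counts of IDS alerts keyed by flow.

    misses  - flows the IPS never logged a block for (what the IPS missed)
    partial - flows the IPS did block, yet some attempts still reached the IDS
    """
    blocked = set(parse(ips_log))
    misses, partial = defaultdict(int), defaultdict(int)
    for key in parse(ids_log):
        (partial if key in blocked else misses)[key] += 1
    return dict(misses), dict(partial)


if __name__ == "__main__":
    misses, partial = ips_gaps(IPS_BLOCK_LOG, IDS_ALERT_LOG)
    for key, n in misses.items():
        print("IPS MISS    sid=%s %s -> %s:%s (%d alerts)" % (key + (n,)))
    for key, n in partial.items():
        print("IPS PARTIAL sid=%s %s -> %s:%s (%d alerts)" % (key + (n,)))
```

Run on real logs, the "misses" bucket is the review queue for the IPS rule set, and the "partial" bucket tells you which blocks are not holding.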
