The title of the discussion is IDS vs. IPS deployment feedback.
Neither IDS nor IPS is stronger or weaker than the rules that control them.
As far as I know you could run the same type of rules (signature and/or anomaly
based) on an IDS as on an IPS. Thus an IDS could detect any network or host
activity as well as an IPS could.

The main difference is in what you do with the information. I would rather have
an experienced analyst implementing the security policy than a machine.
Most IDSs have implemented ways to stop traffic through the firewall.
AFAIK it hasn't been much used because it opens up a considerable DoS
vulnerability. If I know what rules shut down connections, I can craft packets
that shut down valid connections.

If installed correctly, an IDS is a network/host recording device that is very
resistant to evidence manipulation. More so at least than an IPS, which must be
installed inline.

Firewalls and IPSs have the same characteristic in that if either one stops
working, traffic goes down as well. So by installing an IPS you have two devices
that can stop your connection. By using an IDS you only have one device (the
firewall) that can shut down your network.

> This is like saying, "by buying a car, you open yourself up to an auto
> accident." Well, sure. There is risk in everything. It's absurd to think
> that just because something has risk, it's useless.

I would rather buy a cheap car that I can steer myself than trust an expensive
car running on autopilot :)
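The auto-blocking risk the post describes, modelled as an added example (not code from the thread or from any IDS product): a responder that blocks an alert's source, run once under the naive "block on any alert" policy and once under a guarded policy that never blocks site-critical hosts and only acts on rules matched inside an established TCP session. All addresses and rule names are constructed sample values.

```python
# Added example, not code from the thread: a minimal model of IDS "active
# response" showing the self-inflicted DoS the post warns about, plus a guard.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    src: str   # source address as seen on the wire; trivially forged for UDP
    rule: str  # name of the rule that fired


@dataclass
class ActiveResponder:
    # Site-defined hosts that must never be auto-blocked (assumed list).
    never_block: frozenset = frozenset()
    # Rules that only match on an established TCP session, so the source is
    # real. Empty means "block on any rule" (the naive policy).
    block_on: frozenset = frozenset()
    blocked: set = field(default_factory=set)

    def handle(self, alert: Alert) -> bool:
        """Apply one alert; return True if it resulted in a block."""
        if alert.src in self.never_block:
            return False
        if self.block_on and alert.rule not in self.block_on:
            return False
        self.blocked.add(alert.src)
        return True


# Constructed alerts: the first carries a forged source equal to the site's
# upstream DNS resolver; the second is a real scanner on an established session.
SAMPLE_ALERTS = (
    Alert(src="198.51.100.53", rule="udp-probe"),
    Alert(src="203.0.113.7", rule="tcp-established-exploit"),
)


def run(responder: ActiveResponder, alerts=SAMPLE_ALERTS) -> set:
    """Feed every alert to the responder and return the resulting blocklist."""
    for a in alerts:
        responder.handle(a)
    return responder.blocked


def naive_blocklist() -> set:
    """Block on any alert: the forged alert takes the DNS resolver offline."""
    return run(ActiveResponder())


def guarded_blocklist() -> set:
    """Protect critical hosts and block only on non-forgeable triggers."""
    return run(ActiveResponder(never_block=frozenset({"198.51.100.53"}),
                               block_on=frozenset({"tcp-established-exploit"})))
```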

