Jeremy Bennett wrote:

> So, why do you consider it so far fetched that I might configure an IPS
> not on a signature-by-signature basis but an application, resource, and
> risk basis?

Application and resource I can understand. Risk basis defies me. Activating or deactivating signatures "by application and resource" is something easy to do, I'd say it's a matter of putting some buttons on the UI. On the other hand the risk decisions, and their elements, are far too complex to handle algorithmically.

> 1. A vendor you can trust to reliably deliver signatures and rate them
> by risk and chance of false positive.

You cannot rate risk for a signature. I'd also contend that you cannot really define the chances of false positives (if it has known false positives it shouldn't be there, actually... and if it is a "generic signature" then it shouldn't probably be there, either).

> 2. A product UI that would allow signatures to be applied on a resource
> and application basis. For example, block everything suspicious to my
> web far except for web traffic.

Something like "allow only ports 80 and 443 to my web server"? Don't they usually teach that in network security 101? :)

> For web traffic block anything with a
> very low rate of false positive and alert on anything with a medium and
> log for anything with a high chance of FP.

Excellent, except that the concept of something with a high rate of FPs and the concept of an IPS are at odds with each other.

> There are many customers that will never have that expertise.

Then those customers need a good MSSP, and not to worry about technical details.

--
Kind regards,
Ing. Stefano Zanero, PhD
CTO & Co-Founder
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI)
Phone: +39 02.24126788
Fax: +39 02.24126789
email: [email protected]
web: www.securenetwork.it
