On Wed, 28 Sep 2005 [EMAIL PROTECTED] wrote:

In a nutshell I would go with Sentivist.
http://www.nfr.com/solutions/download/HotPick-IPS-Review.pdf

For brief summaries of some other products:
http://www.networkintrusion.co.uk/inline.htm

> All depends on the inbound packet rate, how fast the IDS is, and how
> much RAM you're willing to buy. Just remember that a sufficiently long
> queue is in itself a denial of service... ;)

A possibly even worse threat is an out of sync admin :O

> Just remember to configure the thing sensibly - it's amazing how many
> people manage to shoot themselves in the foot, and find out the hard way
> that yes, Virginia, there ARE people out there that will forge packets
> with the source IP address of the victim's nameserver... ;)

Many IPS', whether it's a HIP or NIP, have (or at least should have) capabilities of assessing "0-day" threats and generating rules off of them. Even for those *PS products that do, those same "out of sync" admins will get lost in the sauce no matter what they buy. Personally I think it becomes the job of the admin to assess threats and stay in tune with what's going on in the industry. Keep up to date with any new threats and step it up from there. "THAT" however becomes a bump in the road since too many admins are lazy.

> It's *very* important to talk about definitions - there's waaay too many
> people who buy an IDS and think that by hooking it to the net, it
> magically becomes an IPS.

Way too many people also have become accustomed to dropping dollars on the table of INSERT_CORP_HERE thinking they can buy an all-inclusive security solution, only to find that it failed.

> An equally great number buy some IPS or other, and find out the hard way
> that they don't block a 0-day or a new worm.....

I'd say from my own experience that someone WITH experience can craft their own IPS out of an IDS and call it a day, saving money for their company and possibly creating something equal to, if not better than, some products.

On my little network at work I've managed to substitute many products and appliances for what's freely available on the open source scene, with some carefully thought out and diagrammed programs that I audit pretty much daily. There's nothing better for me than to be able to modify something to my needs, rather than sit and wait until vendor_x's next release because they didn't implement something. It's also better for me to be able to add a line or two based on some thread of a new attack, as opposed to sitting around and waiting for vendor_x to verify if something is a threat or not.

While I do agree with the statement made, "Quite frankly, anybody who already has a PIX installed and wants to install an IPS needs to quantify *exactly* what protection the PIX is failing to provide before they go shopping for anything", to a degree, I also disagree with that statement since it alludes to the thinking that solely a PIX will save your ass. It won't, nor will any other firewall, nor will any other product combined with any OTHER product and so on.

/* REDUNDANT COMMENT */ "You are the weakest link..." People fail miserably. Products can only do what they're told, but no matter how many acronymed buzzwords you want to throw around ("Super Hip Intelligent Threading"), it's still SHIT unless you have the ability to use your own common sense, experience, knowledge, etc.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"Just one more time for the sake of sanity tell me why explain the gravity that drove you to this..." Assemblage

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
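The post argues that an experienced admin can build their own IPS out of an IDS by turning alerts into blocking rules, while the quoted thread warns of two ways that goes wrong: an unbounded alert queue that becomes its own denial of service, and auto-blocking a source address that an attacker has spoofed (the victim's own nameserver). The following is an added example, not code from the poster or from any product named above, showing the minimal alert-to-rule loop with both safeguards. The Snort-style "fast" alert layout, the sample alert lines, the RFC 5737 addresses and the protected-host list are all constructed for the example; the iptables rule strings are generated, never executed.

```python
"""Added example: IDS alerts -> firewall block decisions, with a bounded
pending queue and a protected-host list so a spoofed nameserver address
cannot be auto-blocked. Rule strings are returned, not executed."""

import ipaddress
import re
from collections import deque

# Constructed sample alerts in an assumed Snort-style "fast" alert layout.
# Addresses are RFC 5737 documentation ranges; 192.0.2.53 plays the site's nameserver.
SAMPLE_ALERTS = [
    "09/28-10:01:02.123456 [**] [1:2001219:1] ET SCAN Potential SSH Scan [**] "
    "[Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:22",
    # Spoofed: source claims to be the nameserver, which must never be blocked.
    "09/28-10:01:03.000001 [**] [1:1000001:1] LOCAL DNS amplification probe [**] "
    "[Priority: 1] {UDP} 192.0.2.53:53 -> 192.0.2.10:33000",
    "09/28-10:01:04.500000 [**] [1:1000002:1] LOCAL HTTP worm propagation attempt [**] "
    "[Priority: 1] {TCP} 198.51.100.7:4444 -> 192.0.2.10:80",
    # Low priority: informational, should not trigger a block.
    "09/28-10:01:05.700000 [**] [1:1000003:1] LOCAL info-only banner grab [**] "
    "[Priority: 3] {TCP} 198.51.100.8:2222 -> 192.0.2.10:80",
    "garbage line that does not parse",
]

# Only the fields the decision needs: priority, protocol, source and destination IPs.
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse_alert(line):
    """Return {'priority', 'proto', 'src', 'dst'} or None if the line does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {"priority": int(m["prio"]), "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


class AutoBlocker:
    """Turns parsed alerts into block decisions. Snort priority 1 is the most severe."""

    def __init__(self, protected_hosts, max_pending=100, min_priority=2):
        self.protected = [ipaddress.ip_network(h) for h in protected_hosts]
        self.max_pending = max_pending      # bounded queue: the post's DoS caveat
        self.min_priority = min_priority    # alerts with a larger number are ignored
        self.pending = deque()
        self.blocked = set()

    def is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.protected)

    def ingest(self, line):
        """Classify one alert line and queue its source for blocking if appropriate."""
        alert = parse_alert(line)
        if alert is None:
            return "unparsed"
        if alert["priority"] > self.min_priority:
            return "low_priority"
        if self.is_protected(alert["src"]):
            # Spoofable source address of infrastructure we depend on: never block.
            return "protected"
        if alert["src"] in self.blocked or alert["src"] in self.pending:
            return "already_blocked"
        if len(self.pending) >= self.max_pending:
            # Shed load instead of growing without bound.
            return "queue_full"
        self.pending.append(alert["src"])
        return "queued"

    def flush(self):
        """Drain the queue into firewall rule strings (not executed here)."""
        rules = []
        while self.pending:
            src = self.pending.popleft()
            self.blocked.add(src)
            rules.append(f"iptables -I INPUT -s {src} -j DROP")
        return rules


def run_sample(max_pending=2):
    """Feed the constructed alerts through a blocker that protects the nameserver."""
    blocker = AutoBlocker(["192.0.2.53/32"], max_pending=max_pending, min_priority=2)
    decisions = [blocker.ingest(line) for line in SAMPLE_ALERTS]
    return decisions, blocker.flush()


if __name__ == "__main__":
    decisions, rules = run_sample()
    for line, decision in zip(SAMPLE_ALERTS, decisions):
        print(f"{decision:15s} {line[:60]}")
    print("\n".join(rules))
```

With a queue of two, the SSH scanner and the worm source are queued and emitted as rules, the spoofed nameserver alert is skipped as protected, the priority-3 alert is ignored, and the unparseable line is counted rather than crashing the loop; shrinking `max_pending` to one shows the worm alert being shed as `queue_full` instead of growing the backlog.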