On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin <jasonbeaud...@gmail.com> wrote:
> From a compliance perspective, I don't have much choice. From the
> costs, infrastructure, and administrative perspectives, I am currently
> evaluating whether or not I should be leaning towards an IDS or IPS
> solution, and of course which system/vendor. My understanding is that
> something like snort requires a fair bit of maintenance and
> IT-attention, the trade-off being cost, so I am leaning away from
> this. Between detection and prevention, preventing break-ins seems a
> bit sillier than trying to actively monitor what's going on and to
> then look for threats, so this pushes me more towards IDS over IPS.

I agree with you. High rates of false positives, but fairly low rates
of false negatives. Once the care and feeding is taken care of
(turning off everything and gradually fine tuning to your current
traffic helps), they're useful for alerting against unusual traffic
leaving your network; not so much against automated attacks coming in
the network. My own deployments are specifically to monitor for odd
outbound traffic from my office. It's a rapid way to find out about
the latest trojan, worm, or other infection my users have brought in
on their laptops.

That said, the usefulness of an IDP is specifically preventing most
automated and known attacks from passing in to your network. By using
one of the commercial systems, you gain support, tuning, and the fact
that you don't have to spend as much time with the care and feeding or
writing/testing new rulesets against your current version.

As a compliance feature, I've found most administrators put them in
place and promptly turn the reporting off due to the high rate of
false positives reducing the signal from the noise.

jb
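The workflow jb describes (learn what normally leaves the office network during a clean period, alert on anything outbound that was not in that baseline, and tune out the known-noisy services rather than drowning in false positives) written out as a small detector. This is an added example, not code from the thread, from Snort, or from any commercial IDS; the connection-record format, the 10.0.0.0/8 office range, the sample records and the fan-out threshold are all constructed assumptions for illustration. It also adds a second check the thread only hints at with "worm": one internal host contacting many external hosts on a single port.

```python
"""Outbound-baseline detector (constructed example).

Learn which (protocol, destination port) services legitimately leave the
network, then alert on outbound connections to services never seen before and
on one host fanning out to many external hosts on the same port.  The record
format and address ranges are assumptions, not any product's native format.
"""
from collections import defaultdict
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed office address space

# Constructed sample records: "<time> <src>:<sport> -> <dst>:<dport> <proto>"
BASELINE_LOG = [                                      # a quiet period believed clean
    "09:00:01 10.0.1.5:51000 -> 93.184.216.34:443 tcp",
    "09:00:02 10.0.1.6:51001 -> 93.184.216.34:80 tcp",
    "09:00:03 10.0.1.5:51002 -> 8.8.8.8:53 udp",
    "09:00:04 10.0.1.7:51003 -> 203.0.113.10:443 tcp",
    "09:00:05 10.0.1.6:51004 -> 198.51.100.20:25 tcp",
]
CURRENT_LOG = [
    "13:00:01 10.0.1.5:52000 -> 93.184.216.34:443 tcp",
    "13:00:02 10.0.1.9:52001 -> 198.51.100.77:6667 tcp",  # port never seen leaving before
    "13:00:06 10.0.1.6:52011 -> 198.51.100.20:25 tcp",
    "13:00:07 10.0.1.5:52012 -> 10.0.2.15:445 tcp",       # internal to internal, not outbound
] + [f"13:00:03 10.0.1.9:{52002 + i} -> 203.0.113.{i + 1}:445 tcp"
     for i in range(8)]                                  # one host hitting 8 external SMB ports


def parse(line):
    """Split one record into its fields."""
    ts, src, _, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip, "dport": int(dport), "proto": proto}


def is_outbound(rec):
    """True when the source is internal and the destination is not."""
    return (ipaddress.ip_address(rec["src"]) in INTERNAL_NET
            and ipaddress.ip_address(rec["dst"]) not in INTERNAL_NET)


def learn_baseline(lines):
    """Collect the (proto, dport) services seen leaving during a clean period.
    This is the 'turn everything off and tune to your own traffic' step:
    only what was observed here is treated as normal."""
    return {(r["proto"], r["dport"]) for r in map(parse, lines) if is_outbound(r)}


def detect(lines, baseline, suppressed=frozenset(), fanout_threshold=5):
    """Return alerts for (a) outbound services absent from the baseline, unless
    tuned out via `suppressed`, and (b) one internal host contacting at least
    `fanout_threshold` distinct external hosts on the same port."""
    alerts = []
    seen_new = set()                  # dedupe new-service alerts per (src, proto, dport)
    fanout = defaultdict(set)         # (src, proto, dport) -> external hosts contacted
    for rec in map(parse, lines):
        if not is_outbound(rec):
            continue
        svc = (rec["proto"], rec["dport"])
        key = (rec["src"],) + svc
        if svc not in baseline and svc not in suppressed and key not in seen_new:
            seen_new.add(key)
            alerts.append(("new-service", rec["src"], rec["proto"], rec["dport"]))
        fanout[key].add(rec["dst"])
    for (src, proto, dport), hosts in fanout.items():
        if len(hosts) >= fanout_threshold:
            alerts.append(("fan-out", src, proto, dport, len(hosts)))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOG)
    for alert in detect(CURRENT_LOG, base):
        print(alert)
```

The `suppressed` set is where the tuning lives: when a new-service alert turns out to be a legitimate application, its (proto, port) pair is added there and the alert goes quiet, while the fan-out check still fires on that port because scanning behaviour is judged separately from whether the service is known.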
