Forwarded from: Russell Coker <russellat_private>

Gary's posting had many good points, however there is one issue that I query:

> An IPS, being in-line, does not have the indulgence of being able to
> be highly sensitive to everything an IDS can. Since it is making the
> decision to pass or not pass traffic, it has no room for
> misjudgment. As such, that places severe limitations on its
> ability to find things off-line analysis offers. In addition,
> analysis is limited to what can be accomplished in fractions of a
> second. There is no opportunity for *real* analysis and correlation.

Why can't an IPS be configured to log certain operations instead of denying them? Surely any good security tool should have the following options:

1) Quietly deny (routine errors such as unwanted SMB broadcasts and attacks that are much too popular such as that SQL Server worm).

2) Deny and log (things that we don't want and don't expect to happen often or which we want to respond to).

3) Allow (regular traffic).

4) Allow and log (traffic that we are unsure about but are forced to permit, and traffic that is routine but which is significant for auditing).

As far as I am aware all firewalls have all four options, and I would expect all IPS systems to have them too. Of course some products may fall short of my expectations, but that is only a problem with the implementations in question, not with the concept.

Can't we think of an IPS as just an IDS with the option of blocking? Therefore if you configure the IPS for options 3 and 4 only then it will be an IDS.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
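The four dispositions above, and the claim that an IPS restricted to options 3 and 4 degrades to an IDS, as an added toy policy engine (not code from the list post or from any product): a first-match rule table with the four actions, plus an `inline` switch that, when off, downgrades every deny to allow+log so the same rules only detect. Rule names, ports and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class Action(Enum):
    DENY = "deny"            # option 1: quietly deny
    DENY_LOG = "deny+log"    # option 2: deny and log
    ALLOW = "allow"          # option 3: allow
    ALLOW_LOG = "allow+log"  # option 4: allow and log

@dataclass
class Rule:
    name: str
    action: Action
    proto: Optional[str] = None   # "tcp"/"udp", or None for any protocol
    dport: Optional[int] = None   # destination port, or None for any port

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))

# Constructed rule set: first match wins; no match means plain allow (option 3).
RULES: List[Rule] = [
    Rule("smb-broadcast", Action.DENY, proto="udp", dport=137),      # noise, drop silently
    Rule("sql-resolution", Action.DENY, proto="udp", dport=1434),    # worm traffic, drop silently
    Rule("telnet", Action.DENY_LOG, proto="tcp", dport=23),          # unwanted and worth a look
    Rule("http", Action.ALLOW_LOG, proto="tcp", dport=80),           # permitted but audited
]

def evaluate(pkt: dict, rules: List[Rule] = RULES, inline: bool = True) -> Tuple[bool, Optional[str]]:
    """Return (passed, log_line). inline=False is the IDS-only configuration:
    both deny actions are downgraded to allow+log, so nothing is ever blocked
    but every rule hit is still recorded."""
    rule = next((r for r in rules if r.matches(pkt)), None)
    action = rule.action if rule else Action.ALLOW
    if not inline and action in (Action.DENY, Action.DENY_LOG):
        action = Action.ALLOW_LOG
    passed = action in (Action.ALLOW, Action.ALLOW_LOG)
    log_line = None
    if action in (Action.DENY_LOG, Action.ALLOW_LOG):
        log_line = (f"{action.value} {rule.name if rule else '-'} "
                    f"{pkt['src']}->{pkt['dst']}:{pkt['dport']}/{pkt['proto']}")
    return passed, log_line

if __name__ == "__main__":
    # Constructed sample traffic, run once in-line and once in monitor mode.
    sample = [
        {"src": "10.0.0.5", "dst": "10.0.0.255", "proto": "udp", "dport": 137},
        {"src": "10.0.0.9", "dst": "10.0.0.20", "proto": "tcp", "dport": 23},
        {"src": "10.0.0.9", "dst": "10.0.0.80", "proto": "tcp", "dport": 80},
    ]
    for mode in (True, False):
        for p in sample:
            print("inline " if mode else "monitor", evaluate(p, inline=mode))
```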
This archive was generated by hypermail 2b30 : Tue Jun 17 2003 - 02:26:33 PDT