Michael R. Farnum

Hitting the Security Nerve

Experts say IDS here to stay after all - really???

So IDS isn't dead? Uh, a big DUH is appropriate here. I'm not trying to poke fun at the author of the story, but this has been known for a while now. I'm glad to see it stated so plainly in a reputable web publication, but it is not a new story.


I used an IDS in my last job, even with an IPS in my network. The reason is that an IPS is almost always an inline device: it sits at the ingress/egress point and blocks traffic that passes through it. Because it only sees what crosses that point, it gives you no real visibility into what is happening inside your network. To get an eye on what is bouncing around in your core or distribution layers, you need a passive sensor looking at the traffic via a SPAN (mirror) port or a tap. One caveat when you do that: a SPAN session only mirrors the ports or VLANs you tell it to, and traffic switched locally within a single access VLAN never reaches the core at all, so the sensor's visibility is only as good as the placement of the mirror. Just like the article says:

IDS products will probably remain as separate devices because of the need to monitor happenings on a network and monitor actions of other policy enforcement points.


Richard Bejtlich says:

What's an "IPS" anyway? It's a filtering device, aka "firewall." What's an "IDS"? It's an attack or incident indication system. The two functions are completely different and should be separate.


The article also states that the IPS is being rolled up into the firewall, while the IDS will likely keep its relevance as a stand-alone product for a while. Yes, the IPS is being rolled up into the firewall to a high degree. But it still has some life as a stand-alone product as well. It really depends on the situation. I am writing a post now over at my personal blog so I can include some drawings and more explanation.
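To make the visibility argument concrete, here is an added example (not code from the original post or from any product it mentions). It models a small three-tier network and asks, for a handful of constructed flow records, which ones an inline IPS at the Internet edge would ever see versus a passive IDS hung off a SPAN session on the core switch. The VLAN layout, the set of mirrored VLANs, the lateral-movement port list and the flows themselves are all assumptions made up for the example.

```python
"""Which flows does each sensor placement actually see?

Added example, not code from the original post. It models the point above:
an inline IPS at the Internet edge sees only traffic crossing the boundary,
while a passive IDS on a core-switch SPAN session sees whatever the session
mirrors, including internal-to-internal traffic. The VLAN layout, the SPAN
sources and the flow records are all constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed VLAN layout (assumption): subnets routed by the core switch.
VLANS = {
    "users": ipaddress.ip_network("10.1.0.0/24"),
    "servers": ipaddress.ip_network("10.2.0.0/24"),
    "dmz": ipaddress.ip_network("10.3.0.0/24"),
}

# VLANs mirrored by the core SPAN session the IDS is attached to (assumption).
SPAN_SOURCES = {"users", "servers"}

# Destination ports that, between two internal hosts, are worth an alert.
LATERAL_PORTS = {135: "MS-RPC", 445: "SMB", 3389: "RDP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def vlan_of(ip: str) -> Optional[str]:
    """Name of the internal VLAN holding ip, or None for anything outside."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def inline_perimeter_sees(flow: Flow) -> bool:
    """An inline edge IPS only sees flows with one internal and one external end."""
    return (vlan_of(flow.src) is None) != (vlan_of(flow.dst) is None)


def core_span_sees(flow: Flow) -> bool:
    """A passive IDS on the core SPAN sees inter-VLAN flows touching a mirrored VLAN.

    Two hosts in the same VLAN talk through the access switch; that traffic
    never reaches the core, so the SPAN session cannot mirror it.
    """
    s, d = vlan_of(flow.src), vlan_of(flow.dst)
    if s is not None and s == d:
        return False
    return s in SPAN_SOURCES or d in SPAN_SOURCES


def lateral_alerts(flows: List[Flow], sees: Callable[[Flow], bool]) -> List[Flow]:
    """Internal-to-internal flows on a lateral-movement port that the sensor sees."""
    return [
        f for f in flows
        if sees(f)
        and vlan_of(f.src) is not None
        and vlan_of(f.dst) is not None
        and f.dport in LATERAL_PORTS
    ]


# Constructed flow records (assumption), e.g. exported from NetFlow.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.3.0.10", 443),   # Internet -> DMZ web server
    Flow("10.1.0.7", "198.51.100.20", 443),  # user -> Internet
    Flow("10.1.0.7", "10.2.0.5", 445),       # user -> server share (lateral)
    Flow("10.1.0.7", "10.1.0.9", 445),       # user -> user, same VLAN
    Flow("10.2.0.5", "10.2.0.6", 3389),      # server -> server, same VLAN
    Flow("10.1.0.8", "10.2.0.5", 3389),      # user -> server RDP (lateral)
]


def coverage(flows: List[Flow] = SAMPLE_FLOWS) -> Dict[str, List[Flow]]:
    """Compare what each placement sees and which lateral-movement flows it can alert on."""
    return {
        "perimeter_ips": [f for f in flows if inline_perimeter_sees(f)],
        "core_ids": [f for f in flows if core_span_sees(f)],
        "lateral_alerts_perimeter": lateral_alerts(flows, inline_perimeter_sees),
        "lateral_alerts_core": lateral_alerts(flows, core_span_sees),
        "blind_to_both": [
            f for f in flows if not inline_perimeter_sees(f) and not core_span_sees(f)
        ],
    }


if __name__ == "__main__":
    for name, seen in coverage().items():
        print(f"{name}:")
        for f in seen:
            print(f"  {f.src} -> {f.dst}:{f.dport}")
```

Run as-is, the perimeter IPS sees only the two flows that cross the edge and raises no lateral-movement alerts at all; the core IDS sees the user-to-server SMB and RDP flows and can alert on both. The two same-VLAN flows are blind to both sensors, which is the SPAN placement caveat: they are switched in the access layer and never reach the mirrored core, so catching them takes a mirror on the access switches or a host-based sensor.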


What People Are Saying

OK, not sure about the first

OK, not sure about the first comment, so I will leave that one alone.

On to Alan's comment.

Alan, I think visibility is a very good thing to have in your network, even if you are having to act reactively to it. Proactive is definitely preferable, but with most IPS deployments being inline, you cannot see what is happening inside your network. You can only see what is going in and out of your network.

Basically, if I do not have the infrastructure in place to react, why would I choose to ignore it? I still want to know it is happening. Thinking that data is useless is ridiculous.

Again, I think automation is preferable, just as you say in your post. But I don't think everyone is at a point to have that, even in the next 5 years. From a realistic POV, I see people WANTING stuff every day, but when I give 'em a price tag, they yak all over the place. So as long as those people can buy an IDS and throw it on a span port and get some info as to what is going on in their network, then manufacturers will build the IDS.

Michael R. Farnum

Better to be despised for too anxious apprehensions than ruined by too confident a security.
Edmund Burke (1729 - 1797)

Michael- I agree with

Michael, I agree with Richard Stiennon on this one. What good is the visibility if you can't do anything about it? I think IDS attack detection is just an element of intrusion prevention. I think both, however, have a limited exposure as stand-alone technologies. They are rapidly being rolled up into newer security technologies (UTM, NAC, etc.). I have written more about this and the Brenner article you talk about on my blog here.

Who uses IPS anymore?

Who uses IPS anymore? Personally I use the more up to date UPS. It's also an in-line device--but, with batteries included!

IDS has been supplanted by IP not the other IP, which of course is copyrighted. But real IP. ISDN is cute, too. Although not as copyrightable.

My fav is ANTWERP! Which of course is a city in Europe. The NYPD ain't all that bad either. Vista still sucks, though. Sucks so bad, it gives NASA somewhere to be ON ORBIT.

BTW, while we're doing acronyms what's a DUH? Especially a big DUH?