Wednesday, April 16, 2003

IPS vs IDS

Articles like "Intrusion prevention: IDS' 800-pound gorilla" make me sick. Quotes like this demonstrate the ignorance of the speaker:


Intrusion-detection systems do a good job of telling companies whether they are being compromised or attacked. So good, in fact, that some question whether systems should go a step further and prevent incidents. It doesn't seem much of a stretch to have systems "flip a switch instead of alerting" when an anomaly is found, said Pete Lindstrom, research director of Malvern, Pa.-based Spire Security.


Argh! Thankfully the same article shows some people still understand this issue:


Other companies, however, see their intrusion-prevention products as usurping IDS. Martin Roesch, cofounder and CTO of Columbia, Md.-based Sourcefire, which sells the commercial version of the open-source intrusion-detection system Snort, rejects such a suggestion. "Anyone who tries to sell you an intrusion-prevention system at the expense of an intrusion-detection system doesn't understand the problem stack," he said. "Intrusion prevention is access control. Intrusion detection is monitoring."
Sourcefire will probably play in the intrusion-prevention space at some point. "We see value in having an access control role on the network as well as a network-monitoring role, because it allows us to leverage the information to enhance monitoring and protection," Roesch said. "You can't have one without the other."
