A very fun intrusion prevention debate!
by Anton Chuvakin
For those in the security industry watching the IDS vs IPS debate (and, I guess, that is pretty much everybody), this article will be a very fun and insightful read. Marc Willebeek-LeMair (3Com/TippingPoint) and Martin Roesch (Snort/Sourcefire) debate the role and value of a modern network IPS.
The presented debate gets emotional at times :-) and it is very tempting to choose a side. I will side with Mr Snort on this one: IPS is a great thing, but overselling it as a comprehensive security solution to prevent all threats in a proactive manner (especially at the cost of security-minded infrastructure design) is a bit too much for me...
IPS is another name for a firewall
The gentleman from TippingPoint seems to believe that firewalls are only at the perimeter, not deep inside the network, and *that's* being misinformed. Large networks are frequently segmented by firewalls, much like a submarine can close off sections in event of a hull breach.
I have attended a couple of Sourcefire dog-and-pony shows, and that IS a kool-aid stain on my shirt. I think IPS has some points in its favor, but it is absolutely NOT a comprehensive solution. To call on Bruce Schneier, Tipping Point is a product, not a process... Sourcefire really comes close to productizing the process of security, at least in the marketing materials. It is inarguable (to me, anyway) that intrusion prevention should take place not just at the point and moment of attack, but before, when vulnerable hosts are communicating on the network, and after, when they've been 0wn3d but you can still mitigate. That's a much more complete view of the problem domain, and so far only Sourcefire seems to get it.