A very fun intrusion prevention debate!

by Anton Chuvakin

Related link: http://www.infoworld.com/article/05/05/09/19FEipsids_1.html

For those in the security industry watching the IDS vs IPS debate (and, I guess, that is pretty much everybody), this article will be a very fun and insightful read. Marc Willebeek-LeMair (3Com/TippingPoint) and Martin Roesch (Snort/Sourcefire) debate the role and value of a modern network IPS.

The presented debate gets emotional at times :-) and it is very tempting to choose a side. I will side with Mr Snort on this one: IPS is a great thing, but overselling it as a comprehensive security solution to prevent all threats in a proactive manner (especially at a cost of security-minded infrastructure design) is a bit too much for me...


2005-05-10 13:20:55
IPS is another name for a firewall
The gentleman from TippingPoint seems to believe that firewalls are only at the perimeter, not deep inside the network, and *that's* being misinformed. Large networks are frequently segmented by firewalls, much like a submarine can close off sections in event of a hull breach.

But an IPS is just a firewall, anyway. Decisions are based on data deeper into the payload than just protocols, but it's determining whether or not to pass a packet based on information in the packet and a defined rulebase. IDS and IPS are complementary as they serve very different functions, but IPS and firewalls will continue to merge. The distinction between these two is minimal and will continue to shrink, but it's much more difficult to determine what a packet should look like (many exploits are perfectly valid packets, don't break the protocol, and instead hit the application).
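
To make the commenter's point concrete, here is a small added example (constructed for this page; not code from the post, the commenters, Snort or TippingPoint) of a rule-based inline filter. The packet structure, the rule fields and the sample packets are all assumptions. A header-only rulebase, which is what a classic firewall applies, passes a syntactically valid HTTP request that carries a directory-traversal string; the same engine with a payload `content` rule drops it inline (IPS behaviour) or merely alerts when run passively (IDS behaviour).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified packet model: a few header fields plus the raw payload.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""

# A rule is a set of header conditions plus optional payload conditions and an action.
# "drop" is the IPS-style verdict; in passive (IDS) mode it degrades to "alert".
@dataclass
class Rule:
    name: str
    action: str                       # "pass" or "drop"
    proto: Optional[str] = None
    dport: Optional[int] = None
    content: Optional[bytes] = None   # literal substring that must appear in the payload
    pcre: Optional[str] = None        # regular expression applied to the payload

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        if self.pcre is not None and re.search(self.pcre.encode(), pkt.payload) is None:
            return False
        return True

def evaluate(pkt: Packet, rules: List[Rule], inline: bool = True) -> Tuple[str, Optional[str]]:
    """First matching rule wins; unmatched traffic is dropped (default deny).
    inline=True  -> IPS: a 'drop' rule blocks the packet.
    inline=False -> IDS: the same rule only raises an alert; the packet is forwarded."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "drop" and not inline:
                return ("alert", rule.name)
            return (rule.action, rule.name)
    return ("drop", None)

# Header-only rulebase: what a traditional packet-filtering firewall can express.
FIREWALL_RULES = [
    Rule("block-telnet", "drop", proto="tcp", dport=23),
    Rule("allow-http", "pass", proto="tcp", dport=80),
]

# Same engine, plus a payload rule placed ahead of the header-only allow.
IPS_RULES = [
    Rule("block-telnet", "drop", proto="tcp", dport=23),
    Rule("http-dir-traversal", "drop", proto="tcp", dport=80, content=b"../",
         pcre=r"^GET\s+/\S*\.\./"),
    Rule("allow-http", "pass", proto="tcp", dport=80),
]

# Constructed sample traffic. The traversal request is well-formed HTTP: nothing in the
# headers distinguishes it from the benign one, only the payload does.
SAMPLE_PACKETS = {
    "normal":    Packet("10.0.0.5", "10.0.1.20", "tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    "traversal": Packet("10.0.0.5", "10.0.1.20", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    "telnet":    Packet("10.0.0.5", "10.0.1.20", "tcp", 23, b"\xff\xfd\x18"),
}

def run_demo() -> dict:
    """Evaluate every sample packet under the three policies; returns verdicts keyed by (packet, policy)."""
    results = {}
    for name, pkt in SAMPLE_PACKETS.items():
        results[(name, "firewall")] = evaluate(pkt, FIREWALL_RULES)
        results[(name, "ips")] = evaluate(pkt, IPS_RULES, inline=True)
        results[(name, "ids")] = evaluate(pkt, IPS_RULES, inline=False)
    return results

if __name__ == "__main__":
    for (name, policy), verdict in run_demo().items():
        print(f"{name:10s} {policy:9s} -> {verdict}")
```

The only difference between the "firewall" and "ips" columns is one rule that looks into the payload; the only difference between "ips" and "ids" is whether the engine sits inline and is allowed to enforce its verdict. That is the sense in which the comment calls an IPS a firewall with deeper inspection, and why a payload rule is needed for exploits that never violate the protocol.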

2006-05-17 16:39:52
I have attended a couple of Sourcefire dog-and-pony shows, and that IS a kool-aid stain on my shirt. I think IPS has some points in its favor, but it is absolutely NOT a comprehensive solution. To call on Bruce Schneier, TippingPoint is a product, not a process... Sourcefire really comes close to productizing the process of security, at least in the marketing materials. It is inarguable (to me, anyway) that intrusion prevention should take place not just at the point and moment of attack, but before, when vulnerable hosts are communicating on the network, and after, when they've been 0wn3d but when you can still mitigate. That's a much more complete view of the problem domain, and so far only Sourcefire seems to get it.