Closing remarks on the network IPS poll

by Anton Chuvakin

So, a while ago I did this poll on network intrusion prevention mishaps. What are the results and what do they tell us?

* Block and NOT alert you on the threat at all (45%)
* Alert but NOT block the threat (29%)
* Block and NOT tell you what specifically was blocked (18%)
* What is an intrusion prevention system? (5%)

So, it was pretty obvious that a majority of respondent NIPS users (45%) would be pretty upset about the silent blocking - the first case above. And the hidden motivation for this poll was actually a story relayed to me by a friend who was recently involved in a "major" NIPS evaluation for a "leading" magazine. It turns out that one of the common NIPS devices is afflicted by that very thing - silently dropping certain suspicious packets without any record in the logs. Just think "broken application troubleshooting" and be terrified about wasted hours of system/network administrator time...