Security Related

Guy Mizrahi about Security and Technology.


June 25, 2010 By: Guy Mizrahi Category: Security, Technology

A couple of days ago, during a lesson (there is a course in Israel called CISO and I am one of the instructors), I talked about IDS and IPS systems.

For those of you who are not familiar with these systems:

IDS stands for Intrusion Detection System and IPS stands for Intrusion Prevention System.

As you can guess from the names, the two are closely related: both inspect network traffic for attack patterns; the difference is whether the device only reports what it sees or also acts on it.

In many cases, when I do my consulting work, I see an IPS device in an organization, and when I ask why they chose an IPS over an IDS there is no answer.

When you look closely, you find that the actual requirement was to alert when there is an intrusion. There is no need to take action, just to alert, so why choose an IPS over an IDS? When you look even closer, you find that this was the recommendation of the previous consultant and no one ever said otherwise.

Is this a problem? Maybe. I'll explain.

An IPS is a device that sits inline and interferes with network traffic. That ability to interfere is exactly what lets an attacker identify that there is an IPS on the network: the attacker can see that some packets do not do what they were supposed to do (a request carrying a known attack pattern is dropped or reset while a harmless request to the same server goes through).

I think that the main problem with an IPS is that the attacker knows it is there.

If you do not need an active defense, you should consider an IDS.

From the attacker's point of view it is not present on the network.

The monitor (SPAN/mirror) port where you place an IDS probe is completely silent: it receives a copy of the traffic and cannot interfere with the original.

From the attacker's view there is nothing to worry about, and on your side you can see all the alerts in your SIEM and instruct the SOC to react.

Another consideration: if the attacker knows about the IPS, he can fingerprint it and may have a way to attack the device itself, a 0-day for the IPS.
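To make the two points above concrete (an inline IPS changes the traffic an attacker sees, a probe on a mirror port does not), here is a small model, added for this article and not code from the original post or from any IDS/IPS product. The server, the two constructed signatures, the client and server addresses and the benign and probe requests are all assumptions; the attacker-side check compares the response to a harmless request with the response to a request that matches a signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed signatures for the model (not a real IDS/IPS ruleset).
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "sqli-union-select": re.compile(rb"(?i)union\s+select"),
}


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    rst: bool = False  # True when this is a TCP reset injected by a sensor


@dataclass
class Alert:
    sensor: str
    rule: str
    src: str


class Server:
    """Protected web server (constructed): answers 200 to whatever reaches it."""

    def __init__(self, addr: str) -> None:
        self.addr = addr

    def handle(self, pkt: Packet) -> Packet:
        return Packet(self.addr, pkt.src, b"HTTP/1.1 200 OK\r\n\r\n")


class PassiveIDS:
    """Probe on a SPAN/mirror port: inspects a copy, can only raise alerts."""

    def __init__(self, siem: List[Alert]) -> None:
        self.siem = siem  # alerts land in the SIEM for the SOC to act on

    def observe(self, pkt: Packet) -> None:
        for rule, rx in SIGNATURES.items():
            if rx.search(pkt.payload):
                self.siem.append(Alert("ids", rule, pkt.src))


class InlineIPS:
    """Device in the traffic path. action: 'reset', 'drop' or 'alert' (detect only)."""

    def __init__(self, siem: List[Alert], action: str = "reset") -> None:
        if action not in ("reset", "drop", "alert"):
            raise ValueError(action)
        self.siem = siem
        self.action = action

    def inspect(self, pkt: Packet) -> str:
        """Verdict for one packet: 'pass', 'reset' or 'drop'."""
        for rule, rx in SIGNATURES.items():
            if rx.search(pkt.payload):
                self.siem.append(Alert("ips", rule, pkt.src))
                return "pass" if self.action == "alert" else self.action
        return "pass"


def transmit(pkt: Packet, server: Server, ids: Optional[PassiveIDS] = None,
             ips: Optional[InlineIPS] = None) -> Optional[Packet]:
    """Carry one client packet to the server; return what the client gets back.

    The IDS only sees a mirrored copy, so it never changes the result.
    The IPS sits between client and server and decides if the packet continues.
    """
    if ids is not None:
        ids.observe(pkt)
    if ips is not None:
        verdict = ips.inspect(pkt)
        if verdict == "reset":
            return Packet(pkt.dst, pkt.src, b"", rst=True)
        if verdict == "drop":
            return None  # the client just sees a timeout
    return server.handle(pkt)


# Constructed requests: one harmless, one that trips the path-traversal rule.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
PROBE = b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


def fingerprint(server: Server, ids: Optional[PassiveIDS] = None,
                ips: Optional[InlineIPS] = None,
                client: str = "198.51.100.7") -> str:
    """Attacker's test: does a signature-matching request behave like a benign one?"""
    benign = transmit(Packet(client, server.addr, BENIGN), server, ids, ips)
    probe = transmit(Packet(client, server.addr, PROBE), server, ids, ips)
    if benign is None or benign.rst:
        return "unreachable"
    if probe is None:
        return "inline-drop"
    if probe.rst:
        return "inline-reset"
    return "no-inline-filtering"


if __name__ == "__main__":
    srv = Server("203.0.113.10")
    for label, sensors in (("passive IDS", {"ids": PassiveIDS([])}),
                           ("IPS, prevention mode", {"ips": InlineIPS([], "reset")}),
                           ("IPS, detect-only mode", {"ips": InlineIPS([], "alert")})):
        print(f"{label:22s} -> attacker sees: {fingerprint(srv, **sensors)}")
```

With the passive probe the attacker gets a 200 for both requests and the only trace is an alert in the SIEM; with the inline device in prevention mode the second request is reset or times out, which is the difference the attacker looks for. The detect-only IPS behaves like the IDS here, which is why the article treats it as one. A real fingerprint would also look at timing, TTLs and the details of the injected reset, and a silent drop is harder to tell apart from an ordinary firewall rule than a reset is.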

So why use an IPS? Because there are places that need to respond automatically when they are under attack. Some people will say that is most places.

All I am saying is: don't go with an IPS because someone said it is better. You need to consider whether you need the functionality of an active system that responds to an attack. If so, an IPS is a good decision; otherwise, you need to think about it.

By the way: for this article, I consider an IPS that is not in prevention mode to be an IDS.
