IDS vs IPS

Dominic White

 

IDS vs IPS

I recently ran into this debate at a client, and even though I had a fairly good understanding of this issue, the thoughts only struck me with clarity today. This will be fairly obvious to many people, but unfortunately, not all. Hopefully Google will help broadcast my purported clarity.

If even faced with the question; "Shall we purchase and IDS or an IPS." The first step is to make it clear that this isn't a dichotomy. Next, (depending on the network) the second step should be to say "Buy an IPS", and the only real decision will be which one (Sourcefire, TippingPoint etc.) and where to put it/them. The third step is to sit down and work out if they could benefit from an IDS.

The essential difference, is that an IPS will provide an incremental improvement in network security (ala Defense in Depth) and should be though of much like AV. It will block the obvious attacks when they happen and you don't need to give it much care and feeding.

An IDS on the other hand should be thought of as active network monitoring of the sort Bet espouses with his theories on extrusion detection. This has benefits outside of security, such as identifying mis-configured servers, wayward laptops etc. Ideally, all organisations should have this in place, but realistically some organisations may need to get to some of the basics first before an IDS will be able to provide much useful information. For example, I've seen some flat networks out there.

Monday, October 1. 2007
Posted by Dominic White in Security
Comments (0) | Trackbacks (0)

 

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

No comments

Add Comment