[Snort-users] Re: [Snort-devel] IDS vs IPS

Frank Knobbe frank at ...2134...
Tue Sep 2 05:43:43 EDT 2003

I'll cut down to gist of it...

On Sun, 2003-08-31 at 10:32, Mark Teicher wrote:
> Jeff said:
> As it relates to computer networks, IPS would have to be gateway intrusion 
> detection (aka in-line intrusion detection).  Indeed, if a firewall vendor 
> thinks they're moving into this space I'd love to hear about their design 
> and implementation.  Also, if a company is moving into this space 
> exclusively I'd love to hear about their technology.
> Mark said:
>  Another inline device.  Jeff, Are you stating that an enterprise 
> organization should trust an IPS vendor by allowing to put their 
> hardware/software inline with their network connectivity, be it external or 
> internal??

I think this is a good example for the reason this discussion is going
nowhere. We should be debating what an IPS is from a technical
perspective. Instead we argue if they are good or bad, and how good, how
bad. We should leave personal opinion and qualitative statements out of
the discussion and focus on the definition.

Now we all agree that certain implementations are flawed while others
show promise. We understand that putting too much faith into a product
that sits inline, is a choke point, may not be a good idea. Other may
argue that firewalls do that so it's okay. Let's not get hung up on
those issues. Let's get back to the definition.

We also acknowledge that Intrusion Prevention System is mostly a
marketing term. Before the Prevention buzz word was thrown in, these
things were called Gateway IDS for lack of a better word. Today
Intrusion Prevention Systems include a wider variety than just GIDS.
HIPS comes to mind, so I guess we would have to disect what a HIPS (Host
IPS) is and what qualifies to deserve that name.

Theoretically *any* countermeasure could be called a Prevention system.
A hardened OS prevents intrusions. Are the Bastille scripts an IPS? Is
SecureIIS or similar wrappers an IPS?

Perhaps by discussion this down the right path we can show reasonably
well that the term is flawed, and perhaps through a collaborative paper
on the term of IPS we can convince the users/admins/buyers as well as
the vendors/market/industry to abandon use of that name...... Yeah, a
pipe dream.... but worth trying? If not, we don't even need to argue
here. Let's give our discussion a purpose or let it die.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030902/beea80ae/attachment.sig>

More information about the Snort-devel mailing list