Thursday, February 13, 2014

Intrusion Detection/Prevention Systems and Strategies

I guess I like to have my cake and eat it too.  Often in conversations about Disaster Recovery versus Disaster Avoidance, I just can't understand why I wouldn't want both.  The same goes for Intrusion Detection Systems versus Intrusion Prevention Systems, since most devices sold today can run in either mode for your network.

http://www.inetu.net/about/server-smarts-blog/february-2011/intrusion-detection-or-prevention-ids-vs-ips

The big difference is where each system sits.  An IDS inspects a copy of your network traffic (fed from a SPAN port or a tap) and can only raise alerts, while an IPS sits inline in the live traffic path and can drop or reset what it sees.  These can be viewed as passive (IDS) and active (IPS) systems.  Nothing is perfect, so things will get past an active system that the passive system may still catch: an inline device has to make a pass-or-drop decision on each packet within a tight latency budget, whereas a passive sensor can buffer, reassemble streams, and dig deeper into traffic and logs without holding anything up.

https://www.sans.org/reading-room/whitepapers/detection/understanding-intrusion-detection-systems-337
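To make the passive-versus-inline trade-off concrete, here is a toy signature engine run in both modes over the same constructed traffic.  This is example code added for this post, not from any IDS/IPS product; the signature, the `Packet` record and the three sample packets are all made up.  Flow A carries the pattern in one packet; flow B carries the same pattern split across a segment boundary, which a per-packet inline check misses but a reassembling passive sensor catches.

```python
"""
Toy signature engine in two modes (constructed example, not product code):
  - ids_passive: inspects a copy, reassembles each flow, only alerts
  - ips_inline:  sees each packet once, must pass or drop it before forwarding
"""
from dataclasses import dataclass

# Constructed signature: a byte pattern we want to flag in HTTP request bodies.
SIGNATURES = {
    "cmd-injection": b"; cat /etc/passwd",
}


@dataclass(frozen=True)
class Packet:
    flow: str       # stand-in for the 5-tuple identifying the connection
    seq: int        # TCP sequence number (constructed)
    payload: bytes


def match(data: bytes):
    """Return the name of the first signature found in data, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def ips_inline(packets):
    """Inline mode: decide per packet, with no buffering.
    A matching packet is dropped and never forwarded.
    Returns (forwarded_packets, alerts)."""
    forwarded, alerts = [], []
    for p in packets:
        hit = match(p.payload)
        if hit:
            alerts.append((hit, p.flow, p.seq, "drop"))
            continue                      # dropped before reaching the server
        forwarded.append(p)
    return forwarded, alerts


def ids_passive(packets):
    """Passive mode: works on a copy, reassembles each flow by sequence
    number, then matches on the whole stream. It only alerts; it never
    touches the live traffic. Returns the list of alerts."""
    streams = {}
    for p in packets:
        streams.setdefault(p.flow, []).append(p)
    alerts = []
    for flow, pkts in streams.items():
        data = b"".join(p.payload for p in sorted(pkts, key=lambda p: p.seq))
        hit = match(data)
        if hit:
            alerts.append((hit, flow, None, "alert"))
    return alerts


# Constructed traffic. Flow A: signature intact in a single packet.
# Flow B: the same signature split across two segments (payload of the
# first segment is 38 bytes, so the second starts at seq 39).
TRAFFIC = [
    Packet("A", 1, b"POST /run HTTP/1.1\r\n\r\ncmd=ls; cat /etc/passwd"),
    Packet("B", 1, b"POST /run HTTP/1.1\r\n\r\ncmd=ls; cat /etc"),
    Packet("B", 39, b"/passwd"),
]


def compare(packets=TRAFFIC):
    """Run both modes over the same packets and summarise what each saw."""
    forwarded, ips_alerts = ips_inline(packets)
    ids_alerts = ids_passive(packets)
    return {
        "ips_dropped_flows": sorted({a[1] for a in ips_alerts}),
        "ips_forwarded": len(forwarded),
        "ids_alert_flows": sorted({a[1] for a in ids_alerts}),
    }


if __name__ == "__main__":
    print(compare())
```

The inline engine drops flow A but forwards both halves of flow B to the server, while the passive sensor alerts on both flows.  Real inline products do reassemble streams too, but to do so they must hold packets until the stream can be judged, which is exactly the latency cost weighed when deciding how many inline devices to put in the path.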

Determining when and where to deploy these systems can be a source of contention.  The security guys want one on every network segment and every VLAN, with a couple monitoring the core and a few thrown in to monitor the monitoring traffic.  The network guys usually want one per entry point, POP, or VPN access.  A compromise between security, performance, and cost has to be reached, as each unit can cost from a few hundred to several thousand dollars, depending on the requirements, functionality, and throughput of the unit.  Each inline device also adds latency: a single inspection takes well under a millisecond, but a packet that crosses several inline devices pays that cost at each one, and added up over all the traffic on your network it can end up being significant.

http://netsecurity.about.com/cs/hackertools/a/aa030504.htm

No one piece of equipment or technology should make up your entire security strategy.  An IDS or IPS should be part of a layered security approach that includes network, systems, applications, and physical security.  I once attended a class that spent several hours explaining how to defend against an attacker connecting directly to your Fibre Channel switches in the datacenter and stealing data.  I kind of figured that if I was able to get into a datacenter and couldn't break into the switch, I'd just cart the entire SAN out with me to a place where I could take my time with it.  The point of the story is that it will do no good to spend a lot of time securing servers from outside attack if someone could just walk in and plug into my unprotected network.

Security needs to be approached as a combination of protections, starting from the outside and working inward.  Secure the doors, secure the workstations, secure the servers and the network, and so on; otherwise, you could be locking the doors but leaving the windows open.

http://seann.herdejurgen.com/resume/samag.com/html/v08/i09/a7.htm
