Network World
Thursday, November 12, 2009

IPS vs. IDS


E-mail Ellen Messmer



Intrusion-prevention systems are in the news, with eEye Digital Security, Symantec and NFR Security each casting a hat into the IPS ring with a range of new products.

As the number of IPS products grows and they gain acceptance, the question remains: what is the future of passive-monitoring intrusion-detection systems? Will IDS sensors, which watch for attacks but can't block them, come to be seen as obsolete, as Gartner has suggested? Is IDS "dead"?

Some think IDS will live on, even if IPS products take the top spot as the equipment at the gateway or inside the network that stops computer worms, denial-of-service attacks and other attacks.

The University of North Carolina at Charlotte is testing IPS equipment from McAfee, TippingPoint and NFR Security with an eye toward deployment of selected equipment later this year. The university uses the NFR Security IDS and has begun testing NFR Security’s first IPS, which is called Sentivist.

Carter Heath, information technology security officer there, last week told me the university doesn’t plan to retire the older NFR Security IDS when it puts an IPS in place. "We want the IPS as the front-line device, but our strategy is to use IDS sensors to look at the scrubbed traffic and see if anything slips through," said Heath. That would make the IDS a check on the accuracy of the IPS since the IDS might notice something the IPS missed.

This is one reason to continue using passive-monitoring IDS even if an IPS is put in place in the network. Are there other reasons? Or is IDS a poor allocation of limited funds if an IPS is used? Let me know what you think.
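The layered deployment Heath describes, modeled as an added example that is not from the column or any vendor named in it: an inline IPS drops what its rules match, a passive IDS inspects only the scrubbed stream, and any IDS alert on that stream is, by construction, something the IPS let through. The rule sets, addresses and payloads are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes

# Constructed rule sets: (rule name, byte pattern). The IDS deliberately
# carries one rule the IPS lacks, standing in for a signature gap.
IPS_RULES = [("worm-a", b"WORM-A"), ("dos-flood", b"FLOOD")]
IDS_RULES = [("worm-a", b"WORM-A"), ("dos-flood", b"FLOOD"), ("worm-b", b"WORM-B")]

def match(rules, pkt):
    """Return the names of all rules whose pattern appears in the payload."""
    return [name for name, pattern in rules if pattern in pkt.payload]

def inline_ips(packets):
    """Inline device: drop matching packets, forward the rest ('scrubbed' traffic)."""
    forwarded, blocked = [], []
    for pkt in packets:
        hits = match(IPS_RULES, pkt)
        (blocked if hits else forwarded).append((pkt, hits))
    return [pkt for pkt, _ in forwarded], blocked

def passive_ids(packets):
    """Passive sensor: never alters the stream, only records alerts."""
    return [(pkt, match(IDS_RULES, pkt)) for pkt in packets if match(IDS_RULES, pkt)]

def ips_misses(packets):
    """IDS alerts raised on post-IPS traffic are exactly the IPS's misses."""
    scrubbed, _ = inline_ips(packets)
    return [(pkt.src, hits) for pkt, hits in passive_ids(scrubbed)]

# Constructed sample traffic: two attacks the IPS knows, one it does not, one benign.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", b"GET / WORM-A"),
    Packet("10.0.0.6", "192.0.2.10", b"FLOOD FLOOD FLOOD"),
    Packet("10.0.0.7", "192.0.2.10", b"POST /x WORM-B"),
    Packet("10.0.0.8", "192.0.2.10", b"GET /index.html"),
]

if __name__ == "__main__":
    for src, hits in ips_misses(SAMPLE):
        print(f"IPS miss from {src}: {hits}")
```

Run against real sensor output, the same comparison (IDS alerts downstream of the IPS) is the measurement Heath's strategy relies on to judge how much the IPS is actually catching.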
