When looking for a decent IPS/IDS/NBAD solution, I would suggest sorting it into the following highlights, or main features if I may:
1. Staying up to date on the known vulnerability database.
2. Having a zero-day implementation and detection system (NBAD or similar).
3. Filtering out false positives, yet not the real attacks.
4. Having a decent reporting utility to keep track of changes that are needed on the local infrastructure to adapt as the threats arise from different portions of the network.
5. A specific down to detail interface where you can define what machines can be blocked as a result of a threat, and which should only be notified.
Now, after these main issues have been solved, one can start adding additional features to the solution, and may even consider self-defending networks or similar.
But all in all - with a link to firewalls and/or with IPS functionality with switches, having the ability to define what's network critical and should never be blocked, and what's not is not just a good idea, it could save you a few phone calls asking where the domain controller went.
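To make the "block versus notify" distinction from points 3 and 5 concrete, here is an added example (not code from the poster or any product): a small alert-response policy in Python. It suppresses known false positives first, reports low-severity alerts instead of acting on them, and never auto-blocks traffic that touches a host on a "network critical" list, escalating those to a human instead. It also includes a ruleset-freshness check for point 1. The asset list, suppression rules, severity scale and the sample alerts are all constructed for illustration.

```python
"""Alert-response policy for an IDS/IPS (hypothetical example).

Decides per alert whether to BLOCK, NOTIFY, NOTIFY-CRITICAL or SUPPRESS,
honouring a list of network-critical hosts that must never be auto-blocked.
All addresses, signature names and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed asset inventory: hosts/subnets that must never be auto-blocked.
NEVER_BLOCK = [
    ip_network("10.0.0.10/32"),  # domain controller (hypothetical address)
    ip_network("10.0.0.0/29"),   # core infrastructure range (hypothetical)
]

# Constructed false-positive suppression rules: (signature id, source network).
# Example: an authorised vulnerability scanner that legitimately port-sweeps.
SUPPRESS = [
    ("SCAN-PORTSWEEP", ip_network("10.0.50.0/24")),
]

# Assumed severity scale 1-5; only alerts at or above this level are block-worthy.
SEVERITY_BLOCK = 3


@dataclass(frozen=True)
class Alert:
    sig: str       # signature / rule identifier
    src: str       # source IP as a string
    dst: str       # destination IP as a string
    severity: int  # 1 (informational) .. 5 (critical), assumed scale


def decide(alert: Alert) -> str:
    """Return the action for one alert: SUPPRESS, NOTIFY, NOTIFY-CRITICAL or BLOCK."""
    src = ip_address(alert.src)
    dst = ip_address(alert.dst)

    # 1. Drop known false positives first so they never reach a blocking decision.
    for sig, net in SUPPRESS:
        if alert.sig == sig and src in net:
            return "SUPPRESS"

    # 2. Low-severity alerts are only reported, never acted on automatically.
    if alert.severity < SEVERITY_BLOCK:
        return "NOTIFY"

    # 3. Never block traffic involving a critical host; page a human instead.
    if any(src in net or dst in net for net in NEVER_BLOCK):
        return "NOTIFY-CRITICAL"

    # 4. Everything else at block-worthy severity is blocked.
    return "BLOCK"


def triage(alerts):
    """Map a batch of alerts to (signature, source, action) tuples for reporting."""
    return [(a.sig, a.src, decide(a)) for a in alerts]


def ruleset_is_stale(last_update: date, today: date, max_age_days: int = 7) -> bool:
    """Point 1 of the list: flag a signature set that has not been refreshed recently."""
    return today - last_update > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample alerts exercising each branch of the policy.
    sample = [
        Alert("SCAN-PORTSWEEP", "10.0.50.7", "10.0.1.20", 2),   # authorised scanner
        Alert("EXPLOIT-SMB", "192.0.2.5", "10.0.0.10", 5),       # hits the DC
        Alert("EXPLOIT-SMB", "192.0.2.5", "10.0.1.20", 5),       # ordinary workstation
        Alert("POLICY-P2P", "192.0.2.9", "10.0.1.21", 1),        # informational only
    ]
    for row in triage(sample):
        print(row)
    print("ruleset stale:", ruleset_is_stale(date(2024, 1, 1), date(2024, 1, 10)))
```

The ordering matters: suppression runs before the severity gate so a noisy but authorised scanner cannot trip a block, and the critical-host check runs last so that even a top-severity alert against the domain controller produces a page rather than an automatic block.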
It's because of Beastie!
:-)
That's my story and I'm sticking with it.
My two cents.