Hello Luc,

I understand your dilemma in the fullest being in the area of implementing traditional IPS systems for the last 6 years with different vendors like Tipping Point, McAfee, IBM/ISS just to name a few.

The real pain with an IPS/IDS is to sort out false positives and this is not only a one-time process. In order to operate an intrusion prevention system it is mandatory to have a continuous IPS policy tuning process in place, otherwise such a system is worthless.

In my opinion an ideal IPS has the ability to import information from a Vulnerability Management System like Qualys for example. The VMS scans systems for known vulnerabilities and other details like operating system, security patch level etc. and reports its findings back to the IPS. Then the IPS could correlate its attack data against the vulnerability information from the threat log for example. This way you would not see any more log entries for an attack against a vuln. for IIS just to find out that the reported destination address (victim) is an Apache... Or you see threat log entries for a sendmail vuln. and you have an Exchange Server in place ...

I know that Sourcefire for example has partnered with Qualys for this reason. Also McAfee has its own IPS and a product called Foundstone for the vulnerability scanning and correlation.

I really would like to see such an approach from PAN, this would be very exciting. I know Qualys for example would be more than happy to look at this together with PAN.

I know this is something for a long term wishlist, but I don't stop dreaming 😉

rgds

Roland
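
The correlation described in the post above, sketched as an added example that is not part of the original post and not any vendor's implementation. The inventory layout, signature IDs, vulnerability placeholders and the 30-day freshness window are all constructed assumptions.

```python
from datetime import date

# Constructed scanner export: software and open findings per host (layout is an assumption).
INVENTORY = {
    "10.0.0.10": {"scanned": date(2024, 5, 1), "software": {"apache"}, "vulns": set()},
    "10.0.0.20": {"scanned": date(2024, 5, 1), "software": {"iis"}, "vulns": {"VULN-IIS-1"}},
    "10.0.0.30": {"scanned": date(2024, 5, 1), "software": {"exchange"}, "vulns": set()},
    "10.0.0.40": {"scanned": date(2023, 1, 1), "software": {"sendmail"}, "vulns": set()},
    "10.0.0.50": {"scanned": date(2024, 5, 1), "software": {"iis"}, "vulns": set()},
}

# Constructed mapping from IPS signature to the product and finding it targets.
SIGNATURES = {
    "sig-1001": {"product": "iis", "vuln": "VULN-IIS-1"},
    "sig-2001": {"product": "sendmail", "vuln": "VULN-SENDMAIL-1"},
}

# Constructed threat log entries.
ALERTS = [
    {"sig": "sig-1001", "dst": "10.0.0.10"},  # IIS signature, Apache host
    {"sig": "sig-1001", "dst": "10.0.0.20"},  # IIS signature, vulnerable IIS host
    {"sig": "sig-1001", "dst": "10.0.0.50"},  # IIS signature, patched IIS host
    {"sig": "sig-2001", "dst": "10.0.0.30"},  # sendmail signature, Exchange host
    {"sig": "sig-2001", "dst": "10.0.0.40"},  # scan data too old to trust
    {"sig": "sig-2001", "dst": "10.0.0.99"},  # host never scanned
]

def classify(alert, today, max_age_days=30):
    """Return a triage verdict for one alert using scanner data."""
    sig = SIGNATURES.get(alert["sig"])
    host = INVENTORY.get(alert["dst"])
    # No mapping or no scan data: never suppress, leave for an analyst.
    if sig is None or host is None:
        return "unknown"
    # Stale scans may describe a host that has since changed.
    if (today - host["scanned"]).days > max_age_days:
        return "unknown"
    if sig["product"] not in host["software"]:
        return "not_applicable"
    if sig["vuln"] in host["vulns"]:
        return "confirmed_vulnerable"
    return "patched"

def triage(alerts, today):
    """Group alerts by verdict so only the relevant ones reach the top of the queue."""
    buckets = {}
    for alert in alerts:
        buckets.setdefault(classify(alert, today), []).append(alert)
    return buckets
```

Only `not_applicable` and `patched` are candidates for lower priority; `unknown` stays visible so that gaps in scan coverage do not turn into blind spots.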
