But there's no overstating the usefulness of a properly-tuned IPS for attack prevention
I've never heard a plausible anecdote, much less seen meaningful statistics, of these devices actually 'preventing' anything.
I think it depends upon where you put them, and whether or not you have skilled people involved. Given good placement, and experienced management, I have seen the usefulness of these devices ... by personally reviewing the logs and being the recipient of drop alerts of the devices in terms of what they can reject.
I have, however, run into many, many situations in which these devices demonstrably degraded the security posture of network operators, particularly when placed in front of servers or broadband access networks. For example, they're laughably easy to DDoS due to state exhaustion -
which
is what is the main point of the presentation you reference.
Sometimes we get in to corner cases too easily where the negative is easily applied. Yes, they can be DDoS'd. Yes they can be useless in the hands of the unskilled and unknowing. On the other hand, given good placement in strategic places, and maintained appropriately, they can live up the their expectations.
And the fact that well-known evasion techniques still work against these devices today, coupled with the undeniable proliferation of compromised hosts residing within networks supposedly 'protected' by these devices, militates against your proposition.
Well.... again, yes, they may not get all zero-day exploits. That is another corner case. But they can certainly prevent getting hit by the same old stuff over and over again. I've seen drop rules for the Bash issue, and the openssl issue put in place, and when implemented, prevent the further spread of the malicious payloads. There must some sort of value in that? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.