Firewall Wizards mailing list archives

Re: Corporate H/N IPS


From: Crispin Cowan <crispin () wirex com>
Date: Fri, 13 Dec 2002 18:36:51 -0800

Talisker wrote:

Intrusion Prevention System (IPS).     More proactive than the traditional
IDS, they actively block traffic deemed as malicious, almost like a firewall
but using IDS techniques to block an attack.

EXACTLY like a firewall, only they look at higher level application protocols than classic packet filtering firewalls. I.e. they are exactly like the older application proxy firewalls.

Host IPS.     A HIPS will block an attack aimed at the Host upon which it is
situated, previous names for a HIPS have included Network Node IDS (NNIDS)
or personal firewall.  To quote nss
"It binds closely with the operating system kernel and services, monitoring
and intercepting system calls to the kernel or APIs in order to prevent
attacks".

Exactly like secure operating systems, or security-enhanced operating systems. Again, there is nothing fundamentally new here, just that the techniques have advanced. The technology has improved to provide faster, finer-grained intrusion prevention (such as Type Enforcement access control, and StackGuard and FormatGuard compiled-in defenses). Unfortunately, marketeers are pushing new buzz-words, trying to convince people that "host intrusion prevention" is somehow different from secure operating systems.

A HIPS should not be confused with a HIDS, which looks at the host Event
or Sys logs, though many HIPS incorporate HIDS and File Integrity Checking.
Examples of HIPS are: Entercept and Intrusion's SHS (Stormwatch)

True: "intrusion detection" is what you call it when your detector is so slow or imprecise that it cannot be used for prevention.

Network IPS.       What used to be called an inline IDS, it's an IDS with 2
interfaces; it will block those packets that trigger the criteria laid down
by the IDS. Examples: TippingPoint UnityOne and RealSecure Guard

What used to be called a proxy firewall, such as the Firewall Toolkit, or the Raptor firewall.

I'm looking for a good starting place and therefore looking for lists
containing HIPS and NIPS to start me off on the research, in return I will
collate all the information and feed a summary back into the list.

Please include the Immunix Secure OS, which is a linux system protected with an arsenal of intrusion prevention systems.

Also please consider deprecating the term "intrusion prevention" as marketing hype. NIPS ::= firewall, and HIPS ::= secure OS.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                            Just say ".Nyet"
