Re: Re: Changes in IDS Companies?

["Proxy Administrator" <proxyadmin () rediffmail com>]

Hi,

Maybe I was not able to express myself clearly. I was not picking 
on the terminology, I was trying to say that an inline NIDS cannot 
become a NIPS.
Let's consider systrace. It does not "detect" intrusions as such, 
but it does go a long way in preventing intrusions. This would 
make it different from other host IDS (or IPS), which detect 
intrusions and by virtue of being inline (system call wrappers, 
etc) are able to prevent intrusions. Hope I was clearer this time 
around, but I'm not sure if I could convey what I wanted to say 
;-)
I am just concerned that we might be passing an IDS off as an 
IPS.

Regards,

Proxy Administrator

On Fri, 01 Nov 2002 Shaiful wrote :
> Hi all,
>
> If systrace is like HIPS, so hogwash and the gangs are
> really NIPS. If you have a modified IDS or hogwash
> in-line it is basically a forwarding device with two
> network cards. You don't have to sent RST since you
> can drop packets in between the cards. IMHO, any
> firewall can easily be converted to NIPS since you
> passed all the packets and it is up to you to decide
> whether your rules based on IP header alone or the
> packet content as well. Take for example, the
> Drawbridge packet filter from TAMU which is open
> source and already available for a few years.  Nobody
> bothers to write the extension for the application
> filtering until recently the pf author adopted the
> Drawbridge idea to built the new generation firewall
> for OpenBSD.
>
> IMHO, if we keep arguing about the terminology, we
> will never really benefit the security community.
> Since everybody seems to agree IPS is good security
> technology why not concentrate to make it more robust
> and reliable technology with faster performance.  We
> already have problem with NIDS performance and I
> presume we will have more performance problems with
> NIPS.
>
> My two cents,
>
> Regards,
> Shaiful Hashim
> Universiti Putra Malaysia
>
> --- Proxy Administrator <proxyadmin () rediffmail com>
> wrote:
> > Hi,
> >
> > I read a lot of messages which say putting an IDS
> > inline would
> > convert it into an Intrusion Prevention System or
> > something to
> > that effect. This would be true to a certain extent.
> > Putting it
> > inline would make sure that you see all the packets,
> > so you
> > wouldn't miss any attack that it *could* detect.
> > Basically, the
> > solution that is being propagated here is an IDS
> > which is going to
> > take action by resetting connections, blocking IP
> > addresses etc.
> > Still not an actual IPS.
> > I would think that something like "systrace"
> > qualifies as an
> > Intrusion Prevention solution more than an inline
> > IDS. We set
> > rules as to how a privileged process is supposed to
> > behave and
> > anything out of the ordinary would not be allowed.
> > That seems more
> > like Intrusion Prevention than the other solutions,
> > which are
> > detecting intrusions and dropping connections.
> > While "systrace" would in my opinion qualify as a
> > host-based
> > intrusion prevention system, something similar would
> > be needed to
> > qualify as NIPS.
> >
> > Regards,
> >
> > Proxy Administrator
> >
> >
>
>
> __________________________________________________
> Do you Yahoo!?
> HotJobs - Search new jobs daily now
> http://hotjobs.yahoo.com/