IDS mailing list archives
Re: Re: Changes in IDS Companies?
From: "Proxy Administrator" <proxyadmin () rediffmail com>
Date: 1 Nov 2002 11:30:58 -0000
Hi,

Maybe I was not able to express myself clearly. I was not picking on the terminology, I was trying to say that an inline NIDS cannot become a NIPS. Let's consider systrace. It does not "detect" intrusions as such, but it does go a long way in preventing intrusions. This would make it different from other host IDS (or IPS), which detect intrusions and by virtue of being inline (system call wrappers, etc.) are able to prevent intrusions.

Hope I was clearer this time around, but I'm not sure if I could convey what I wanted to say ;-) I am just concerned that we might be passing an IDS off as an IPS.

Regards,
Proxy Administrator

On Fri, 01 Nov 2002 Shaiful wrote:
Hi all,

If systrace is like HIPS, so hogwash and the gang are really NIPS. If you have a modified IDS or hogwash in-line it is basically a forwarding device with two network cards. You don't have to send RST since you can drop packets in between the cards.

IMHO, any firewall can easily be converted to NIPS since you pass all the packets and it is up to you to decide whether your rules are based on the IP header alone or the packet content as well. Take for example the Drawbridge packet filter from TAMU, which is open source and has already been available for a few years. Nobody bothered to write the extension for application filtering until recently, when the pf author adopted the Drawbridge idea to build the new generation firewall for OpenBSD.

IMHO, if we keep arguing about the terminology, we will never really benefit the security community. Since everybody seems to agree IPS is good security technology, why not concentrate on making it a more robust and reliable technology with faster performance. We already have problems with NIDS performance and I presume we will have more performance problems with NIPS.

My two cents,

Regards,
Shaiful Hashim
Universiti Putra Malaysia

--- Proxy Administrator <proxyadmin () rediffmail com> wrote:
> Hi,
>
> I read a lot of messages which say putting an IDS inline would
> convert it into an Intrusion Prevention System or something to
> that effect. This would be true to a certain extent. Putting it
> inline would make sure that you see all the packets, so you
> wouldn't miss any attack that it *could* detect. Basically, the
> solution that is being propagated here is an IDS which is going to
> take action by resetting connections, blocking IP addresses etc.
> Still not an actual IPS.
>
> I would think that something like "systrace" qualifies as an
> Intrusion Prevention solution more than an inline IDS. We set
> rules as to how a privileged process is supposed to behave and
> anything out of the ordinary would not be allowed. That seems more
> like Intrusion Prevention than the other solutions, which are
> detecting intrusions and dropping connections.
>
> While "systrace" would in my opinion qualify as a host-based
> intrusion prevention system, something similar would be needed to
> qualify as NIPS.
>
> Regards,
>
> Proxy Administrator
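The systrace model the thread keeps returning to (a per-process policy that says how a privileged program is allowed to behave, with everything else refused before the system call completes) can be made concrete with a small evaluator. The block below is an added illustration, not systrace's own code or policy parser: it accepts a simplified subset of systrace's policy syntax (one syscall per line, an optional `eq`/`match` predicate on a single named argument, then `permit` or `deny[errno]`), applies first-match-wins, and treats any call with no matching rule as denied. The policy for `/usr/sbin/named` and the syscall trace are constructed here for the example; the paths and addresses are placeholders.

```python
"""Toy evaluator for a systrace-style per-process syscall policy.

Added example, not systrace itself: the grammar is a simplified subset of
systrace's, and the policy text and syscall trace below are constructed.
"""
import fnmatch
import re

# One rule per line, e.g.
#   native-fsread: filename eq "/etc/named.conf" then permit
#   native-connect: sockaddr match "inet-*:53" then permit
#   native-execve: deny[eperm]
# A bare permit/deny applies to every invocation of that syscall.
RULE_RE = re.compile(
    r'^(?P<syscall>[\w-]+):\s*'
    r'(?:(?P<arg>\w+)\s+(?P<op>eq|match)\s+"(?P<value>[^"]*)"\s+then\s+)?'
    r'(?P<action>permit|deny)(?:\[(?P<errno>\w+)\])?\s*$'
)


def parse_policy(text):
    """Turn policy text into an ordered list of rule dicts; reject unknown lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Policy:"):
            continue  # header and comments carry no rule
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"bad policy line: {line!r}")
        rules.append(m.groupdict())
    return rules


def _predicate_holds(rule, args):
    """Check the rule's argument test (none, eq, or shell-style match)."""
    if rule["arg"] is None:
        return True
    value = args.get(rule["arg"])
    if value is None:
        return False  # the argument the rule inspects was not supplied
    if rule["op"] == "eq":
        return value == rule["value"]
    return fnmatch.fnmatchcase(value, rule["value"])


def evaluate(rules, syscall, args):
    """First matching rule decides; an unmatched call is denied with EPERM.

    The default-deny is the prevention property: the process never gets
    to make a call the policy author did not anticipate.
    """
    for rule in rules:
        if rule["syscall"] == syscall and _predicate_holds(rule, args):
            return rule["action"], rule["errno"]
    return "deny", "eperm"


def run_trace(policy_text, trace):
    """Evaluate a sequence of (syscall, args) pairs and return the verdicts."""
    rules = parse_policy(policy_text)
    return [(syscall, evaluate(rules, syscall, args)[0]) for syscall, args in trace]


# Constructed policy: what a name server is expected to do, and nothing else.
POLICY = """
Policy: /usr/sbin/named, Emulation: native
    native-fsread: filename eq "/etc/named.conf" then permit
    native-fsread: filename match "/var/named/*" then permit
    native-connect: sockaddr match "inet-*:53" then permit
    native-execve: deny[eperm]
"""

# Constructed trace: normal behaviour followed by what a compromised named might try.
TRACE = [
    ("native-fsread", {"filename": "/etc/named.conf"}),
    ("native-fsread", {"filename": "/var/named/example.zone"}),
    ("native-fsread", {"filename": "/etc/shadow"}),
    ("native-connect", {"sockaddr": "inet-192.0.2.1:53"}),
    ("native-connect", {"sockaddr": "inet-192.0.2.1:6667"}),
    ("native-execve", {"filename": "/bin/sh"}),
]


def demo():
    return run_trace(POLICY, TRACE)


if __name__ == "__main__":
    for syscall, verdict in demo():
        print(f"{syscall:16s} {verdict}")
```

The last three trace entries are the interesting ones: reading `/etc/shadow`, connecting to an IRC port and spawning a shell are all refused, and none of them needed a signature, because the policy describes permitted behaviour rather than known attacks. That is the distinction the thread draws between a host-based prevention system and an inline IDS that still has to recognise the attack before it can drop it.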
Current thread:
- RE: Changes in IDS Companies? Kohlenberg, Toby (Nov 02)
- RE: Changes in IDS Companies? Kevin Timm (Nov 04)
- <Possible follow-ups>
- RE: Changes in IDS Companies? Frank Knobbe (Nov 02)
- Re: Re: Changes in IDS Companies? Proxy Administrator (Nov 02)
- Re: Re: Changes in IDS Companies? Proxy Administrator (Nov 09)
- Re: Re: Changes in IDS Companies? Aaron Turner (Nov 11)
- Re: Changes in IDS Companies? Andrew Plato (Nov 11)
- RE: Changes in IDS Companies? Kohlenberg, Toby (Nov 13)
- IDS for DataBase Systems. Hemant Ramnani (Nov 13)
- Re: Changes in IDS Companies? Gary Golomb (Nov 13)
- Re: Changes in IDS Companies? Dominique Brezinski (Nov 13)