IDS mailing list archives

RE: Changes in IDS Companies?


From: "Mills, Alvin R." <Alvin.Mills () TTUHSC EDU>
Date: Thu, 31 Oct 2002 15:44:35 -0600

Just putting an IDS inline doesn't make it an IPS. There are products such as
TippingPoint's Unity One and most recently NetScreen's IDP that can/will
block traffic if you want them to. These are pretty beefy boxes that can
handle the throughput on most backbones.

Alvin


-----Original Message-----
From: Proxy Administrator [mailto:proxyadmin () rediffmail com] 
Sent: Thursday, October 31, 2002 10:31 AM
To: Ramesh Gupta; focus-ids () securityfocus com
Cc: kjmjones () yahoo com
Subject: Re: Changes in IDS Companies?

Hi,

I read a lot of messages which say putting an IDS inline would 
convert it into an Intrusion Prevention System or something to 
that effect. This would be true to a certain extent. Putting it 
inline would make sure that you see all the packets, so you 
wouldn't miss any attack that it *could* detect. Basically, the 
solution that is being propagated here is an IDS which is going to 
take action by resetting connections, blocking IP addresses etc. 
Still not an actual IPS.
I would think that something like "systrace" qualifies as an 
Intrusion Prevention solution more than an inline IDS. We set 
rules as to how a privileged process is supposed to behave and 
anything out of the ordinary would not be allowed. That seems more 
like Intrusion Prevention than the other solutions, which are 
detecting intrusions and dropping connections.
While "systrace" would in my opinion qualify as a host-based 
intrusion prevention system, something similar would be needed to 
qualify as NIPS.

Regards,

Proxy Administrator

