IDS mailing list archives
RE: Changes in IDS Companies?
From: "Mills, Alvin R." <Alvin.Mills () TTUHSC EDU>
Date: Thu, 31 Oct 2002 15:44:35 -0600
Just putting an IDS inline doesn't make it an IPS. There are products such as TippingPoint's Unity One and most recently NetScreen's IDP that can/will block traffic if you want them to. These are pretty beefy boxes that can handle the throughput on most backbones.

Alvin

-----Original Message-----
From: Proxy Administrator [mailto:proxyadmin () rediffmail com]
Sent: Thursday, October 31, 2002 10:31 AM
To: Ramesh Gupta; focus-ids () securityfocus com
Cc: kjmjones () yahoo com
Subject: Re: Changes in IDS Companies?

Hi,

I read a lot of messages which say putting an IDS inline would convert it into an Intrusion Prevention System or something to that effect. This would be true to a certain extent. Putting it inline would make sure that you see all the packets, so you wouldn't miss any attack that it *could* detect. Basically, the solution that is being propagated here is an IDS which is going to take action by resetting connections, blocking IP addresses etc. Still not an actual IPS.

I would think that something like "systrace" qualifies as an Intrusion Prevention solution more than an inline IDS. We set rules as to how a privileged process is supposed to behave and anything out of the ordinary would not be allowed. That seems more like Intrusion Prevention than the other solutions, which are detecting intrusions and dropping connections.

While "systrace" would in my opinion qualify as a host-based intrusion prevention system, something similar would be needed to qualify as NIPS.

Regards,
Proxy Administrator