IDS mailing list archives
RE: Top IPS vendors - please read for invitation to Network World review.
From: "Bob Walder" <bwalder () spamcop net>
Date: Fri, 29 Aug 2003 11:14:26 +0200
That is exactly what an IPS product should NOT consist of. And that is where *I* believe there is room for a distinction - not just a marketing one - between IDS and IPS.

A true IPS product (true in the sense that it complies with the requirements to belong to this new little sub-group of security products which may have been defined by techies or may have been defined by marketing guys but who really cares? See where I am coming from on this? Who cares? As long as it does the job....) will work in-line and drop packets/connections immediately the suspicious traffic is detected (with some additional intelligence to take care of things like SMTP servers retrying forever, which was mentioned earlier in these threads - they are not THAT stupid!)

TCP Resets and ICMP Unreachable packets and reconfiguring firewalls do *NOT* constitute IPS IMHO - they are the best stab that a passive IDS device can make at mitigating potential damage.

Regards,

Bob Walder
The NSS Group
www.nss.co.uk
-----Original Message-----
From: Mark Teicher [mailto:mht3 () earthlink net]
Sent: 28 August 2003 07:40
To: Zach Forsyth; Paul Schmehl; focus-ids () securityfocus com; seth.knox () sygate com
Subject: RE: Top IPS vendors - please read for invitation to Network World review.

Zach,

You are exactly correct, PREVENTION is key to the technology, most IPS products that are available today have an underlying IDS piece with some basic PREVENTION functionality (i.e. TCP SNIPE, TCP RESET), but not enough PREVENTION to fully analyze the transaction. IPS are not easily applicable to SAP based applications..

/mark

At 10:36 PM 8/27/2003, Zach Forsyth wrote:

> -----Original Message-----
> From: Mark Teicher [mailto:mht3 () earthlink net]
> Sent: Wednesday, 27 August 2003 22:30 PM
> To: Paul Schmehl; focus-ids () securityfocus com; seth.knox () sygate com
> Subject: Re: Top IPS vendors - please read for invitation to Network World review.
>
> > The real question I have is what defines an IPS product versus an IDS.. IDS is obvious, but IPS, it is a very tough definition
>
> Intrusion DETECTION system
> Intrusion PREVENTION system
>
> Seems fairly fundamental to me...
> I think I know what you are trying to say though, keep referring back to the word prevention :)

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit: www.blackhat.com
---------------------------------------------------------------------------