RE: Top IPS vendors - please read for invitation to Network World review.

["Bob Walder" <bwalder () spamcop net>]

That is exactly what an IPS product should NOT consist of. 

And that is where *I* believe there is room for a distinction - not just
a marketing one - between IDS and IPS.

A true IPS product (true in the sense that is complies with the
requirements to belong to this new little sub-group of security products
which may have been defined by techies or may have been defined by
marketing guys but who really cares? See where I am coming from on this?
Who cares? As long as it does the job....) will work in-line and drop
packets/connections immediately the suspicious traffic is detected (with
some additional intelligence to take care of things like SMTP servers
retrying forever, which was mentioned earlier in these threads - they
are not THAT stupid!)

TCP Resets and ICMP Unreachable packets and reconfiguring firewalls do
*NOT* contribute IPS IMHO - they are the best stab that a passive IDS
device can make at mitigating potential damage.

Regards,

Bob Walder
The NSS Group

www.nss.co.uk





> > -----Original Message-----
> > From: Mark Teicher [mailto:mht3 () earthlink net] 
> > Sent: 28 August 2003 07:40
> > To: Zach Forsyth; Paul Schmehl; focus-ids () securityfocus com; 
> > seth.knox () sygate com
> > Subject: RE: Top IPS vendors - please read for invitation to 
> > Network World review.
> >
> >
> > Zach,
> >
> > You are exactly correct, PREVENTION is key to the 
> > technology, most IPS 
> > products that are available today have an underlying IDS 
> > piece with some 
> > basic PREVENTION functionality (i.e. TCP SNIPE, TCP RESET), 
> > but not enough 
> > PREVENTION to fully analyze the transaction. IPS are not 
> > easily applicable 
> > to SAP based applications..
> >
> > /mark
> >
> > At 10:36 PM 8/27/2003, Zach Forsyth wrote:
> >
> > > > -----Original Message-----
> > > > From: Mark Teicher [mailto:mht3 () earthlink net]
> > > > Sent: Wednesday, 27 August 2003 22:30 PM
> > > > To: Paul Schmehl; focus-ids () securityfocus com; 
> > seth.knox () sygate com
> > > > Subject: Re: Top IPS vendors - please read for invitation 
> > to Network
> > > World review.
> > > > The real question I have is what defines an IPS product versus an 
> > > > IDS..
> > > IDS
> > > > is obvious, but IPS, it is a very tough definition
> > >
> > > Intrusion DETECTION system
> > >
> > > Intrusion PREVENTION system
> > >
> > > Seems fairly fundamental to me...I think I know what you 
> > are trying to 
> > > say though, keep referring back to the word prevention :)
> >
> >
> > -------------------------------------------------------------
> > --------------
> > Attend Black Hat Briefings & Training Federal, September 
> > 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, 
> > VA; the world’s premier 
> > technical IT security event.  Modeled after the famous Black 
> > Hat event in 
> > Las Vegas! 6 tracks, 12 training sessions, top speakers and 
> > sponsors.  
> > Symanetc is the Diamond sponsor.  Early-bird registration 
> > ends September 6 Visit: www.blackhat.com
> > -------------------------------------------------------------
> > --------------



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, 
VA; the world’s premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symanetc is the Diamond sponsor.  Early-bird registration ends September 6 Visit: www.blackhat.com
---------------------------------------------------------------------------