IDS mailing list archives
Re: Network hardware IPS
From: Ravi Kumar <ravivsn () roc co in>
Date: Thu, 02 Oct 2003 09:57:36 +0530
Dear Alvin,

If you agree snort is the best IDS ever, then snort_inline is the best Inline IPS. I agree that some preprocessors are not yet modified according to the needs of Inline.

Regards,
Ravi

At 11:34 AM 10/2/03 +0800, Alvin Wong wrote:
Hi Ravi,

Thanks for sharing your opinions. Do you have a particular Inline IPS to recommend, or can you share experiences with IPS?

Regards,
Alvin

On Tue, 2003-09-30 at 12:54, Ravi Kumar wrote:
> Hi Alvin,
>
> Setting up complete security with all the currently available tools, IMHO, the set up can look like this:
>
> INTERNET------- Security Gateway device -----CORPORATE network
>
> Security gateway device should have
> - A stateful packet inspection Firewall
> - content filtering and Antivirus
> - and above all Inline IPS. I stress it should be working hand in hand with the firewall.
>
> Deploying IDS can only alert you about incoming attacks, and by the time we react the damage has happened. To get a good understanding of the entire traffic coming from the Internet, the correct tap point is the gateway of the network. Not to miss a single packet we need to process packets inline. That suggests an Inline IDS to us, even though security is not completely achieved. After we identify the attacks, the correct mechanism could be blocking them there itself.
>
> Take the example of snort_inline.
> - Takes the packets from iptables
> - uses snort to detect and
> - blocks the connection by sending TCP resets.
> snort_inline uses libipq to queue the packets to user space. I agree that moving packets to user space and back to kernel space consumes lots of processing time. The solution could be
>
> - Inline IPS that works in the Kernel space
> Lots of Inline IDS tools that are available to the public work in user space. Hogwash, snort_inline etc. take the packets to user space for processing. Hogwash differs from snort_inline in the way it takes packets to user space. It also uses the same snort engine for processing.
>
> If any differ please point out; Iptables and snort_inline may not be a complete solution. As I said earlier, the box requires more than IPtables.
>
> Regards,
> Ravi
>
> At 04:30 PM 9/29/03 +0800, Alvin Wong wrote:
> > Hi,
> >
> > I'm interested to find out if anyone can share their experiences or recommend a network hardware IPS that is deployed in front of the gateway, which is able to detect attack signatures and, at the same time, actively block these attacks, alerting me in the process.
> >
> > This would be different from a passive IDS which depends on correlating the logs every time an alert pops up. An ideal solution would be to be able to detect the patterns and prevent them automatically; can a network IPS do this?
> >
> > I understand that it is possible in some IDS to do a TCP reset after one has confirmed that the connection is not acceptable. Can anyone explain whether an IDS that can do this is actually "active" as opposed to passive?
> >
> > It would also be interesting if there could be some amount of trend analysis built in which can review the destination/source IP traffic over time, which can be used to identify particular boxes which are easily targeted, which would mean that more work needs to be done for that box.
> >
> > Regards,
> > Alvin
> >
> > ---------------------------------------------------------------------------
> > Captus Networks IPS 4000
> > Intrusion Prevention and Traffic Shaping Technology to:
> > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> > - Automatically Control P2P, IM and Spam Traffic
> > - Precisely Define and Implement Network Security & Performance Policies
> > FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> > http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> > ---------------------------------------------------------------------------
>
> The Views Presented in this mail are completely mine. The company is not responsible for whatsoever.
>
> ----------
> Ravi Kumar CH
> Rendezvous On Chip (I) Pvt Ltd
> Hyderabad, INDIA
>
> ROC HOME PAGE:
> http://www.roc.co.in
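As an added illustration of the passive-versus-inline point argued through this thread, and not code from the thread or from snort_inline itself: a small Python model of the queue-and-verdict flow, in which a tap-fed IDS can only alert after the packet has already reached the host, while an inline engine returns its verdict before the kernel forwards the packet and tears down a matching TCP connection with a reset. The NF_ACCEPT/NF_DROP names follow libipq; the Packet type, the signatures and the sample traffic are constructed for the example.

```python
from dataclasses import dataclass, field

NF_DROP, NF_ACCEPT = 0, 1  # verdict values as libipq hands them back to the kernel

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    payload: bytes

# Hypothetical signatures in the spirit of snort "content:" matches.
SIGNATURES = {
    "WEB-ATTACKS /etc/passwd access": b"/etc/passwd",
    "SHELLCODE x86 NOOP": b"\x90" * 8,
}

@dataclass
class Result:
    alerts: list = field(default_factory=list)     # (signature, src, dst)
    forwarded: list = field(default_factory=list)  # packets the host received
    resets: list = field(default_factory=list)     # (dst, src) TCP resets issued

def match(pkt: Packet):
    # First signature whose content appears in the payload, else None.
    return next((n for n, c in SIGNATURES.items() if c in pkt.payload), None)

def run(packets, inline: bool) -> Result:
    """Passive (tap) mode alerts, but every packet still reaches the host.
    Inline (queue) mode returns NF_DROP on a match before the kernel forwards
    the packet and, for TCP, tears the connection down with a reset."""
    res = Result()
    for pkt in packets:
        sig = match(pkt)
        if sig:
            res.alerts.append((sig, pkt.src, pkt.dst))
        verdict = NF_DROP if inline and sig else NF_ACCEPT
        if verdict == NF_ACCEPT:
            res.forwarded.append(pkt)
        elif pkt.proto == "tcp":
            res.resets.append((pkt.dst, pkt.src))
    return res

# Constructed traffic: two benign HTTP requests, one traversal, one NOP sled.
TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.6", "192.0.2.10", "tcp", b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.7", "192.0.2.20", "udp", b"\x90" * 16 + b"\xcc"),
    Packet("10.0.0.8", "192.0.2.10", "tcp", b"POST /login HTTP/1.0\r\n"),
]
```

Running `run(TRAFFIC, inline=False)` and `run(TRAFFIC, inline=True)` shows the same two alerts in both modes, but only the inline run withholds the two matching packets and issues a reset for the TCP one.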