Re: Network hardware IPS

[david maynor <david.maynor () oit gatech edu>]

On Thu, 2003-10-02 at 13:15, Gary Flynn wrote:
> Ron Gula wrote:
>
> > If you are
> > the type of NIDS fellow who likes to tweak signatures and SSH into your box
> > to check the logs, it's not for you.
>
> I can't imagine installing any type of IDS/IDP device today that wouldn't
> allow me to examine and tune existing signatures and create new ones. In
> my environment communication needs vary too much and signature analysis is
> too inexact to depend upon a vendor's black box. In addition, the ability
> to instantly react to new threats at the local level in ways that are unique
> to a particular organization's environment seems, to me, to be invaluable.
> That has been a strength of both Nessus and Snort. Can you imagine either if
> all signatures were hidden from us and locked in stone?
I wouldn't like it but I can see it happening. It is more likely to come
from security companies that fund alot of research into vulndev and they
consider their sigs to be company secrets. Think about the last
marketing pitch for IDSes you have been through, "we detect far more
attacks than anybody else." You don't have the same punch when your
marketing is "we detect everything everybody else does." 

-David Maynor



---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------