IDS mailing list archives
Re: Network hardware IPS
From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 07 Oct 2003 12:30:17 -0400
david maynor wrote:
> I wouldn't like it but I can see it happening. It is more likely to come from security companies that fund a lot of research into vulndev and they consider their sigs to be company secrets. Think about the last marketing pitch for IDSes you have been through, "we detect far more attacks than anybody else."
Agreed, and I understand their rationale for that. But I've also seen claims of thousands of sigs that include a fair number of pretty simplistic algorithms which are pretty useless on any type of open network. How is the customer to know if they can't see them? The situation is similar to firewall proxy capabilities but with an order of magnitude more variables and a more fluid state.

I'm not saying that a very well researched and tested signature set that can't be seen could be very valuable in some environments, particularly where traffic is well defined. Unfortunately, our Internet connection doesn't fit that category. The ability to create and alter signatures in reaction to new threats and incidents has been invaluable.

Perhaps two classes of devices will develop, "closed source" and "open source", which will each have their strengths and weaknesses. Or maybe we'll have devices where the bulk of signatures are visible but some proprietary ones are not.

To me, the ability to see and modify the rulesets is a mandatory feature right now, particularly if I'm contemplating blocking traffic that matches a signature. Also, the same flexibility provides a valuable troubleshooting, monitoring, and forensics tool above and beyond the IDS/IDP capabilities.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe