IDS mailing list archives

RE: IPS Futures


From: "Rob Shein" <shoten () starpower net>
Date: Thu, 22 Jul 2004 14:51:13 -0400

Actually, that isn't exactly what a typical IPS is these days.  For example,
by the time a single-packet attack (even if that one packet is TCP and goes
after the handshake) takes place, it's too late to lock down the firewall.
A snort-based IPS would be like what the honeynet project's gen II honeynets
used: snort-inline with hogwash to mangle attacks so they wouldn't work.
The idea isn't to respond to the attack, but rather to actively prevent the
attack from working in the first place, either by not passing it or by
altering it.


-----Original Message-----
From: M Shirk [mailto:shirkdog_linux () hotmail com] 
Sent: Wednesday, July 21, 2004 7:29 AM
To: focus-ids () securityfocus com
Subject: RE: IPS Futures


Basically you can run an IPS with snort-inline with iptables.

This is great, because I am in control, but what I experienced in the real
CLIENT world is a whole different story. Some of the implementations of IDS
solutions were terrible. I could not trust the same clients to actually
set up the IPS correctly. There is too much of a margin of error.

However, if this is within your own company, it is the way to go. IPS is a
better solution than IDS alone. My paranoia is the real world of terrible
implementation. An example would be a spoofed router for their internet
connection banging the firewall and the IPS shuts down all traffic, and the
Internet connection the company used to have :-)

I would be interested if anyone is a Managed Service Security Provider and
has had good luck with installation at remote client sites.

Shirkdog
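
The contrast drawn in the two messages above, as an added Python sketch that is not part of either post: a passive sensor that blocks at the firewall after the fact, next to an inline device that drops or alters the packet before forwarding. The packets, addresses (documentation ranges), function names and the `EVIL` signature are all constructed for illustration.

```python
from dataclasses import dataclass

SIGNATURE = b"EVIL"  # constructed stand-in for an attack pattern

@dataclass
class Packet:
    src: str
    payload: bytes

# Constructed sample traffic (assumption, not captured data).
TRAFFIC = [
    Packet("203.0.113.9", b"GET /?q=EVIL"),   # single-packet attack
    Packet("192.0.2.1", b"EVIL"),             # source spoofed as the upstream router
    Packet("192.0.2.1", b"routine traffic"),  # genuine traffic from that router
    Packet("198.51.100.7", b"hello"),
]

def reactive_ids(packets):
    """Passive sensor plus firewall: forward first, add the block afterwards."""
    blocked, delivered = set(), []
    for p in packets:
        if p.src in blocked:
            continue                      # firewall rule added by an earlier alert
        delivered.append(p)               # packet is already on its way
        if SIGNATURE in p.payload:
            blocked.add(p.src)            # too late for this packet; source may be spoofed
    return delivered, blocked

def inline_ips(packets, mangle=False):
    """Inline device: per-packet verdict before forwarding, either drop or alter."""
    delivered = []
    for p in packets:
        if SIGNATURE in p.payload:
            if not mangle:
                continue                  # not passed at all
            # Alter the matched bytes, keeping the length unchanged.
            p = Packet(p.src, p.payload.replace(SIGNATURE, b"X" * len(SIGNATURE)))
        delivered.append(p)
    return delivered

if __name__ == "__main__":
    seen, blocked = reactive_ids(TRAFFIC)
    print("reactive delivered:", [p.payload for p in seen], "blocked:", sorted(blocked))
    print("inline drop:", [p.payload for p in inline_ips(TRAFFIC)])
    print("inline mangle:", [p.payload for p in inline_ips(TRAFFIC, mangle=True)])
```

In the reactive model both signature-bearing packets reach the target and the router's address ends up blocked, which is the self-inflicted outage described in the quoted message; the inline model delivers neither attack and leaves the router's genuine traffic alone.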


