Re: Alarm response strategies

[Tony Carter <tcarter () entrusion com>]

Rob,
Your argument is valid for a signature based IPS. But who makes one of  
those?? That's why you need protocol/anomaly/behavior based IPS. They  
are far less prone to false positives.  Your UDP DOS may have an impact  
on a network without proper security architecture in place but a well  
thought out design/configuration would not be vulnerable to such an  
attack.  At best you would fill up the pipe..

-Tony


On Jul 25, 2004, at 9:35 PM, Rob Shein wrote:

> Given the fact that IDS are prone to false alarms (and easy to make  
> trigger
> with spoofed traffic), it's the general consensus that active  
> responses are
> a bad idea.  For example, if I were to start scanning your network,  
> and find
> myself suddenly blocked at the router or firewall, I would then spoof  
> tons
> of UDP traffic from DNS servers that I believed you might use.  Your
> firewall would then block traffic from them, and bingo, I've just shut  
> down
> your ability to resolve things.
>
> > -----Original Message-----
> > From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu]
> > Sent: Friday, July 23, 2004 3:35 AM
> > To: focus-ids () securityfocus com
> > Subject: Alarm response strategies
> >
> >
> >   Hi all,
> >
> >     May we discuss on which are the strategies that the IPS
> > vendors use to prevent/respond from/to attacks?
> >
> > - When do they change a firewall rule
> > - When to reset a connection
> > - When to create an ACL on a router
> >
> >
> > Are all of the responses used with a logical sense?
> > Should they been used depending on the type of the attack?
> > Only depends on the capability of each vendor?
> > What more strategies are there?
> >
> > Thank you in advance,
> > __________________________________________________
> > MONDRAGON UNIBERTSITATEA
> > Urko Zurutuza
> > Dpto. Informática
> > Loramendi 4 - Aptdo.23
> > 20500 Arrasate-Modragon
> > Tel. +34 943 739636 // +34 943 794700 Ext.297
> > www.eps.mondragon.edu > uzurutuza () eps mondragon edu
> >
> >
> >
> >
> > --------------------------------------------------------------
> > ------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world
> > attacks from CORE IMPACT. Go to
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
> 0708 to learn more.
> ----------------------------------------------------------------------- 
> ---
>
>
>
> ----------------------------------------------------------------------- 
> ---
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from  
> CORE
> IMPACT.
> Go to  
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to  
> learn more.
> ----------------------------------------------------------------------- 
> ---


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------