Snort mailing list archives

RE: Re: [Snort-devel] IDS vs IPS


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 22 Aug 2003 10:14:39 -0500

On Fri, 2003-08-22 at 08:35, Bob Walder wrote:
> My 0.02 worth is that a Network IPS (NIPS) is a device with two
> interfaces that operates in-line to detect suspicious traffic and
> INSTANTLY discard the offending packet and the rest of the suspicious
> flow.

Yup, I go with that. I actually like to refer to Snortsam as an
Intrusion Reaction System, but IRS seems to have a negative ring to it
:)  How about Intrusion Containment Systems? ICS? Yeah, that's it.

However, my arm has been twisted to call it an IPS. Yes, it doesn't
prevent the first packet from intruding (say a packet to tcp/135), but
once detected, it will prevent further communication with the intruder,
thus preventing him from doing further damage (i.e. shell commands).
Depending on the signature you could also contain the target. Where
Snortsam shines is the ability to contain that source/target on all your
firewalls. So if a server in the DMZ gets infected with Blaster, you
could have Snortsam reconfigure your DMZ firewall. If a laptop of a
vendor is detected spitting out Blaster, you could have all your
firewalls be configured to isolate that laptop from the rest of your
enterprise.

Snortsam lacks the store'n'forward approach of the normal IPSs (as you
just defined). But those are only single enforcement points. Snortsam
can interact with multiple enforcement points. (i.e. if someone attempts
an exploit on a server in London, you could have him blocked on your
firewalls in London, New York, L.A., Madrid, Tokyo, etc).

Anyhow, just wanted to say that your definition of an IPS was right on.

Cheers,
Frank

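An added illustration (not Snortsam's own code, and not part of the original message) of the containment model Frank describes: one Snort alert fans out to every firewall rather than a single in-line box, the signature decides whether the source, the target or both get contained, blocks carry a time limit, and a never-block list keeps a spoofed alert from isolating critical hosts. All sids, addresses and firewall names below are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of Snortsam-style reaction: illustrative only.

@dataclass
class Alert:
    sid: int
    src: str
    dst: str
    dport: int

@dataclass
class Firewall:
    name: str
    blocks: dict = field(default_factory=dict)   # ip -> expiry (epoch seconds)

    def block(self, ip: str, until: float) -> None:
        # A repeat alert never shortens an existing block.
        self.blocks[ip] = max(self.blocks.get(ip, 0), until)

    def is_blocked(self, ip: str, now: float) -> bool:
        return self.blocks.get(ip, 0) > now

# Per-signature reaction policy, keyed by sid: (who, duration_seconds).
# "src" contains the intruder, "both" contains the target as well.
REACTIONS = {
    1000135: ("src", 3600),   # constructed: probe to tcp/135, contain source for 1h
    1000136: ("both", 600),   # constructed: worm payload seen, contain both for 10 min
}

# Hosts that must never be contained (constructed: DNS server, gateway).
DONT_BLOCK = {"10.0.0.53", "10.0.0.1"}

def contain(alert, firewalls, now, reactions=REACTIONS, dont_block=DONT_BLOCK):
    """Apply the reaction for alert.sid on every firewall; return hosts blocked."""
    policy = reactions.get(alert.sid)
    if policy is None:           # signature carries no reaction: alert only
        return []
    who, duration = policy
    targets = []
    if who in ("src", "both"):
        targets.append(alert.src)
    if who in ("dst", "both"):
        targets.append(alert.dst)
    targets = [ip for ip in targets if ip not in dont_block]
    for fw in firewalls:         # every enforcement point, not just one
        for ip in targets:
            fw.block(ip, now + duration)
    return targets
```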

