Snort mailing list archives
Re: [Snort-devel] IDS vs IPS
From: Jeff Nathan <jeff () snort org>
Date: Sat, 30 Aug 2003 17:16:00 -0700
I chopped a lot of the traffic from this thread purposely as the responses were getting a bit lengthy. :)
Frank, I've looked at your feature matrix and I'd wanted to add a couple of extra criteria. Namely, stream reassembly and full IP defragmentation. Typically, a firewall only needs to defragment enough of an IP packet to get the network and transport header. Also, even a sophisticated firewall doesn't need to perform stream reassembly. Most often, a sophisticated firewall would watch the sequence numbers and acknowledgment numbers passed back and forth to make sure it was enforcing TCP states fully (i.e., making sure a given TCP segment falls within the window of acceptable sequence numbers).
I think many people would be surprised to learn how few products operate at even this level of sophistication. Before we take the plunge into giving firewall vendors too much credit, we should paraphrase Dennis Miller: comparing a firewall to a NIDS is like showing an ancient people the movie Ice Age; much like the ancient people would be shocked at a vision of the future, the firewall is strikingly non-evolved when compared to NIDS.
-Jeff
--
Top security experts. Cutting edge tools, techniques and information. Tokyo, Japan November, 2003 http://www.pacsec.jp
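The distinction drawn in the message above, as an added example that is not part of the original post and is not Snort code: a firewall-style sequence-window check accepts every segment, per-packet matching misses a pattern split across segments, and only stream reassembly sees it. All names and sample data are constructed, and the expected sequence number is held fixed at the first data byte for simplicity.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def in_window(seq, length, rcv_nxt, rcv_wnd):
    """Stateful-firewall check (RFC 793 acceptability test): does the first
    or last byte of the segment fall in [rcv_nxt, rcv_nxt + rcv_wnd)?"""
    first = (seq - rcv_nxt) % MOD
    last = (seq + max(length, 1) - 1 - rcv_nxt) % MOD
    return first < rcv_wnd or last < rcv_wnd

def reassemble(segments, isn):
    """NIDS-style reassembly: place bytes by sequence offset, tolerate
    out-of-order arrival, return the contiguous stream from isn."""
    data = {}
    for seq, payload in segments:
        off = (seq - isn) % MOD
        for i, b in enumerate(payload):
            data.setdefault(off + i, b)  # first copy wins: an assumed overlap policy
    out = bytearray()
    while len(out) in data:
        out.append(data[len(out)])
    return bytes(out)

def inspect(segments, isn, wnd, pattern):
    """Return (every segment passes the window check,
               pattern seen in any single segment,
               pattern seen in the reassembled stream)."""
    passes = all(in_window(s, len(p), isn, wnd) for s, p in segments)
    per_packet = any(pattern in p for _, p in segments)
    return passes, per_packet, pattern in reassemble(segments, isn)

# Constructed sample: a 24-byte stream cut into 7-byte segments that arrive
# out of order, with sequence numbers crossing the 32-bit wrap.
ISN = 0xFFFFFFF8          # sequence number of the first data byte (constructed)
PATTERN = b"EXAMPLE-SIGNATURE"
STREAM = b"hdr: " + PATTERN + b"\r\n"
CHUNKS = [(off, STREAM[off:off + 7]) for off in range(0, len(STREAM), 7)]
SEGMENTS = [((ISN + off) % MOD, chunk) for off, chunk in
            (CHUNKS[2], CHUNKS[0], CHUNKS[3], CHUNKS[1])]

if __name__ == "__main__":
    print(inspect(SEGMENTS, ISN, 65535, PATTERN))
```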