Snort mailing list archives

Re: What are the differences between an IPS and IDS?


From: Ganu Skop <skopganu () yahoo com>
Date: Wed, 1 Oct 2003 22:02:39 -0700 (PDT)

Hi,
another add on;
Taken from Jed Haile BlackHat 2002 US Presentation 
(http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-haile-hogwash.ppt)

1.
                        GIDS vs NIDS
GIDS
Acts as network gateway
Stops suspect packets
Prevents successful intrusions
False positives are VERY bad

NIDS
Only observes network traffic
Logs suspect packets and generates alerts
Cannot stop an intruder
False positives are not as big of an issue

2.
IPS - Active
IDS - Passive

-skopganu


Ravi Kumar wrote:
Hi,

IDS taps for packets and alerts about an attack. IDS can tap at different
points in the network and sends logs to a central database to analyse
the logs.

Inline IPS runs in the gateway of the network. It uses the same IDS search
engine and detection engine to detect attacks.

        - IPS blocks connections by sending a TCP Reset or ICMP error
message to the sender.

        - The second way is to set policies in the firewall to block a
particular connection.

Drawbacks with IDS: by the time the responder reacted, the damage would
have occurred.

With inline IPS: lots of processing time.

Regards,

Ravi







In short, an IPS actively blocks packets which appear to be a part of an
attack. Its behavior is a bit like a firewall in that respect, but it
inspects application layer data instead of header-layer data.

It should however be noted that an IPS is NOT a firewall replacement.

An IDS notes that an offending packet occurred, but does nothing other
than log the event.

An IPS has the advantage of actively preventing attacks, but has the
drawback of reducing network throughput (each packet has to be inspected
before it is passed on) and also possibly blocking legitimate traffic.

An IDS doesn't slow down the rate of data flowing into your network,
since it's merely a tap and network data doesn't go through it, but has
the drawback of only telling you about attacks after the fact.
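The whole thread makes one point: the detection engine is the same, only the deployment differs (passive tap that alerts versus inline gateway that drops and resets), and that is why a false positive is cheap on an IDS and expensive on an IPS. The following is an added example, not code from this thread or from Snort: a toy signature engine run once in each mode over the same constructed traffic, including a crafted TCP RST of the kind Ravi mentions. The packets, addresses, signatures and all function names are constructed for the example.

```python
# Added example, not code from the thread above or from Snort: one toy
# signature engine run as a passive IDS (tap: observe and alert) and as an
# inline IPS (gateway: drop and answer the sender with a TCP RST, one of the
# two blocking methods Ravi describes). Packets, addresses and signatures
# are all constructed for the example.
import struct
from dataclasses import dataclass


@dataclass
class Packet:  # the few TCP fields the sensors need
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    payload: bytes


# Hypothetical signatures, deliberately crude: a bare "../../" also matches
# legitimate traffic, which is the false-positive case the thread warns about.
SIGNATURES = {"web traversal attempt": b"../../", "nop sled": b"\x90" * 8}


def detect(pkt):
    """Shared detection engine: name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None


def ids_observe(pkt, alerts):
    """Passive IDS: the packet is a copy from a tap, so the original was already
    forwarded; a hit can only add an alert."""
    hit = detect(pkt)
    if hit:
        alerts.append(f"ALERT {hit} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    return pkt


def _checksum(data):
    """Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src, dst, tcp_len):
    """IPv4 pseudo-header the TCP checksum covers: src, dst, zero, proto 6, length."""
    addrs = b"".join(bytes(int(o) for o in ip.split(".")) for ip in (src, dst))
    return addrs + struct.pack("!BBH", 0, 6, tcp_len)


def craft_tcp_rst(pkt):
    """20-byte TCP header (RST|ACK) sent back to the sender, spoofing the
    destination host: ports swapped, SEQ = the offending segment's ACK and
    ACK = its SEQ plus data length, so the sender's stack accepts the reset."""
    seq, ack = pkt.ack, (pkt.seq + len(pkt.payload)) & 0xFFFFFFFF
    hdr = struct.pack("!HHIIBBHHH", pkt.dport, pkt.sport, seq, ack,
                      5 << 4, 0x14, 0, 0, 0)  # offset 5 words, flags RST|ACK
    csum = _checksum(_pseudo_header(pkt.dst, pkt.src, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def inspect_rst(pkt, raw):
    """Decode a crafted RST and confirm its checksum (recomputing over a header
    whose checksum field is filled in must yield zero)."""
    sport, dport, seq, ack, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", raw)
    ok = _checksum(_pseudo_header(pkt.dst, pkt.src, len(raw)) + raw) == 0
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "checksum_ok": ok}


def ips_inline(pkt, alerts):
    """Inline IPS: same engine, but a packet leaves the gateway only if clean;
    on a hit it is dropped and a RST for the sender is returned instead."""
    hit = detect(pkt)
    if hit:
        alerts.append(f"DROP {hit} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return None, craft_tcp_rst(pkt)
    return pkt, None


def run(mode, packets):
    """Push the same traffic through one deployment mode and summarise."""
    alerts, delivered, resets = [], [], []
    for pkt in packets:
        if mode == "ids":
            fwd, rst = ids_observe(pkt, alerts), None
        else:
            fwd, rst = ips_inline(pkt, alerts)
        if fwd is not None:
            delivered.append(fwd)
        if rst is not None:
            resets.append(rst)
    return {"alerts": alerts, "delivered": len(delivered), "resets": resets}


# Constructed traffic: a real traversal attempt, a legitimate paste that merely
# contains "../../" (false positive), and an ordinary request.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 40001, 80, 1000, 5000,
           b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.7", "192.0.2.10", 40002, 80, 2000, 6000,
           b"POST /paste HTTP/1.0\r\n\r\ncd ../../src && make"),
    Packet("10.0.0.8", "192.0.2.10", 40003, 80, 3000, 7000,
           b"GET /index.html HTTP/1.0\r\n\r\n"),
]
```

Running `run("ids", SAMPLE)` delivers all three packets and raises two alerts (one of them on the harmless paste); `run("ips", SAMPLE)` delivers only the third packet and emits two resets, so the user behind 10.0.0.7 loses a legitimate connection. That is the "false positives are VERY bad" row of the GIDS column in code. In Snort terms the two modes are the rule action: `alert` on the passive sensor, `drop` or `reject` when running inline, `reject` being the variant that sends the TCP reset (or ICMP unreachable for UDP) that Ravi describes. The RST is only the TCP header; putting it on the wire still needs an IP header and a raw socket, which is deliberately left out here.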




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users