Snort mailing list archives

Re: Snort & Intrusion Prevention


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 02 Jun 2004 11:24:46 -0500

On Wed, 2004-06-02 at 08:10, Maetzky, Steffen (Extern) wrote:
> 2. If I use guardian or snortsam snort is still passive and doesn't drop
> packets but sessions are closed over a special period.
> Guardian and snortsam reconfigure an active firewall directly.
> -> DoS possible

That's why I included countermeasures in Snortsam to avoid DoS
conditions. Snortsam is a reactive system (as opposed to an inline,
active system). The advantage is that you can block all traffic to or
from (or both) that host. Besides the obvious "blocking all access
to the host" type block, you can also perform isolation blocks. That
means that it can do these things that you would do anyway -- isolating
compromised hosts for later analysis -- just in an automated fashion.
(Imagine your hacked web server getting quarantined at 4am
automatically...). Or it can aid in policy enforcement where internal
hosts get punished with a block from the Internet for certain actions.
Or automatically block unknown new hosts.
(I could go on as there are plenty more scenarios where Snortsam can be
helpful).

An inline IPS can only block on its own wire. Using Snortsam you could
block one attacker on a multitude of firewalls. Consider this scenario:
You have 20 Snort sensors and 8 firewalls, controlled by 5 Snortsam
agents. If an intruder gets detected on any of the 20 sensors, he can be
blocked on all 8 firewalls. Or consider an internal PC infected with a
worm. If Snortsam detects it, it can isolate that workstation from the
rest of the network in a snap.

The ability to act upon more than just the monitored segment
differentiates reactive systems like Snortsam from inline devices.

Hope this helps.
Regards,
Frank

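The architecture Frank describes (alerts from any sensor, one agent pushing time-limited blocks to several firewalls, with countermeasures so that a spoofed or flooded alert cannot turn the blocker into a denial-of-service tool) modelled as a small simulation. This is added example code, not Snortsam's own implementation or anything from this thread; the class names, the never-block policy, the duration and table-size caps, and the sample alerts are all assumptions made for the illustration.

```python
"""Toy model of a reactive blocking agent: sensors raise alerts, the agent
applies a time-limited block on every firewall it controls, and a few
policy checks keep the mechanism from being abused. Constructed example,
not Snortsam's code; all names and values below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Block:
    ip: str
    direction: str      # "in" (to the host), "out" (from it) or "both" (isolation)
    sensor: str         # which sensor raised the alert, for later analysis
    expires_at: float   # blocks always expire; nothing is permanent


class Firewall:
    """Simulated firewall that only keeps a table of its active blocks."""

    def __init__(self, name):
        self.name = name
        self.blocks = {}  # ip -> Block

    def add(self, block):
        self.blocks[block.ip] = block

    def remove(self, ip):
        self.blocks.pop(ip, None)


class ReactiveAgent:
    """Receives alerts from any sensor and applies the block on every firewall."""

    def __init__(self, firewalls, never_block, max_duration=3600, max_active=500):
        self.firewalls = firewalls
        # Addresses that must never be blocked (gateways, DNS, the sensors
        # themselves). Without this list a spoofed alert naming one of them
        # would let an attacker cut the site off its own infrastructure.
        self.never_block = [ip_network(n) for n in never_block]
        self.max_duration = max_duration  # cap on how long one alert may block
        self.max_active = max_active      # cap on table size so floods cannot exhaust it
        self.active = {}                  # ip -> Block

    def _protected(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.never_block)

    def handle_alert(self, sensor, ip, now, direction="both", duration=600):
        """Apply the block and return a status string, or refuse the alert."""
        self.expire(now)
        if self._protected(ip):
            return "refused: protected address"
        if direction not in ("in", "out", "both"):
            return "refused: unknown direction"
        duration = min(duration, self.max_duration)
        existing = self.active.get(ip)
        if existing is not None:
            # Repeated alerts for the same host extend the block, not stack copies.
            existing.expires_at = max(existing.expires_at, now + duration)
            return "extended"
        if len(self.active) >= self.max_active:
            return "refused: block table full"
        block = Block(ip, direction, sensor, now + duration)
        for fw in self.firewalls:  # one detection, blocked on every firewall
            fw.add(block)
        self.active[ip] = block
        return f"blocked on {len(self.firewalls)} firewalls"

    def expire(self, now):
        """Lift blocks whose time is up on every firewall."""
        for ip in [ip for ip, b in self.active.items() if b.expires_at <= now]:
            for fw in self.firewalls:
                fw.remove(ip)
            del self.active[ip]

    def blocked_everywhere(self, ip):
        return all(ip in fw.blocks for fw in self.firewalls)


def demo():
    """Constructed scenario: 8 firewalls behind one agent, alerts from 4 sensors."""
    firewalls = [Firewall(f"fw{i}") for i in range(8)]
    agent = ReactiveAgent(firewalls, never_block=["192.0.2.0/24", "198.51.100.1"])
    results = [
        agent.handle_alert("sensor03", "203.0.113.7", now=0),     # external attacker
        agent.handle_alert("sensor11", "203.0.113.7", now=5),     # seen again elsewhere
        agent.handle_alert("sensor18", "198.51.100.1", now=6),    # our own gateway: refused
        agent.handle_alert("sensor07", "10.1.2.3", now=7),        # isolate a worm-infected PC
    ]
    agent.expire(now=606)  # first block (extended to t=605) has lapsed, isolation has not
    return {
        "results": results,
        "after_expiry": {ip: agent.blocked_everywhere(ip) for ip in ("203.0.113.7", "10.1.2.3")},
    }


if __name__ == "__main__":
    print(demo())
```

The two caps and the never-block list are the defender's answer to the "DoS possible" objection in the quoted mail: an attacker can provoke alerts, but cannot make the agent block critical addresses, hold a block forever, or fill the firewalls' tables without limit.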