Firewall Wizards mailing list archives

Re: IPS (was: Sources for Extranet Designs?)


From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 27 Feb 2004 20:35:42 -0500

Christopher Lee wrote:

I think the phrase "useless" could be a little harsh in this case, consider
what IPS has been expected to do (not what Mr. Stiennon has defined)...
IPS has pretty much been expected to weed out the known bad traffic on
your network, such as controlling/compartmenting the spreading of viruses.  In
that scenario, it is not difficult for someone to code up a signature that
looks for these types of behaviour in a sequence of packets, which requires
no "real" packet/session reassembly.  This approach, in my own humble
opinion, is no different than how most AV software looks for malware (not
viruses, which attach themselves to "any" executables) these days.
Obviously, this approach has its own shortcomings (just ask the Exchange
administrators who lost their information store database to poorly
configured AV software).

Kind of a side note to your example:

Virus handling is best done on a device that proxies an actual SMTP
server. If you block or drop an SMTP session at a lower layer in the
middle of an SMTP transaction due to one message containing a virus,
it may queue up on the sending mail server and block all messages
behind it for quite a while.

Also, and I speak from experience, if you drop worm-carrying packets
with an IDP when they're coming in hot and heavy, you had better send a reset
to the server to tear down the session or the number of open SMTP
sessions will do bad things to the server. :)
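The two effects described in the reply above (a silent mid-transaction drop stalling the sending server's queue, and half-open sessions piling up on the receiving server unless a reset is sent) can be put side by side in a small queue model. This is an added illustration, not code from the post or from any product it mentions; the timeouts, the single-connection sender and the message ids are constructed assumptions chosen only to make the comparison concrete.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed timings in seconds, plausible defaults rather than measured values.
SENDER_DATA_TIMEOUT = 600.0   # sender MTA gives up waiting for a reply to DATA
SERVER_IDLE_TIMEOUT = 300.0   # receiving MTA reaps a session that went silent
DELIVERY_TIME = 1.0           # cost of one clean, accepted message


@dataclass
class Delivery:
    msg: str
    finished_at: float   # simulated time at which the sender was done with the message
    status: str          # "delivered", "bounced" or "deferred"


def enforce(action: str) -> Tuple[float, str, float]:
    """Model one infected message hitting the enforcement point during DATA.

    Returns (seconds the sender is stuck, sender-side result,
             seconds the receiving server keeps the session open)."""
    if action == "proxy_reject":
        # An SMTP-aware proxy answers DATA with a permanent 5xx reply; the
        # sender bounces the message and moves on. No session reaches the
        # real server for this message.
        return DELIVERY_TIME, "bounced", 0.0
    if action == "drop":
        # Packets silently dropped mid-transaction: the sender waits for a
        # reply that never comes, the server waits for data that never comes.
        return SENDER_DATA_TIMEOUT, "deferred", SERVER_IDLE_TIMEOUT
    if action == "reset":
        # Packets dropped, but a TCP RST is sent toward both ends, so each
        # side tears the session down at once. The sender still defers and
        # will retry the message later.
        return DELIVERY_TIME, "deferred", 0.0
    raise ValueError(f"unknown action {action!r}")


def run_queue(messages: List[str], action: str) -> Tuple[List[Delivery], float]:
    """Drain a sender MTA queue in order over a single connection slot.

    Messages whose id starts with "INFECTED" are the ones the IPS acts on.
    Returns the per-message outcome and the total seconds the receiving
    server spent holding sessions opened for infected messages."""
    now = 0.0
    server_busy = 0.0
    out: List[Delivery] = []
    for msg in messages:
        if msg.startswith("INFECTED"):
            stuck, status, held = enforce(action)
            now += stuck
            server_busy += held
        else:
            now += DELIVERY_TIME
            status = "delivered"
        out.append(Delivery(msg, now, status))
    return out, server_busy


def delay_behind_infected(messages: List[str], action: str) -> float:
    """Extra wait (seconds) the last message in the queue suffers compared
    with a queue in which every message was clean."""
    outcomes, _ = run_queue(messages, action)
    baseline = DELIVERY_TIME * len(messages)
    return outcomes[-1].finished_at - baseline


if __name__ == "__main__":
    queue = ["msg-1", "INFECTED-2", "msg-3", "msg-4"]   # constructed sample queue
    for action in ("proxy_reject", "drop", "reset"):
        outcomes, held = run_queue(queue, action)
        print(f"{action:13s} last message done at t={outcomes[-1].finished_at:5.0f}s,"
              f" server held sessions for {held:4.0f}s,"
              f" infected message -> {outcomes[1].status}")
```

With these assumed numbers the silent drop holds every message behind the infected one for the sender's full DATA timeout and leaves the receiving server with a session to reap, while both the proxy reject and the reset let the queue keep moving; the proxy reject is the only action that also produces a definitive answer (a bounce) for the bad message instead of a deferral that will be retried.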


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

