IDS mailing list archives
RE: Changes in IDS Companies?
From: Mike Shaw <mshaw () wwisp com>
Date: Fri, 18 Oct 2002 09:56:38 -0500
At 01:02 PM 10/17/2002 -0400, Oliver Petruzel wrote:
> One problem that I'm seeing is a lack of understanding of IPS and its true definition. IMNSHO, there must always be the 'H', as in 'HIPS'. There can not be an "inline", or NIPS, which will be very effective, due to encryption on the wire. The IPS systems MUST be placed at the host. Anything else is truly just old NIDS technology sending traps on "obvious" attacks.
I disagree. You're assuming the only type of NIDS rules are signature based, and that all NIDS is high up in OSI. But there are some very effective intuitive NIDS things.
For instance, put a rule in that fires when your database server attempts to contact any outside destination. Sure the firewall will (should) stop this, but what if an intruder has figured out a way through the firewall? Put a rule in that fires when the database server makes *any* suspicious/unexpected connection to internal boxes as well.
This is just one thing off the top of my head. If all you're doing is loading a bunch of signatures written off-site, then you have a pretty weak IDS strategy and your IPS strategy will cause more headaches than anything. A good strategy must involve custom rules written for the environment. IMO these custom rules are where IPS should reside.
-Mike
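
Added example, not part of the original post: a sketch of the environment-specific rule described in the message above, applied to connection-initiation records. The database server address, the internal range, the list of expected peers and the sample flows are all constructed assumptions.

```python
import ipaddress

# All addresses, ports and peers below are constructed for illustration.
DB_SERVER = ipaddress.ip_address("10.0.5.20")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Internal connections the database server is expected to initiate.
EXPECTED_INTERNAL = {
    ("10.0.1.53", "udp", 53),    # DNS resolver
    ("10.0.1.10", "tcp", 514),   # syslog collector
    ("10.0.5.21", "tcp", 5432),  # replica
}

def classify(flow):
    """Return an alert name for a connection initiated by the DB server, else None.

    Each flow describes who opened the connection (src) and to where (dst),
    so replies the server sends to its own clients never appear with it as src.
    """
    if ipaddress.ip_address(flow["src"]) != DB_SERVER:
        return None
    dst = ipaddress.ip_address(flow["dst"])
    if not any(dst in net for net in INTERNAL_NETS):
        return "DB_OUTBOUND_EXTERNAL"
    if (str(dst), flow["proto"], flow["dport"]) not in EXPECTED_INTERNAL:
        return "DB_UNEXPECTED_INTERNAL"
    return None

def evaluate(flows):
    """Return (alert, destination, port) for every flow that trips the rule."""
    alerts = []
    for flow in flows:
        alert = classify(flow)
        if alert:
            alerts.append((alert, flow["dst"], flow["dport"]))
    return alerts

# Constructed sample: one client connection, two expected and two unexpected flows.
SAMPLE_FLOWS = [
    {"src": "10.0.3.15", "dst": "10.0.5.20", "proto": "tcp", "dport": 5432},
    {"src": "10.0.5.20", "dst": "10.0.1.53", "proto": "udp", "dport": 53},
    {"src": "10.0.5.20", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},
    {"src": "10.0.5.20", "dst": "10.0.3.15", "proto": "tcp", "dport": 445},
    {"src": "10.0.5.20", "dst": "10.0.5.21", "proto": "tcp", "dport": 5432},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(alert)
```

The rule needs only addresses, protocol and port, so it still fires when the payload is encrypted.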