IDS mailing list archives

RE: Changes in IDS Companies?


From: Mike Shaw <mshaw () wwisp com>
Date: Fri, 18 Oct 2002 09:56:38 -0500

At 01:02 PM 10/17/2002 -0400, Oliver Petruzel wrote:
> One problem that I'm seeing is a lack of understanding of IPS and its
> true definition.  IMNSHO, there must always be the 'H', as in 'HIPS'.
>
> There cannot be an "inline", or NIPS, which will be very effective, due
> to encryption on the wire.  The IPS systems MUST be placed at the host.
> Anything else is truly just old NIDS technology sending traps on
> "obvious" attacks.

I disagree. You're assuming the only type of NIDS rules are signature based, and that all NIDS is high up in OSI. But there are some very effective intuitive NIDS things.

For instance, put a rule in that fires when your database server attempts to contact any outside destination. Sure the firewall will (should) stop this, but what if an intruder has figured out a way through the firewall? Put a rule in that fires when the database server makes *any* suspicious/unexpected connection to internal boxes as well.

This is just one thing off the top of my head. If all you're doing is loading a bunch of signatures written off-site, then you have a pretty weak IDS strategy and your IPS strategy will cause more headaches than anything. A good strategy must involve custom rules written for the environment. IMO these custom rules are where IPS should reside.

-Mike
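As an added illustration of the kind of environment-specific rule described above (this is example code written for this archive page, not something Mike posted): the two rules, "the database server initiates a connection to anything outside" and "the database server initiates a connection to an internal host it has no business talking to", are checked over a few constructed connection records. The addresses, the expected-peer list, and the one-line record format are all assumptions made up for the example. Note that the rules key on who *initiated* the connection (the SYN), so the database server answering its normal clients is not mistaken for the server reaching out; and because they look only at addresses, ports and flags, they work the same whether or not the payload is encrypted.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical environment (assumed for this example, not taken from the post).
DB_SERVER = ipaddress.ip_address("10.0.2.15")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Internal peers the DB server legitimately initiates connections to
# (hypothetical): a backup host on TCP/22 and a log collector on TCP/514.
EXPECTED_INTERNAL = {
    (ipaddress.ip_address("10.0.3.10"), 22),
    (ipaddress.ip_address("10.0.9.5"), 514),
}

# The same first rule written as a Snort-style signature, for comparison
# (illustrative; adjust to the local rule language and variables):
#   alert tcp 10.0.2.15 any -> ![10.0.0.0/8,192.168.0.0/16] any
#       (msg:"DB server initiated outbound connection"; flags:S; sid:1000001; rev:1;)


@dataclass(frozen=True)
class Conn:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    syn_only: bool  # True when this record is the initiating SYN (client side)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one constructed record: '<src>:<sport> -> <dst>:<dport> <tcpflags>'."""
    left, right = line.split(" -> ")
    src, sport = left.rsplit(":", 1)
    fields = right.split()
    dst, dport = fields[0].rsplit(":", 1)
    flags = fields[1] if len(fields) > 1 else ""
    return Conn(ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), flags == "S")


def classify(conn):
    """Apply the two custom rules; return an alert string or None."""
    # Only connections *initiated by* the DB server are of interest. A SYN/ACK
    # from the server to a normal client also has src == DB_SERVER, so without
    # the flag check every ordinary query would fire the rule.
    if conn.src != DB_SERVER or not conn.syn_only:
        return None
    if not is_internal(conn.dst):
        return f"DB_OUTBOUND: {conn.src} -> {conn.dst}:{conn.dport}"
    if (conn.dst, conn.dport) not in EXPECTED_INTERNAL:
        return f"DB_UNEXPECTED_INTERNAL: {conn.src} -> {conn.dst}:{conn.dport}"
    return None


def scan(lines):
    """Run the rules over an iterable of record lines; return the alerts in order."""
    return [a for a in (classify(parse_line(l)) for l in lines if l.strip()) if a]


# Constructed sample records (not real traffic): a client querying the DB,
# the DB's reply, two expected internal connections, one outbound connection
# to an external host, and one unexpected SMB connection to an internal host.
SAMPLE = """\
10.0.5.20:51000 -> 10.0.2.15:1433 S
10.0.2.15:1433 -> 10.0.5.20:51000 SA
10.0.2.15:40001 -> 10.0.3.10:22 S
10.0.2.15:40002 -> 203.0.113.7:80 S
10.0.2.15:40003 -> 10.0.5.20:445 S
10.0.2.15:40004 -> 10.0.9.5:514 S
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE.splitlines()):
        print(alert)
```

Running it prints the two alerts (the HTTP connection to 203.0.113.7 and the SMB connection to 10.0.5.20) and stays quiet on the client query, the server's reply, and the two expected internal connections. The expected-peer list is the part that has to be written per environment, which is exactly the point being made in the post.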


