IDS mailing list archives

Re: Network IDS


From: Frank Knobbe <frank () knobbe us>
Date: Thu, 28 Aug 2003 11:18:26 -0500

On Thu, 2003-08-28 at 06:15, Mark Teicher wrote:
Again off the beaten path, your description below is a HoneyPot, not an IPS.

At 01:15 PM 8/27/2003, Frank Knobbe wrote:
Another idea you could use this for is automated containment of
intrusions. Yeah, your box may be hacked by the time the IDS analyzes
the packet, but the reaction (i.e. firewall config) can be done to
automatically isolate that box so that the hacker can't get in or worms
break out. Same thing you would do by hand, except the IDS does it for
you much faster and at 4am when you're not there.


Howdy Mark,

I'm not sure that this fits a honeypot exactly. Honeypots' (and I'm sure
Lance will correct me quickly where I'm wrong ;) main or original
purpose was to detect unauthorized happenings, and in some cases maybe
even attract them or through sheer presence distract from the real
jewels. It is more focused on identifying the attacker, not protecting
the host it is installed on. (Though through its installation it is
protecting the network...)

There are some tools, like Bait'n'Switch, that will actually protect
networks by rerouting/blocking an intruder that puts his fingers into the
honeypot. Other solutions are more host-based (i.e. HIPS), but I haven't
seen a lot of network-based solutions aimed at identifying and isolating
hacked systems. But again, when talking about these technologies, we're
getting off the path we're on. I just doubt that we are on a honeypot
path.

Cheers,
Frank
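The automated containment Frank describes (IDS sees the attack, the firewall isolates the compromised box) as an added example that is not part of the thread or any product it mentions: it parses constructed Snort-style "fast" alert lines, counts high-priority alerts per victim host, skips a protected-host list so a spoofed attack cannot trick the responder into cutting off the gateway or DNS, and emits illustrative iptables quarantine rules as strings rather than executing them. The alert lines, addresses and thresholds are hypothetical.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort "fast" alert style (hypothetical data,
# not from the thread): [gid:sid:rev] msg [Priority: N] {proto} src:port -> dst:port
SAMPLE_ALERTS = """\
08/28-04:02:11.120 [**] [1:2003:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.9:4412 -> 192.0.2.20:80
08/28-04:02:12.455 [**] [1:2003:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.9:4413 -> 192.0.2.20:80
08/28-04:02:14.002 [**] [1:1000:1] SHELLCODE x86 NOOP [**] [Priority: 1] {TCP} 203.0.113.9:4414 -> 192.0.2.20:80
08/28-04:03:30.900 [**] [1:366:7] ICMP PING NMAP [**] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.1
08/28-04:04:01.300 [**] [1:2003:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.9:4415 -> 192.0.2.1:80
"""

ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Hosts that must never be auto-isolated: gateway, DNS, the IDS sensor itself (assumed addresses).
PROTECTED_HOSTS = {"192.0.2.1", "192.0.2.53", "192.0.2.254"}

def parse_alerts(text):
    """Yield (priority, src, dst) for each line matching the fast-alert format."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group("prio")), m.group("src"), m.group("dst")

def hosts_to_isolate(text, max_priority=1, threshold=2):
    """Return victim hosts that were the target of at least `threshold`
    alerts of priority <= max_priority, excluding protected infrastructure.
    The threshold keeps a single noisy signature from quarantining a host."""
    hits = Counter(dst for prio, _, dst in parse_alerts(text)
                   if prio <= max_priority and dst not in PROTECTED_HOSTS)
    return sorted(h for h, n in hits.items() if n >= threshold)

def isolation_rules(host):
    """Illustrative iptables rules quarantining a host on a forwarding firewall.
    Returned as strings for review and logging, not executed here."""
    return [
        f"iptables -I FORWARD 1 -s {host} -j DROP",   # nothing leaves the box (worm containment)
        f"iptables -I FORWARD 1 -d {host} -j DROP",   # nothing reaches it (cuts the attacker's access)
    ]

if __name__ == "__main__":
    for h in hosts_to_isolate(SAMPLE_ALERTS):
        print("\n".join(isolation_rules(h)))
```

With the sample data only 192.0.2.20 is quarantined: 192.0.2.1 is hit too but sits on the protected list, and the priority-3 scan never counts.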

