Re: Network hardware IPS

[Alvin Wong <alvin.wong () b2b com my>]

Hi Ravi,

Thanks for sharing your opinions. Do you have a particular Inline IPS to
recommend or can share experiences with IPS?

Regards,
Alvin

On Tue, 2003-09-30 at 12:54, Ravi Kumar wrote:
> Hi Alvin,
> Setting up a complete security with all the currently available tools
> IMHO,the set up can look like this
>
>    INTERNET------- Security Gateway device -----CORPORATE network
>
> Security gateway device should have
>          - A stateful pakcet inspection Firewall
>            - content filtering and Antivirus
>            - and above all Inline IPS. I stress it should be working in 
> hand with firewall
>
> Deploying IDS can only alert you about incoming attacks and by the time we 
> react the damage is
> happened. To get good understanding of the entire traffic coming from 
> Internet, the correct tap point is
> the gateway of the network. Not to miss a single packet we need 
> to  process  packets inline
> That suggests us for a Inline IDS.Even though security is not completely 
> achieved.After we identify the attacks the correct mechanism could be 
> blocking them there itself.
>
> Take the example of snort_inline.
>          -Takes the packets from iptables
>            - uses snort to detect and
>            - blocks the connection by sending TCP resets.
> snort_inline uses libipq to queue the packets to user space. I agree that 
> moving packets from user space and back to kernel space consumes lots 
> of  processing time. The solution could be
>
>           - Inline IPS that works in the Kernel space
>    Lots of Inline IDS tools that are available to public works in user 
> space. Hogwash, snort_inline etc takes the packets to user space for 
> processing.
> Hogwash differs  from the snort_inline in the way it takes packets to user 
> space. It also uses the same snort engine for processing.
>
> If any differ please point out, Iptables and snort_inline may not be a 
> complete solution. As I said earlier,
> the box requires more than IPtables.
>
>
> Regards,
> Ravi
>
>
>
>
> At 04:30 PM 9/29/03 +0800, Alvin Wong wrote:
> > Hi,
> >
> > I'm interested to find out if anyone can share their experiences or
> > recommend a network hardware IPS that is deployed in front of the
> > gateway which is able to detect attack signatures and at the same time,
> > actively blocking out these attacks, alerting me in the process.
> >
> > This would be different from a passive IDS which depends on correlating
> > the logs every time an alert pops up. An ideal solution would be to be
> > able to detect the patterns and prevent them automatically, can a
> > network IPS do this?
> >
> > I understand that it is possible in some IDS to do a TCP reset after one
> > had confirmed that the connection is not acceptable, can anyone explain
> > whether an IDS that can do this be actually "active" as opposed to
> > passive?
> >
> > It would also be interesting if there could be some amount of trend
> > analysis built in which can review the destination/source ip traffic
> > over time, which can be used to identify particular boxes which are
> > easily targeted, which would mean that more work needs to be done for
> > that box.
> >
> > Regards,
> > Alvin
> >
> >
> >
> > ---------------------------------------------------------------------------
> > Captus Networks IPS 4000
> > Intrusion Prevention and Traffic Shaping Technology to:
> >  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> >  - Automatically Control P2P, IM and Spam Traffic
> >  - Precisely Define and Implement Network Security & Performance Policies
> > FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> > http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> > ---------------------------------------------------------------------------
>
> The Views Presented in this mail are completely mine. The company is not 
> responsible for what so ever.
>
> ----------
> Ravi Kumar CH
> Rendezvous On Chip (I) Pvt Ltd
> Hyderabad, INDIA
>
> ROC HOME PAGE:
> http://www.roc.co.in
>
>
>
> ---------------------------------------------------------------------------
> Captus Networks IPS 4000
> Intrusion Prevention and Traffic Shaping Technology to: 
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Automatically Control P2P, IM and Spam Traffic
>  - Precisely Define and Implement Network Security & Performance Policies
> FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
> http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> ---------------------------------------------------------------------------


---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------