IDS mailing list archives
Re: NIPS Vendors explicit answer
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 26 Apr 2004 19:04:14 -0500
On Mon, 2004-04-26 at 18:53, Vikram Phatak wrote:
> There are many reasons for not immediately remediating a vulnerability by patching a system - (1) not enough time, (2) it may break an application you rely on, (3) not allowed to touch the system until the maintenance window, and so on. As far as focusing on the vulnerabilities... Focusing on the vulnerabilities enables us to protect systems until they are patched. Preventing vulnerabilities from being exploited is how we keep worms and other attacks from successfully compromising systems. If there were no vulnerabilities, there would be little need for Intrusion Prevention.
True. It seems I was focusing on the detection part, not the prevention part. A product that shields existing vulnerabilities from a network does have merit. I think I just question why we need the product. It appears that it would allow us to be more complacent with our networks. Why patch the system when the IPS shields it? There seem to be two sides to the IPS-shielding-the-network approach. I can see where it is useful (especially when running Microsoft products, the latest SSL issue being the perfect example). But at the same time it is only a band-aid until the hosts are patched. Shouldn't we focus our preventative efforts on the hosts? (not dispelling IPS, but we should use it as a substitute for securing systems).
> As far as looking the wrong way.... I would argue that some IPS vendors that have not reviewed the mission of IPS versus the mission of IDS are looking the wrong way :-)
Is that why Gartner got confused? ;)
> Why not just disallow outgoing traffic from the web server in your firewall? Besides which by the time you detect this behavior the system is already compromised. How does this approach prevent anything from being compromised?
Oh sure, the firewall will hopefully prevent the outbound connection from the web server. But that is traffic that can (and should) be detected. The example (as most of my line of thought) was focused on detection. To restate my sentiments: In my opinion, VA related info should be of no concern for an IDS. However, VA info should be of importance for an IPS. Network behavior should be of importance to an IDS, as well as a flow-based IPS. But aren't flow-based IPSs the same as firewalls?

Cheers,
Frank

PS: Moderator, I hereby request the creation of a SecurityFocus Intrusion Prevention mail list... to keep the two beasts apart :)
Attachment:
signature.asc
Description: This is a digitally signed message part
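The exchange above turns on one design question: what does vulnerability-assessment (VA) data change for an inline IPS that it does not change for an IDS, and why is that shielding only a band-aid until the host is patched? The following toy policy engine, added here as an illustration and not code from the thread or from any vendor product, makes the distinction concrete. All host addresses, vulnerability labels (VULN-A etc.) and signature names are constructed for the example and do not refer to real advisories or real signature sets.

```python
"""Toy IDS-vs-IPS policy engine (added illustration, not from the thread).

An IDS verdict never consults the VA inventory: everything that matches a
signature is logged. An IPS verdict consults it: exploit traffic aimed at a
host whose last VA scan still lists the targeted finding as open is dropped;
everything else is only alerted on. A second function shows the limit of
shielding: an open finding with no matching signature is not protected at all,
which is why patching the host remains the real fix.
"""
from dataclasses import dataclass, field


@dataclass
class HostRecord:
    ip: str
    role: str
    # Findings from the most recent VA scan that are still unpatched.
    open_vulns: set = field(default_factory=set)


@dataclass
class Alert:
    src: str
    dst: str
    signature: str     # name of the detection signature that fired
    targets_vuln: str  # VA finding that this signature's exploit traffic targets


# Constructed VA inventory (hypothetical hosts and finding labels).
VA_INVENTORY = {
    "10.0.0.10": HostRecord("10.0.0.10", "web", {"VULN-A", "VULN-B"}),
    "10.0.0.20": HostRecord("10.0.0.20", "web", set()),      # fully patched
    "10.0.0.30": HostRecord("10.0.0.30", "db", {"VULN-C"}),
}

# Constructed signature set: signature name -> finding it shields.
SIGNATURES = {
    "exploit-a": "VULN-A",
    "exploit-c": "VULN-C",
}


def ids_verdict(alert: Alert) -> str:
    """IDS: record every match; VA status does not change what gets logged."""
    return "alert"


def ips_verdict(alert: Alert, inventory: dict) -> str:
    """IPS: drop exploit traffic only when the target is known to be exposed.

    Unknown hosts fall back to plain detection, so a stale or incomplete VA
    inventory degrades to IDS behaviour rather than to silent blocking.
    """
    host = inventory.get(alert.dst)
    if host is None:
        return "alert"
    if alert.targets_vuln in host.open_vulns:
        return "drop"
    return "alert"


def mark_patched(inventory: dict, ip: str, vuln: str) -> None:
    """Simulate the host being patched: the finding leaves the open set."""
    inventory[ip].open_vulns.discard(vuln)


def unshielded(inventory: dict, signatures: dict) -> dict:
    """Open findings that no signature covers: the IPS cannot shield these."""
    covered = set(signatures.values())
    gaps = {}
    for ip, host in inventory.items():
        missing = host.open_vulns - covered
        if missing:
            gaps[ip] = missing
    return gaps


def evaluate(alerts: list, inventory: dict) -> list:
    """Return (dst, signature, ids_verdict, ips_verdict) for each alert."""
    return [
        (a.dst, a.signature, ids_verdict(a), ips_verdict(a, inventory))
        for a in alerts
    ]


if __name__ == "__main__":
    # Constructed alerts: the same exploit aimed at a vulnerable and a patched host.
    sample = [
        Alert("203.0.113.5", "10.0.0.10", "exploit-a", "VULN-A"),
        Alert("203.0.113.5", "10.0.0.20", "exploit-a", "VULN-A"),
    ]
    for row in evaluate(sample, VA_INVENTORY):
        print(row)
    print("not shielded by any signature:", unshielded(VA_INVENTORY, SIGNATURES))
```

Running it shows the two positions in the thread side by side: the IDS verdict is "alert" for both hosts, the IPS verdict is "drop" only for the host whose scan still lists VULN-A, and once `mark_patched` removes that finding the IPS falls back to alerting. `unshielded` reports VULN-B on the web server, which has no signature at all, so the IPS gives it no protection whatever the VA data says.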
Current thread:
- NIPS Vendors explicit answer christian graf (Apr 08)
- Re: NIPS Vendors explicit answer christian graf (Apr 19)
- <Possible follow-ups>
- RE: NIPS Vendors explicit answer Kohlenberg, Toby (Apr 12)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 26)
- Re: NIPS Vendors explicit answer Ron Gula (Apr 26)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 27)
- Re: NIPS Vendors explicit answer Frank Knobbe (Apr 27)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 27)
- Message not available
- Re: NIPS Vendors explicit answer Frank Knobbe (Apr 27)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 27)
- RE: NIPS Vendors explicit answer Rob Shein (Apr 28)
- RE: NIPS Vendors explicit answer Frank Knobbe (Apr 30)
- RE: NIPS Vendors explicit answer Rob Shein (Apr 30)
- Re: NIPS Vendors explicit answer Ron Gula (Apr 26)
- Re: IDSes and known attacks (was: NIPS Vendors explicit answer) Drexx Laggui (Apr 28)
- Re: NIPS Vendors explicit answer Ron Gula (Apr 28)
- Re: NIPS Vendors explicit answer Vikram Phatak (Apr 28)