IDS mailing list archives

RE: Hi, I want to study IPS


From: "Ingevaldson, Dan (ISS Atlanta)" <dsi () iss net>
Date: Fri, 14 May 2004 15:04:20 -0400

Of course it is true that there are no laws that govern what product
should fall into which bucket.  Being an employee of ISS, I can assure
you that ISS RealSecure Network is not marketed or sold as an IPS, but
an IDS.  RealSecure (a passive IDS) has the ability to drop connections
via TCP RSTs just like many other IDSs, but this is an obvious limitation
of the technology.  TCP RSTs are not effective at blocking single-packet
attacks, and obviously cannot block anything that isn't TCP-based.  IDS
technology was not designed to block attacks, and therefore isn't very
good at it.  It is however very good at monitoring segments for
malicious traffic.

The ISS Proventia product line is based upon RealSecure IDS technology
that is deployed on an "inline" appliance.  The acid-test for a network
IPS is if the box is inline or not.  Inline devices can kill
connections, drop packets, or even rewrite packets on the fly no matter
what type or protocol.  In my opinion, there isn't a lot of confusion
out there about what a network-based IPS really is.  Host-based IPS is a
different matter entirely.

------------------
Daniel Ingevaldson
Director, X-Force R&D/PSS
dsi () iss net 
404-236-3160
 
Internet Security Systems, Inc.
Ahead of the Threat
http://www.iss.net
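The distinction Dan draws above (a passive sensor that can only answer a detected TCP flow with RSTs, versus an inline device that drops the offending packet before it is forwarded) is easy to see in a small simulation. The following Python is an added example written for this archive page; it is not ISS code and it does not model RealSecure or Proventia internals. The packet layout, the `SIGNATURE` byte pattern and the traffic in `sample_traffic()` are all constructed for the illustration.

```python
"""Passive (RST-based) IDS versus inline IPS on the same constructed packet stream.

Added example for this thread; the packet format and traffic are made up.
"""
from dataclasses import dataclass

# Constructed detection signature: any payload containing this is "malicious".
SIGNATURE = b"ATTACK"


@dataclass
class Packet:
    proto: str        # "TCP" or "UDP"
    flow: tuple       # (proto, src_ip, dst_ip, src_port, dst_port)
    payload: bytes


def matches(pkt: Packet) -> bool:
    """Signature check shared by both sensor types."""
    return SIGNATURE in pkt.payload


class Target:
    """The protected host: records what actually reached it."""

    def __init__(self) -> None:
        self.delivered: list[Packet] = []
        self.reset_flows: set[tuple] = set()

    def receive(self, pkt: Packet) -> None:
        # A flow torn down by a RST no longer delivers data.
        if pkt.flow in self.reset_flows:
            return
        self.delivered.append(pkt)

    def reset(self, flow: tuple) -> None:
        self.reset_flows.add(flow)


def run_passive_ids(packets: list[Packet]) -> tuple[list[Packet], list[Packet]]:
    """Passive sensor on a tap/SPAN port.

    It only ever sees a copy of the packet, so the original is already on its
    way to the target when detection fires. The only reaction available is a
    TCP RST, which tears down the REST of the flow and does nothing for UDP.
    This model assumes the RST is always accepted (idealised sensor).
    """
    target, alerts = Target(), []
    for pkt in packets:
        target.receive(pkt)            # copy seen by sensor, original forwarded
        if matches(pkt):
            alerts.append(pkt)
            if pkt.proto == "TCP":
                target.reset(pkt.flow)  # later packets in this flow are killed
    return target.delivered, alerts


def run_inline_ips(packets: list[Packet]) -> tuple[list[Packet], list[Packet]]:
    """Inline device: every packet passes through it and can be dropped
    before forwarding, regardless of protocol or whether a flow exists."""
    target, alerts = Target(), []
    for pkt in packets:
        if matches(pkt):
            alerts.append(pkt)
            continue                   # dropped on the floor, never forwarded
        target.receive(pkt)
    return target.delivered, alerts


def sample_traffic() -> list[Packet]:
    """Constructed traffic (not a capture): one multi-packet TCP session,
    one single-packet UDP attack and one single-packet TCP attack."""
    tcp_a = ("TCP", "10.0.0.5", "10.0.0.80", 5555, 80)
    udp_b = ("UDP", "10.0.0.6", "10.0.0.53", 4444, 53)
    tcp_c = ("TCP", "10.0.0.7", "10.0.0.80", 6666, 80)
    return [
        Packet("TCP", tcp_a, b"GET / HTTP/1.0\r\n"),
        Packet("TCP", tcp_a, b"ATTACK stage 1"),
        Packet("TCP", tcp_a, b"ATTACK stage 2"),
        Packet("UDP", udp_b, b"ATTACK dns"),
        Packet("TCP", tcp_c, b"ATTACK once"),
    ]


def malicious_reaching_target(runner) -> list[bytes]:
    """Payloads of malicious packets the target still received under `runner`."""
    delivered, _ = runner(sample_traffic())
    return [p.payload for p in delivered if matches(p)]


if __name__ == "__main__":
    print("passive IDS let through:", malicious_reaching_target(run_passive_ids))
    print("inline IPS let through: ", malicious_reaching_target(run_inline_ips))
```

Running it shows the passive sensor alerting on all four malicious packets but still letting three of them reach the target: the first packet of the TCP session (the RST only stops what follows), the single UDP packet (no connection to reset) and the single-packet TCP attack (nothing left to kill). The inline device forwards only the benign request. The model is generous to the passive IDS: a real RST has to carry an acceptable sequence number and win the race against the next segment, so in practice even the "stage 2" block is not guaranteed.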

-----Original Message-----
From: Velasquez Venegas Jaime Omar [mailto:jaime () ulima edu pe] 
Sent: Thursday, May 13, 2004 2:46 PM
To: focus-ids () securityfocus com
Subject: RE: Hi, I want to study IPS

Back when I was recently exposed to the IPS term, I tried to understand it
and could hardly put it in a well-structured category of IDS.
When I got into the details of what each one does, I found out
that there is no unique definition for such a term.
Every vendor will take the best part of other similar technologies and
will call it whatever it wants to call it.
Can ISS RealSecure be defined as just an IPS or an IDS even if it has
the ability to drop/reset TCP connections? Yes and no. I mean, by
dropping/resetting a connection it is not being a simple sniffer; it is
taking an action indeed.
Now, I try to stick to the IPS definition that says that an IPS is:
an inline security device which not only sniffs as much traffic as it
can, but has the WHOLE traffic go through it.
It is able to take some action based on an Intrusion Engine
(Behaviour/Signature Analysis).

Jaime Velasquez


-----Original Message-----
From: Shawn [mailto:wjveno () shaw ca]
Sent: Thursday, May 13, 2004 00:29
To: 'cto'
Cc: focus-ids () securityfocus com
Subject: RE: Hi, I want to study IPS


IDS and IPS use the same tools and the same abilities. They are
actually the same. IPS came out as a "catch phrase" for a "different"
solution than IDS. Please refer to the recent postings from "Frank
Knobbe" and "Jason" as a reference. Don't get fooled by terminology, and
remember there is no "one" solution. Many of us use 4 or 5 types of
systems to pull everything together into an IDS solution. Best of luck
with your task. HAGO.


Wil Veno
wjveno () shaw ca
shawn () whitehats ca

-----Original Message-----
From: cto [mailto:cto () kdds co kr]
Sent: Tuesday, May 11, 2004 7:10 PM
To: focus-ids () securityfocus com
Subject: Hi, I want to study IPS


Hi,
My name is Kyle and I am a developer.

I'm developing a NIPS(Network Intrusion Prevention System).
I wonder what the difference is between a NIDS and a NIPS.
Where can I acquire documents or anything that explains NIPS? Please let
me know.

Have a nice day!!!

PS: I'm sorry for poor English.

