IDS mailing list archives

Re: stateful vs stateless


From: Jet <yenjet () gmail com>
Date: Mon, 22 Nov 2004 08:43:24 +0800

Hi Jochen, let me expand your question a bit to make it clearer.

On Fri, 19 Nov 2004 12:35:51 +0100, Jochen Vogel <jvogel () it-sec de> wrote:
hi,

-what are stateful and stateless doing exactly in an IPS?
-what are the differences?
-how is the behaviour in a high availability environment?


1. What exactly are stateful and stateless doing in an IPS?

It depends on the location of the IPS.
If the IPS is behind a stateful firewall, then there is not much difference.
If the IPS is not behind any firewall or is merely protected by a stateless
firewall, then:
- The stateful feature helps to reduce false alarms.
- The stateful feature helps to speed up the detection process.

2. What are the differences between stateful and stateless in an IPS?

Both stateful and stateless happen in the detection process,
not in the protection/prevention process. Their differences should be
very clear.
Stateless detection might have a higher rate of false alarms.

3. How should they behave in an HA environment?

I haven't experienced any IPS in an HA network.
I will let other experts answer this better.
Anyway, I think the IPS should assume everything is stateless.

-- 
Jet
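
An added illustration of the false-alarm point in the reply above (not part of the original post): the same signature is run statelessly and statefully over a constructed packet list. The addresses, ports, signature and function names are assumptions made for the example, and the handshake tracking ignores sequence numbers.

```python
from collections import namedtuple

# Constructed sample traffic; addresses, ports and the signature are illustrative.
Pkt = namedtuple("Pkt", "src sport dst dport flags payload")
SIGNATURE = b"/etc/passwd"
REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"

PACKETS = [
    # Flow A: full three-way handshake, then a request carrying the signature.
    Pkt("10.0.0.5", 40000, "10.0.0.80", 80, "S", b""),
    Pkt("10.0.0.80", 80, "10.0.0.5", 40000, "SA", b""),
    Pkt("10.0.0.5", 40000, "10.0.0.80", 80, "A", b""),
    Pkt("10.0.0.5", 40000, "10.0.0.80", 80, "PA", REQUEST),
    # Stray packet: same payload, but no handshake was ever seen for this flow,
    # so no server application would have accepted the data.
    Pkt("10.0.0.9", 41000, "10.0.0.80", 80, "PA", REQUEST),
]

def stateless_alerts(packets):
    """Match the signature on every packet in isolation."""
    return [i for i, p in enumerate(packets) if SIGNATURE in p.payload]

def stateful_alerts(packets):
    """Match the signature only on flows that completed a TCP handshake."""
    state = {}  # (client, cport, server, sport) -> "SYN" | "SYN_ACK" | "EST"
    alerts = []
    for i, p in enumerate(packets):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            state[fwd] = "SYN"
        elif p.flags == "SA" and state.get(rev) == "SYN":
            state[rev] = "SYN_ACK"
        elif "A" in p.flags and state.get(fwd) == "SYN_ACK":
            state[fwd] = "EST"
        if "R" in p.flags or "F" in p.flags:
            # Teardown: forget the flow and skip inspection of this packet.
            state.pop(fwd, None)
            state.pop(rev, None)
            continue
        established = state.get(fwd) == "EST" or state.get(rev) == "EST"
        if established and SIGNATURE in p.payload:
            alerts.append(i)
    return alerts

if __name__ == "__main__":
    print("stateless:", stateless_alerts(PACKETS))
    print("stateful: ", stateful_alerts(PACKETS))
```

The stateless pass alerts on both payload packets, while the stateful pass alerts only on the one inside an established connection and never runs the signature match on the stray packet.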
