IDS mailing list archives
RE: Wishlist for IPS Products
From: "Paine, Steve" <Steve.Paine () ish com>
Date: Mon, 13 Sep 2004 09:59:46 +0200
Having been through the IPS purchasing cycle, I can input my thoughts. (personal of course)

I think the next big step in IPS will be packet correction/content correction. Currently most IPSs are packet-based filters passing or dropping packets only.

So my wish for next-gen IPS is:

We need to be able to cover content checking for non-time critical flows. Email, HTTP. This will allow us to check:
- cross-site scripting issues.
- gzip encoded content checking for html, mime etc. (requires full-stream buffering!)
- email viruses/spam signature check

For the future:

In effect, the ultimate consumer product would be a combination of all in-line device activities into one unit. However, I can't see these market segments converging very quickly as there's too many people making too much money out of dedicated devices.

My ideal in-line policer would have:
- Basic port-based stateful firewall
- Intrusion prevention by signature
- Intrusion prevention by anomaly (using historical traffic profiling)
- Anti-virus capabilities (offload to external content scanner?)
- DOS prevention and DOS traceback assistance.
- Traffic policing/shaping on protocol deep-inspection basis (not just policing TCP port numbers - this is a requirement for the ever-moving P2P policing challenge)
- billing/statistics output (for usage based services)
- Web-site blocking
- Traffic analysis, growth, projections, analysis - per protocol.
- Lawful interception interfaces for ISPs.
- Asymmetric traffic capability.

Plus all the normal requirements for an in-line device:
- Gbps throughput.
- Gigabit ports. (optical)
- Minimal latency (<2ms)
- Drop-in architecture (bridge mode)
- High availability mode (active-standby)
- Load-sharing mode (active-active)
- 240v or 48v operation with dual PSU.
- Management LAN interface (10/100)
- Graphical user interface
- Syslog output.
- SNMP trap output.
- SNMP management capability.
- NTP time syncing.
- 19" rack mountable
- Live update of ruleset and signatures. (no downtime)
- Minimal downtime for OS upgrades.
Hope this helps the manufacturers. It probably helps those looking for a device too!!

Steve.

-----Original Message-----
From: PS R [mailto:secureyourself () gmail com]
Sent: Friday, September 10, 2004 4:18 PM
To: focus-ids () securityfocus com
Subject: Wishlist for IPS Products

I have seen a lot of discussion about the differences between IDS, IPS, and firewalls and the potential for convergence, but I do not recall a discussion on the primary features that an IPS should have out of the box. I am thinking of:

- Flow Control - limitations on flooding, unused connections, etc...
- Robust, ACCURATE signature base
- Packet capture - no debate on how much before, as that has been covered
- Pre-deployment network analysis tools to accelerate deployment
- Anomaly detection
- Alert export compatibility with 3rd party event management solutions

It seems like discussions of this type can only serve to improve the products on the market (or coming to the market), since we know at least some of the vendors are monitoring this list.

Jack

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------