IDS mailing list archives

Re: CISCOs new IPS

From: ADT <synfinatic () gmail com>
Date: Thu, 6 Jan 2005 22:44:44 -0800

/me sigh

Why do people continue to claim that firewall/router ACL shunning is
an effective attack prevention mechanisim?  So many attacks nowadays
can be contained in a single packet which these "solutions" can't
stop.  Not to mention the obvious race condition which may allow
subsequent packets to pass.

Nobody would try to sell or be willing to buy a "firewall" which
sniffs traffic and updates a router ACL, but yet this is somehow
acceptable as a protection mechanisim for malicious traffic.

WTF?

-Aaron

-- 
http://synfin.net

On Thu, 6 Jan 2005 14:18:10 -0600, Billy Dodson <billy () pmicromart com> wrote:

The cisco IPS is not quite what I thought it was going to be.  The IPS
is intended for use at branch offices or remote users where you would
not normally spring for a fire-walling device.  The IPS is nothing more
then a IOS router with IOS firewall and the IDS engine.  The IPS is just
software that runs on a cisco router.  It can use around 740 signatures
from the cisco IDS to run its "prevention".  It basically turns your
router into a small IDS/firewall.  It will be able to create access
lists or shuns on the fly.  The same as a current cisco IDS works in
conjunction with an IOS router or PIX firewall.  This device is not
intended to be the first line of defense within the network.

The cisco IPS is not replacing the cisco IDS.  The cisco IDS is still a
good product and can be used as a prevention device when used in
conjunction with a router or firewall.  You can configure the sensor to
send commands to the router or firewall to Shun the connection or create
an access list on a router.


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

Current thread:

Re: CISCOs new IPS loloinfo (Jan 05)
- <Possible follow-ups>
- RE: CISCOs new IPS Billy Dodson (Jan 06)
  - Re: CISCOs new IPS ADT (Jan 08)
  - Re: CISCOs new IPS Krystian Antoni (Jan 08)
  - RE: CISCOs new IPS Gary Halleen (ghalleen) (Jan 10)
- RE: CISCOs new IPS Billy Dodson (Jan 08)
- RE: CISCOs new IPS Scruggs Stephen D SSgt AFWA/SCHS (Jan 12)