IDS mailing list archives
Re: Firewalls (was Re: IDS evaluations procedures)
From: Sanjay Rawat <sanjayr () intoto com>
Date: Tue, 26 Jul 2005 12:22:23 +0530
At 01:01 AM 7/26/2005, Devdas Bhagat wrote:
On 22/07/05 14:32 -0700, Swift, David wrote: Only if your "firewall" is a pure packet filter. Why not improve the IPS to disallow all traffic except that which is found to be legitimate. The subset of all traffic which is legitimate is far smaller and deterministic. And then you might as well terminate the connection right there and build a wholly new one which is known to be good. And then market it as a proxy?
Hi Dev,

Well... I disagree on the correctness of the sentence "...Why not improve the IPS to disallow all traffic except that which is found to be legitimate...." I think an IPS is also meant for this; otherwise it's simply an IDS. And more than this, how accurately we can define legitimate traffic is of paramount importance. You very well know that DoS traffic also looks legitimate as far as an individual packet/connection is concerned. The only thing I often get confused about is the line of demarcation between an application firewall (proxy) and an IPS. As you also mentioned, make some improvements in the product and market that as a proxy. If so, then what is it that we are calling an IPS?
Sanjay
I repeat: everything which is not known good is bad. Any security policy which attempts to enforce otherwise is broken. Oh well, history repeats itself.

Devdas Bhagat
Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta, Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 423
Website: www.intoto.com
Homepage: http://sanjay-rawat.tripod.com