IDS mailing list archives
RE: Excluding the bulk of UDP from IPS processing - What's the impact?
From: "Addepalli Srini-B22160" <saddepalli () freescale com>
Date: Wed, 26 Aug 2009 13:06:51 -0700
I imagine that you want to reduce the load on the IPS. If you are looking to protect any UDP servers such as IKE, NFS, SIP, L2TP etc., it is typically expected that the IPS inspects the traffic of UDP sessions that were initiated by untrusted machines. Since many IPS devices are stateful in nature, it is necessary to send packets from both client-to-server and server-to-client of these sessions to the IPS devices. That is, I don't think sending the out-to-in traffic alone is good enough, due to the statefulness of IPS devices. If the IPS device is inline with the firewall, then I guess it is not a problem as it gets hold of all packets anyway. But if it is an offline IPS device, then the firewall should have the intelligence to pass the traffic of these sessions to the IPS device.

Thanks
Srini
+++++++++++++++++++++++++++++++
Srinivasa Rao Addepalli
Chief Software Architect
Software Products Division
Freescale Semiconductor Inc.
Ph: 408-904-2761

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Bikram Gupta
Sent: Wednesday, August 26, 2009 5:17 AM
To: focus-ids () securityfocus com
Subject: Excluding the bulk of UDP from IPS processing - What's the impact?

Scenario: Perimeter IPS deployment, with a stateful firewall at the egress point.

Traffic from out to in: The firewall will block all unsolicited UDP ports. For the UDP ports where traffic is allowed (RTP data etc.) through the firewall, do I have to pass it through the IPS engine? Will there be cases of exploits in such cases? Some examples please.

Traffic from in to out: I believe IPS processing for UDP flows must be enabled here, to detect some of the p2p, IM, Skype, trojan etc. traffic.

I am trying to understand the impact if I bypass the UDP flows from the IPS device. Can this be done realistically for some UDP traffic (in->out, out->in), or NONE?

Thanks a lot.
Bikram

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
-----------------------------------------------------------------
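The point Srini makes about statefulness is easy to see with a toy model. The following is an added example, not code from the thread or from any vendor's IPS: a minimal UDP pseudo-session table of the kind a stateful engine keeps, keyed by the unordered pair of endpoints, fed once with both directions of traffic and once with only the out-to-in leg that a firewall might mirror to an offline sensor. The inside prefix, addresses, ports and payloads are all constructed for the example.

```python
"""Added example (not from the original thread): a minimal stateful UDP
pseudo-session table, used to show why an offline IPS that only receives
the out-to-in direction cannot tell a solicited reply from an unsolicited
inbound packet. All addresses, ports and payloads are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_PREFIX = "10.0.0."  # assumed protected network for this example

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class UdpFlow:
    initiator: Endpoint
    responder: Endpoint
    pkts_from_initiator: int = 0
    pkts_from_responder: int = 0


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def direction(pkt: UdpPacket) -> str:
    """'in-to-out' when the packet leaves the protected network, else 'out-to-in'."""
    return "in-to-out" if is_inside(pkt.src) else "out-to-in"


class UdpFlowTable:
    """UDP has no handshake, so a stateful engine creates a pseudo-session on
    the first packet it sees and pairs later packets with it by endpoint pair."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[Endpoint, Endpoint], UdpFlow] = {}

    @staticmethod
    def key(pkt: UdpPacket) -> Tuple[Endpoint, Endpoint]:
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)  # same key for both directions

    def process(self, pkt: UdpPacket) -> str:
        k = self.key(pkt)
        flow = self.flows.get(k)
        if flow is None:
            flow = UdpFlow(initiator=(pkt.src, pkt.sport),
                           responder=(pkt.dst, pkt.dport), pkts_from_initiator=1)
            self.flows[k] = flow
            # First packet of a flow arriving from outside: nothing inside asked for it.
            return "new-unsolicited-inbound" if direction(pkt) == "out-to-in" else "new-outbound"
        if (pkt.src, pkt.sport) == flow.initiator:
            flow.pkts_from_initiator += 1
            return "continued"
        flow.pkts_from_responder += 1
        return "solicited-reply"


def run(feed: List[UdpPacket],
        directions_seen: Tuple[str, ...] = ("in-to-out", "out-to-in")) -> List[str]:
    """Replay packets through a fresh table. `directions_seen` models which
    directions the firewall forwards to an offline IPS; the rest never arrive."""
    table = UdpFlowTable()
    return [table.process(p) for p in feed if direction(p) in directions_seen]


# Constructed traffic: a DNS exchange initiated from inside, then an unsolicited
# SIP probe from a different outside host aimed at the same inside port.
DNS_QUERY = UdpPacket("10.0.0.5", 40000, "198.51.100.53", 53, b"\x12\x34 query")
DNS_REPLY = UdpPacket("198.51.100.53", 53, "10.0.0.5", 40000, b"\x12\x34 answer")
SIP_PROBE = UdpPacket("203.0.113.9", 5060, "10.0.0.5", 40000, b"OPTIONS sip:x SIP/2.0")
TRAFFIC = [DNS_QUERY, DNS_REPLY, SIP_PROBE]

if __name__ == "__main__":
    print("both directions:", run(TRAFFIC))
    print("out-to-in only: ", run(TRAFFIC, directions_seen=("out-to-in",)))
```

With both directions the table classifies the DNS answer as a solicited reply and the SIP probe as unsolicited; with only the out-to-in leg the DNS answer is the first packet the sensor sees for that endpoint pair and is indistinguishable from the probe, which is exactly the false positive (or missed context for any reply-side signature) that makes one-directional mirroring inadequate for a stateful engine.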
Current thread:
- Excluding the bulk of UDP from IPS processing - What's the impact? Bikram Gupta (Aug 26)
- RE: Excluding the bulk of UDP from IPS processing - What's the impact? Addepalli Srini-B22160 (Aug 26)
- Re: Excluding the bulk of UDP from IPS processing - What's the impact? Bikram Gupta (Aug 27)
- RE: Excluding the bulk of UDP from IPS processing - What's the impact? Addepalli Srini-B22160 (Aug 28)
- Re: Excluding the bulk of UDP from IPS processing - What's the impact? Bikram Gupta (Aug 27)
- Re: Excluding the bulk of UDP from IPS processing - What's the impact? Jamie Riden (Aug 26)
- Re: Excluding the bulk of UDP from IPS processing - What's the impact? Joel Jaeggli (Aug 26)
- RE: Excluding the bulk of UDP from IPS processing - What's the impact? Addepalli Srini-B22160 (Aug 26)