Re: [fw-wiz] Corporate H/N IPS
From: Crispin Cowan (crispin@wirex.com)
Date: 12/13/02
- Next message: Carson Gaspar: "Re: [fw-wiz] Corporate H/N IPS"
- Previous message: t: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- In reply to: Talisker: "[fw-wiz] Corporate H/N IPS"
- Next in thread: Carson Gaspar: "Re: [fw-wiz] Corporate H/N IPS"
- Reply: Carson Gaspar: "Re: [fw-wiz] Corporate H/N IPS"
- Reply: Talisker: "Re: [fw-wiz] Corporate H/N IPS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Crispin Cowan <crispin@wirex.com> To: Talisker <talisker@networkintrusion.co.uk> Date: Fri Dec 13 21:21:01 2002
Talisker wrote:
>Intrusion Prevention System (IPS). More proactive than the traditional
>IDS, they actively block traffic deemed as malicious, almost like a firewall
>but using IDS techniques to block an attack.
>
EXACTLY like a firewall, only they look at higher level application
protocols than classic packet filtering firewalls. I.e. they are exactly
like the older application proxy firewalls.
>Host IPS. A HIPS will block an attack aimed at the Host upon which it is
>situated. Previous names for a HIPS have included Network Node IDS (NNIDS)
>or personal firewall. To quote NSS:
>"It binds closely with the operating system kernel and services, monitoring
>and intercepting system calls to the kernel or APIs in order to prevent
>attacks".
>
Exactly like secure operating systems, or security-enhanced operating
systems. Again, there is nothing fundamentally new here, just that the
techniques have advanced. The technology has improved to provide faster,
finer-grained intrusion prevention (such as Type Enforcement access
control, and StackGuard and FormatGuard compiled-in defenses).
Unfortunately, marketeers are pushing new buzz-words, trying to convince
people that "host intrusion prevention" is somehow different from
secure operating systems.
>A HIPS should not be confused with a HIDS which looks at the host Event
>or Sys logs, though many HIPS incorporate HIDS and File Integrity Checking.
>Examples of HIPS are: Entercept and Intrusion's SHS (Stormwatch)
>
True: "intrusion detection" is what you call it when your detector is so
slow or imprecise that it cannot be used for prevention.
>Network IPS. What used to be called an inline IDS: it's an IDS with 2
>interfaces, and it will block those packets that trigger the criteria laid
>down by the IDS. Examples: TippingPoint UnityOne and RealSecure Guard
>
What used to be called a proxy firewall, such as the Firewall Toolkit,
or the Raptor firewall.
>I'm looking for a good starting place and therefore looking for lists
>containing HIPS and NIPS to start me off on the research, in return I will
>collate all the information and feed a summary back into the list.
>
Please include the Immunix Secure OS, which is a linux system protected
with an arsenal of intrusion prevention systems.
Also please consider deprecating the term "intrusion prevention" as
marketing hype. NIPS ::= firewall, and HIPS ::= secure OS.
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                        Just say ".Nyet"
- application/pgp-signature attachment: stored
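The NSS definition quoted in the thread ("intercepting system calls to the kernel ... in order to prevent attacks") is the mechanism the Linux kernel later exposed as seccomp-bpf (filter mode, Linux 3.5, 2012, so it postdates this 2002 exchange). The program below is an added example, not code from the original post or from WireX/Immunix: it installs a kernel-enforced policy that refuses execve() with EPERM, so a process that has been taken over cannot spawn a shell, while every other system call proceeds. It assumes Linux with glibc headers; the "/bin/sh" path is only a probe and is refused before any path lookup happens.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example: pick the AUDIT_ARCH value for the ABI we were compiled for. */
#if defined(__x86_64__)
#  define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a process-wide policy: every syscall is allowed except execve(),
 * which the kernel refuses with EPERM before the syscall body runs.
 * A syscall made under a different ABI (e.g. 32-bit compat calls on x86_64)
 * is killed outright, so the syscall-number check cannot be bypassed. */
int install_no_exec_policy(void)
{
    struct sock_filter filter[] = {
        /* [0] load the architecture the syscall was made under */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        /* [1] expected ABI? skip the kill rule; otherwise fall through to it */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0),
        /* [2] wrong ABI: kill the process */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* [3] load the syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* [4] execve? fall through to the deny rule; otherwise skip it */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 1),
        /* [5] deny: the caller sees -1 with errno == EPERM */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* [6] everything else proceeds normally */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required for unprivileged callers: no setuid escalation after this. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Try to spawn a shell the way injected shellcode would. Returns the errno
 * the kernel reported (EPERM under the policy). Only call this after the
 * policy is installed: without it, execve() would replace this process. */
int probe_execve_denied(void)
{
    char *argv[] = { "/bin/sh", "-c", "id", NULL };
    char *envp[] = { NULL };
    if (execve("/bin/sh", argv, envp) == 0)
        return 0; /* unreachable while the policy is active */
    return errno;
}

/* An unrelated syscall still works, showing the policy is selective. */
long probe_allowed_syscall(void)
{
    return (long)getpid();
}

int main(void)
{
    if (install_no_exec_policy() != 0) {
        perror("seccomp");
        return 1;
    }
    int err = probe_execve_denied();
    printf("execve blocked: errno=%d (%s); getpid() still works: %ld\n",
           err, err == EPERM ? "EPERM" : "other", probe_allowed_syscall());
    return 0;
}
```

The filter is inherited across fork() and cannot be removed by the process once installed, which is the property that makes it prevention rather than detection: the decision is made in the kernel at syscall entry, before the attacker's code gets to run the call. A real policy would be an allow-list of the syscalls the service needs rather than a single deny rule.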