Re: IPS (was: [fw-wiz] Sources for Extranet Designs?)
From: Gary Flynn (flynngn_at_jmu.edu)
Date: 02/28/04
- Previous message: Chris Blask: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)"
- In reply to: Christopher Lee: "RE: IPS (was: [fw-wiz] Sources for Extranet Designs?)"
- Next in thread: Don Parker: "RE: [fw-wiz] Sources for Extranet Designs?"
To: firewall-wizards@honor.icsalabs.com Date: Fri, 27 Feb 2004 20:35:42 -0500
Christopher Lee wrote:
>I think the phrase "useless" could be a little harsh in this case, consider
>what IPS has been expected to do (not what Mr. Stiennon has defined)...
>IPS has pretty much been expected to weed out the known bad traffic on
>your network, such as controlling/compartmenting the spreading of viruses. In
>that scenario, it is not difficult for someone to code up a signature that
>looks for these types of behaviour in a sequence of packets, which requires
>no "real" packet/session reassembly. This approach, in my own humble
>opinion, is no different than how most AV software looks for malware (not
>viruses, which attach themselves to "any" executables) these days.
>Obviously, this approach has its own shortcomings (just ask the Exchange
>administrators who lost their information store database to poorly
>configured AV software).
>
Kind of a side note to your example:
Virus handling is best done on a device that proxies an actual SMTP
server. If you block or drop an SMTP session at a lower layer in the
middle of an SMTP transaction due to one message containing a virus,
it may queue up on the sending mail server and block all messages
behind it for quite a while.
Also, and I speak from experience, if you drop worm-carrying packets
with an IDP when they're coming in hot and heavy, you better send a reset
to the server to tear down the session or the number of open SMTP
sessions will do bad things to the server. :)
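Added example (not from the thread): a small Python model of the queue effect described above, contrasting an SMTP-aware proxy that answers the infected message with a permanent 5xx reject against a packet-level device that silently drops the session. All timings are constructed for illustration; real MTA values vary.

```python
from collections import deque

# Constructed timings in seconds (illustrative only, not measured values).
XFER = 2             # time to transfer one message once the session is up
STALL_TIMEOUT = 300  # how long the sender waits on a session that went silent
RETRY_AFTER = 900    # how long a deferred message waits before the next attempt


def deliver_queue(messages, infected, policy, passes=2):
    """Simulate a sending MTA draining its queue for one destination.

    messages: list of message ids in queue order.
    infected: set of ids an inline device will not let through.
    policy:   "proxy" -> an SMTP proxy rejects the infected message with a
                         permanent 5xx, so the sender bounces it and moves on.
              "drop"  -> a packet-level device silently drops the session, so
                         the sender times out, defers the message and retries
                         it on the next pass, with everything behind it waiting.
    Returns (finish_time_by_message, attempts_by_message); a message that is
    never delivered or rejected has no finish time.
    """
    queue = deque(messages)
    clock = 0
    finished, attempts = {}, {m: 0 for m in messages}
    for _ in range(passes):
        deferred = []
        while queue:
            msg = queue.popleft()
            attempts[msg] += 1
            if msg not in infected:
                clock += XFER
                finished[msg] = clock
            elif policy == "proxy":
                clock += XFER
                finished[msg] = clock     # 5xx: bounced, leaves the queue
            elif policy == "drop":
                clock += STALL_TIMEOUT    # everything behind it waits this long
                deferred.append(msg)      # stays queued for another attempt
            else:
                raise ValueError("unknown policy: %s" % policy)
        if not deferred:
            break
        clock += RETRY_AFTER
        queue.extend(deferred)
    return finished, attempts


if __name__ == "__main__":
    for pol in ("proxy", "drop"):
        print(pol, deliver_queue(["m1", "m2", "m3"], {"m2"}, pol))
```

With the "drop" policy the clean message behind the infected one only completes after the sender's stall timeout, and the infected message is still in the queue after every pass.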
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards