RE: Changes in IDS Companies?
From: Mike Shaw (mshaw@wwisp.com) Date: 10/18/02
- Previous message: scottw@cylant.com: "Re: Changes in IDS Companies?"
- In reply to: Oliver Petruzel: "RE: Changes in IDS Companies?"
- Next in thread: Frank Knobbe: "Re: Changes in IDS Companies?"
Date: Fri, 18 Oct 2002 09:56:38 -0500
To: <focus-ids@securityfocus.com>
From: Mike Shaw <mshaw@wwisp.com>
At 01:02 PM 10/17/2002 -0400, Oliver Petruzel wrote:
>One problem that I'm seeing is a lack of understanding of IPS and its
>true definition. IMNSHO, there must always be the 'H', as in 'HIPS'.
>
>There cannot be an "inline", or NIPS, which will be very effective, due
>to encryption on the wire. The IPS systems MUST be placed at the host.
>Anything else is truly just old NIDS technology sending traps on
>"obvious" attacks.
I disagree. You're assuming the only type of NIDS rules are signature
based, and that all NIDS is high up in OSI. But there are some very
effective intuitive NIDS things.
For instance, put a rule in that fires when your database server attempts
to contact any outside destination. Sure, the firewall will (should) stop
this, but what if an intruder has figured out a way through the
firewall? Put a rule in that fires when the database server makes *any*
suspicious/unexpected connection to internal boxes as well.
This is just one thing off the top of my head. If all you're doing is
loading a bunch of signatures written off-site, then you have a pretty weak
IDS strategy and your IPS strategy will cause more headaches than
anything. A good strategy must involve custom rules written for the
environment. IMO these custom rules are where IPS should reside.
-Mike
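The database-server rule Mike describes, written out as detection logic over connection records; this is an added example, not code from the original post, and the addresses, allowed peers and sample flows are constructed for a hypothetical environment.

```python
import ipaddress

# Constructed environment policy (assumption; the post names no addresses).
DB_SERVERS = {ipaddress.ip_address("10.0.5.20")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Internal (host, port) pairs the database server is expected to reach,
# e.g. a backup host over SSH and a log collector over syslog.
ALLOWED_INTERNAL = {
    (ipaddress.ip_address("10.0.9.10"), 22),
    (ipaddress.ip_address("10.0.9.11"), 514),
}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(record):
    """Return an alert string for one flow record, or None.

    record: "src,sport,dst,dport,proto" for a connection *initiated* by src.
    The sensor must record the initiating (SYN) direction; otherwise the
    server's replies to inbound clients look like the database calling out.
    The first check is what a Snort-style rule such as
      alert tcp $DB_SERVERS any -> !$HOME_NET any (msg:"DB outbound"; flags:S; sid:1000001; rev:1;)
    would express; the second needs the site-specific allowlist above.
    """
    src, _sport, dst, dport, proto = record.split(",")
    src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    if src not in DB_SERVERS:
        return None  # only connections the database server starts matter here
    if not is_internal(dst):
        return f"DB server {src} initiated outbound {proto}/{dport} to {dst}"
    if (dst, dport) not in ALLOWED_INTERNAL:
        return f"DB server {src} made unexpected internal {proto}/{dport} to {dst}"
    return None


def scan(records):
    return [alert for alert in map(check_flow, records) if alert]


# Constructed sample flow records, not captured traffic.
SAMPLE_FLOWS = [
    "10.0.5.20,34512,203.0.113.7,443,tcp",   # database calling an outside host
    "10.0.5.20,40001,10.0.9.10,22,tcp",      # expected backup job
    "10.0.5.20,40002,10.0.7.33,445,tcp",     # unexpected SMB to a workstation subnet
    "10.0.2.15,51000,10.0.5.20,3306,tcp",    # normal client query, ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

The allowlist is the "custom rules written for the environment" part: the same code is useless with a generic list, which is the point the reply makes.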