Re: Re: Changes in IDS Companies?
From: Proxy Administrator (proxyadmin@rediffmail.com)
Date: 11/01/02
- Previous message: Kohlenberg, Toby: "RE: Changes in IDS Companies?"
- Next in thread: Proxy Administrator: "Re: Re: Changes in IDS Companies?"
- Reply: Proxy Administrator: "Re: Re: Changes in IDS Companies?"
Date: 1 Nov 2002 11:30:58 -0000
From: "Proxy Administrator" <proxyadmin@rediffmail.com>
To: "Shaiful" <shaifuljahari@yahoo.com>
Hi,
Maybe I was not able to express myself clearly. I was not picking
on the terminology, I was trying to say that an inline NIDS cannot
become a NIPS.
Let's consider systrace. It does not "detect" intrusions as such,
but it does go a long way in preventing intrusions. This would
make it different from other host IDS (or IPS), which detect
intrusions and by virtue of being inline (system call wrappers,
etc) are able to prevent intrusions. Hope I was clearer this time
around, but I'm not sure if I could convey what I wanted to say
;-)
I am just concerned that we might be passing an IDS off as an
IPS.
Regards,
Proxy Administrator
On Fri, 01 Nov 2002 Shaiful wrote :
>Hi all,
>
>If systrace is like HIPS, so hogwash and the gangs are
>really NIPS. If you have a modified IDS or hogwash
>in-line it is basically a forwarding device with two
>network cards. You don't have to send RST since you
>can drop packets in between the cards. IMHO, any
>firewall can easily be converted to NIPS since you
>passed all the packets and it is up to you to decide
>whether your rules are based on the IP header alone or the
>packet content as well. Take for example, the
>Drawbridge packet filter from TAMU which is open
>source and already available for a few years. Nobody
>bothers to write the extension for the application
>filtering until recently the pf author adopted the
>Drawbridge idea to build the new generation firewall
>for OpenBSD.
>
>IMHO, if we keep arguing about the terminology, we
>will never really benefit the security community.
>Since everybody seems to agree IPS is good security
>technology, why not concentrate on making it a more robust
>and reliable technology with faster performance. We
>already have problems with NIDS performance and I
>presume we will have more performance problems with
>NIPS.
>
>My two cents,
>
>Regards,
>Shaiful Hashim
>Universiti Putra Malaysia
>
>--- Proxy Administrator <proxyadmin@rediffmail.com>
>wrote:
> > Hi,
> >
> > I read a lot of messages which say putting an IDS
> > inline would
> > convert it into an Intrusion Prevention System or
> > something to
> > that effect. This would be true to a certain extent.
> > Putting it
> > inline would make sure that you see all the packets,
> > so you
> > wouldn't miss any attack that it *could* detect.
> > Basically, the
> > solution that is being propagated here is an IDS
> > which is going to
> > take action by resetting connections, blocking IP
> > addresses etc.
> > Still not an actual IPS.
> > I would think that something like "systrace"
> > qualifies as an
> > Intrusion Prevention solution more than an inline
> > IDS. We set
> > rules as to how a privileged process is supposed to
> > behave and
> > anything out of the ordinary would not be allowed.
> > That seems more
> > like Intrusion Prevention than the other solutions,
> > which are
> > detecting intrusions and dropping connections.
> > While "systrace" would in my opinion qualify as a
> > host-based
> > intrusion prevention system, something similar would
> > be needed to
> > qualify as NIPS.
> >
> > Regards,
> >
> > Proxy Administrator
> >
> >
>
>
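To make concrete the host-based model this thread is describing (rules for how a privileged process may behave, with everything else refused), here is an illustrative systrace policy added here; it is not code from any poster. The daemon path `/usr/local/sbin/exampled`, its config and log file names and its port are assumptions, but the policy syntax is systrace's own.

```text
# Illustrative systrace policy for a hypothetical daemon (constructed example).
# Rules are matched top-down; a system call that matches no rule is denied.
Policy: /usr/local/sbin/exampled, Emulation: native
	# housekeeping calls every native process needs
	native-__sysctl: permit
	native-mmap: permit
	native-munmap: permit
	native-mprotect: permit
	native-break: permit
	native-read: permit
	native-write: permit
	native-close: permit
	native-fstat: permit
	native-sigaction: permit
	native-exit: permit
	# file system: only the daemon's own config and libraries are readable
	native-fsread: filename eq "/etc/exampled.conf" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	# refuse the password file explicitly, reporting "no such file"
	native-fsread: filename eq "/etc/passwd" then deny[enoent]
	# the only writable location is the daemon's log
	native-fswrite: filename match "/var/log/exampled*" then permit
	# networking: one TCP listener on the service port, nothing else
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
	native-bind: sockaddr match "inet-*:8080" then permit
	# a compromised daemon may not spawn other programs
	native-execve: deny
```

Because the policy enumerates permitted behaviour rather than known-bad patterns, an exploit that makes the daemon write outside its log or exec a shell is stopped without any signature for that exploit, which is the distinction the poster draws between prevention and detection-plus-reaction.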