H/N IPS -what is there?

From: Talisker (talisker@networkintrusion.co.uk)
Date: 12/11/02

    From: "Talisker" <talisker@networkintrusion.co.uk>
    To: <focus-ids@securityfocus.com>
    Date: Wed, 11 Dec 2002 22:09:31 -0000
    
    

    Hi,
    I posted this a few days back on fw-wiz but it never appeared. If it does,
    please accept my apologies for cross-posting; with the current thread on
    Prevention Systems it seemed appropriate.

    It's that time when I need to seriously look at updating the site.
    http://www.networkintrusion.co.uk
    Two new categories will be Host and Network Intrusion Prevention Systems, or
    to be more precise Corporate IPS.

    Firstly the definitions; by Corporate I mean that they can be managed
    remotely and they will report into a central console, i.e. not just the local
    host.

    Intrusion Prevention System (IPS). More proactive than the traditional
    IDS, they actively block traffic deemed as malicious, almost like a firewall
    but using IDS techniques to block an attack.

    Host IPS. A HIPS will block an attack aimed at the Host upon which it is
    situated; previous names for a HIPS have included Network Node IDS (NNIDS)
    or personal firewall. To quote NSS:
    "It binds closely with the operating system kernel and services, monitoring
    and intercepting system calls to the kernel or APIs in order to prevent
    attacks".
    A HIPS should not be confused with a HIDS, which looks at the host Event
    or Sys logs, though many HIPS incorporate HIDS and File Integrity Checking.
    Examples of HIPS are: Entercept and Intrusion's SHS (Stormwatch).

    Network IPS. What used to be called an inline IDS: it's an IDS with 2
    interfaces, and it will block those packets that trigger the criteria laid down
    by the IDS. Examples: TippingPoint UnityOne and RealSecure Guard.

    I'm hoping to get the pages up with a general overhaul over Christmas, my
    real job is keeping me too busy these days, so many incidents, so little
    time!

    I'm looking for a good starting place and therefore looking for lists
    containing HIPS and NIPS to start me off on the research, in return I will
    collate all the information and feed a summary back into the list.

    Bibliography: NSS http://www.nss.co.uk who have just published a review on
    gigabit IDS

    take care, and cheers for any time you can spare
    -andy
    Taliskers Network Security Tools
    http://www.networkintrusion.co.uk
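The passive-IDS versus inline-NIPS distinction drawn in the post above, as an added example that is not part of the original message or of any product it names: a simulated two-interface sensor that applies the same signature criteria in both modes, but only forwards offending packets in IDS mode. The packets and the two signature rules are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed sample "packets" (not real captures): source, destination, payload.
@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

# A signature is a name plus a predicate over the packet. These two rules are
# hypothetical, written only for this example, not from any real IDS ruleset.
Signature = Tuple[str, Callable[[Packet], bool]]
SIGNATURES: List[Signature] = [
    ("directory traversal in URI", lambda p: b"../" in p.payload),
    ("oversized request line", lambda p: len(p.payload) > 512),
]

SAMPLE_TRAFFIC: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.80", b"GET /index.html HTTP/1.0"),
    Packet("10.0.0.9", "10.0.0.80", b"GET /../../etc/passwd HTTP/1.0"),
    Packet("10.0.0.9", "10.0.0.80", b"GET /" + b"A" * 600 + b" HTTP/1.0"),
]

@dataclass
class Sensor:
    """One sensor sitting between two interfaces (ingress -> egress).
    inline=False: classic IDS, alert on a match but always forward.
    inline=True:  NIPS, alert on a match and drop the packet instead."""
    inline: bool
    alerts: List[str] = field(default_factory=list)
    egress: List[Packet] = field(default_factory=list)   # what leaves the 2nd interface

    def process(self, pkt: Packet) -> bool:
        """Apply every signature; return True if the packet was forwarded."""
        hits = [name for name, match in SIGNATURES if match(pkt)]
        for name in hits:
            self.alerts.append(f"{name}: {pkt.src} -> {pkt.dst}")
        if hits and self.inline:
            return False            # prevention: packet never reaches egress
        self.egress.append(pkt)     # detection only (or clean traffic): forward
        return True

def run(inline: bool) -> Sensor:
    """Push the constructed traffic through a sensor in the chosen mode."""
    sensor = Sensor(inline=inline)
    for pkt in SAMPLE_TRAFFIC:
        sensor.process(pkt)
    return sensor
```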


