Re: Network IDS

From: Frank Knobbe (frank_at_knobbe.us)
Date: 08/28/03

  • Next message: Mark Teicher: "Re: Network IDS"
    To: Mark Teicher <mht3@earthlink.net>
    Date: Thu, 28 Aug 2003 11:18:26 -0500

    On Thu, 2003-08-28 at 06:15, Mark Teicher wrote:
    > Again off the beaten path, your description below is a HoneyPot, not an IPS

    > At 01:15 PM 8/27/2003, Frank Knobbe wrote:
    > >Another idea you could use this for is automated containment of
    > >intrusions. Yeah, your box may be hacked by the time the IDS analyzes
    > >the packet, but the reaction (i.e. firewall config) can be done to
    > >automatically isolate that box so that the hacker can't get in or worms
    > >break out. Same thing you would do by hand, except the IDS does it for
    > >you much faster and at 4am when you're not there.

    Howdy Mark,

    I'm not sure that this fits a honeypot exactly. Honeypots' (and I'm sure
    Lance will correct me quickly where I'm wrong ;) main or original
    purpose was to detect unauthorized happenings, and in some cases maybe
    even attract them or, through sheer presence, distract from the real
    jewels. It is more focused on identifying the attacker, not protecting
    the host it is installed on (though through its installation it is
    protecting the network....)

    There are some tools, like Bait'n'Switch, that will actually protect
    networks by rerouting/blocking an intruder that puts his fingers into the
    honeypot. Other solutions are more host-based (i.e. HIPS), but I haven't
    seen a lot of network-based solutions aimed at identifying and isolating
    hacked systems. But again, when talking about these technologies, we're
    getting off the path we're on. I just doubt that we are on a honeypot
    path.

    Cheers,
    Frank
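The automated containment described in the quoted paragraph (an IDS alert triggers a firewall change that cuts the hacked box off so the attacker can't get back in and worms can't spread), as an added example in working code; it is not part of the original thread and not the code of any tool mentioned in it. It assumes Snort-style "fast" alert lines (the sample lines are constructed, not captured), a hypothetical site policy (which networks may be isolated, a never-isolate list, and which signature IDs mean the source host is compromised), and pf-style rule syntax for the output. Pushing the generated rules to the firewall is left out.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Union

# Constructed sample alerts in the style of Snort's "fast" alert output.
# They are made up for this example and were not captured from a real sensor.
SAMPLE_ALERTS = [
    "08/28-04:02:11.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Priority: 2] {UDP} 10.1.2.3:1434 -> 192.0.2.77:1434",
    "08/28-04:02:12.001000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Priority: 2] {UDP} 10.1.2.3:1434 -> 198.51.100.5:1434",
    "08/28-04:03:40.500000  [**] [1:1411:10] SNMP public access udp [**] "
    "[Priority: 2] {UDP} 203.0.113.9:3003 -> 10.1.2.50:161",
    "08/28-04:05:02.250000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Priority: 2] {UDP} 10.1.0.1:1434 -> 192.0.2.8:1434",
]

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Hypothetical site policy, chosen for this example.
PROTECTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]   # hosts we are allowed to isolate
NEVER_ISOLATE = {ipaddress.ip_address("10.1.0.1")}       # gateway: cutting it off is a self-DoS
CONTAINMENT_SIDS = {2003}                                # signatures meaning "the SOURCE host is owned"


def parse_alert(line: str) -> Optional[Dict[str, Union[int, str]]]:
    """Pull the fields a containment decision needs out of one alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "priority": int(m.group("prio")),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def is_protected(ip: ipaddress.IPv4Address) -> bool:
    """True if the address belongs to a network we own and may isolate."""
    return any(ip in net for net in PROTECTED_NETS)


def decide(alert: Dict[str, Union[int, str]]) -> Optional[str]:
    """Return the address of an internal host to isolate, or None.

    Only the SOURCE of a propagation signature is treated as compromised,
    and only if it is ours: an outside source address can be spoofed, so
    reacting to it would let an attacker make us firewall arbitrary hosts.
    """
    if alert["sid"] not in CONTAINMENT_SIDS:
        return None
    src = ipaddress.ip_address(str(alert["src"]))
    if not is_protected(src) or src in NEVER_ISOLATE:
        return None
    return str(src)


def isolation_rules(host: str) -> List[str]:
    """pf-style rules that cut the host off in both directions."""
    return [
        f"block drop quick from {host} to any",
        f"block drop quick from any to {host}",
    ]


def contain(lines: List[str]) -> List[str]:
    """Turn a stream of alert lines into the firewall rules to push."""
    rules: List[str] = []
    isolated = set()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        host = decide(alert)
        if host is None or host in isolated:
            continue  # no action warranted, or this host is already cut off
        isolated.add(host)
        rules.extend(isolation_rules(host))
    return rules


if __name__ == "__main__":
    for rule in contain(SAMPLE_ALERTS):
        print(rule)
```

Run against the sample lines, only 10.1.2.3 is isolated: the second alert from it is deduplicated, the SNMP probe has an outside source and is not a containment signature, and the gateway is on the never-isolate list. Those two guards (act only on hosts we own as the source, and never on infrastructure addresses) are what keep an automated reaction from being turned into a denial of service by someone who can spoof packets past the sensor.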
