RE: Top IPS vendors - please read for invitation to Network World review.
From: Bob Walder (bwalder_at_spamcop.net)
Date: 08/29/03
- Previous message: Stephen P. Berry: "Re: Network IDS"
To: "'Mark Teicher'" <mht3@earthlink.net>, "'Zach Forsyth'" <Zach.Forsyth@kiandra.com>, "'Paul Schmehl'" <pauls@utdallas.edu>, <focus-ids@securityfocus.com>, <seth.knox@sygate.com>
Date: Fri, 29 Aug 2003 11:14:26 +0200
That is exactly what an IPS product should NOT consist of.

And that is where *I* believe there is room for a distinction - not just a marketing one - between IDS and IPS.

A true IPS product (true in the sense that it complies with the requirements to belong to this new little sub-group of security products, which may have been defined by techies or may have been defined by marketing guys, but who really cares? See where I am coming from on this? Who cares? As long as it does the job....) will work in-line and drop packets/connections as soon as the suspicious traffic is detected (with some additional intelligence to take care of things like SMTP servers retrying forever, which was mentioned earlier in these threads - they are not THAT stupid!).

TCP Resets and ICMP Unreachable packets and reconfiguring firewalls do *NOT* constitute IPS IMHO - they are the best stab that a passive IDS device can make at mitigating potential damage.
Regards,
Bob Walder
The NSS Group
www.nss.co.uk
>> -----Original Message-----
>> From: Mark Teicher [mailto:mht3@earthlink.net]
>> Sent: 28 August 2003 07:40
>> To: Zach Forsyth; Paul Schmehl; focus-ids@securityfocus.com;
>> seth.knox@sygate.com
>> Subject: RE: Top IPS vendors - please read for invitation to
>> Network World review.
>>
>>
>> Zach,
>>
>> You are exactly correct, PREVENTION is key to the technology. Most IPS
>> products that are available today have an underlying IDS piece with some
>> basic PREVENTION functionality (i.e. TCP SNIPE, TCP RESET), but not enough
>> PREVENTION to fully analyze the transaction. IPS are not easily applicable
>> to SAP based applications.
>>
>> /mark
>>
>> At 10:36 PM 8/27/2003, Zach Forsyth wrote:
>>
>> > >-----Original Message-----
>> > >From: Mark Teicher [mailto:mht3@earthlink.net]
>> > >Sent: Wednesday, 27 August 2003 22:30 PM
>> > >To: Paul Schmehl; focus-ids@securityfocus.com; seth.knox@sygate.com
>> > >Subject: Re: Top IPS vendors - please read for invitation to Network World review.
>> > >
>> > >The real question I have is what defines an IPS product versus an IDS..
>> > >IDS is obvious, but IPS, it is a very tough definition
>> >
>> >Intrusion DETECTION system
>> >
>> >Intrusion PREVENTION system
>> >
>> >Seems fairly fundamental to me...I think I know what you are trying to
>> >say though, keep referring back to the word prevention :)
>>
>>
>> ---------------------------------------------------------------------------
>> Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
>> October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
>> technical IT security event. Modeled after the famous Black Hat event in
>> Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
>> Symantec is the Diamond sponsor. Early-bird registration ends September 6.
>> Visit: www.blackhat.com
>> ---------------------------------------------------------------------------
>>
>>
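To make the distinction Bob draws concrete, here is an added illustration that is not part of the thread and is not code from The NSS Group or any vendor: a toy Python model of a passive sensor that sees a copy of the traffic and can only send a reset after the fact, next to an in-line device that drops a matching packet before it is forwarded, remembers the blocked flow so retries are dropped too, and (for the SMTP-retry case mentioned above) answers the sender with a refusal so it stops retrying. The signature, the ports, the flow tuples and the "refuse on retry-prone ports" policy are all constructed assumptions for the example.

```python
# Added illustration (not from the thread): toy model of in-line drop versus
# out-of-band reset. Signatures, ports and flow tuples are constructed.
from dataclasses import dataclass

# Constructed signature: the byte pattern the sensor treats as hostile.
SIGNATURE = b"EVIL"

# Constructed policy: ports on which a silent drop is known to make the
# sender retry indefinitely (the SMTP case raised in the thread), so the
# in-line device answers with an explicit refusal instead of just dropping.
RETRY_PRONE_PORTS = {25}


@dataclass(frozen=True)
class Packet:
    flow: tuple      # (src, dst, dport): constructed stand-in for a 5-tuple
    payload: bytes


class Server:
    """The protected host: records every payload that actually reaches it."""
    def __init__(self):
        self.received = []

    def deliver(self, pkt):
        self.received.append(pkt.payload)


def passive_ids(packets, server):
    """Out-of-band sensor (span port / tap).

    The sensor only sees a copy of each packet; the original is forwarded
    regardless. On a match the best it can do is emit a TCP reset or ICMP
    unreachable for the flow, which arrives only after the hostile payload
    has already been delivered.
    """
    resets = []
    for pkt in packets:
        server.deliver(pkt)              # original is already on its way
        if SIGNATURE in pkt.payload:
            resets.append(pkt.flow)      # after-the-fact mitigation
    return resets


def inline_ips(packets, server):
    """In-path device: a packet is forwarded only if it is not dropped.

    A matching packet never reaches the server. The flow is remembered so
    that retransmissions and retries are dropped as well; for retry-prone
    services the device also refuses the sender so it gives up instead of
    looping forever.
    """
    blocked = set()
    actions = []
    for pkt in packets:
        if pkt.flow in blocked:
            actions.append(("drop-retry", pkt.flow))
            continue
        if SIGNATURE in pkt.payload:
            blocked.add(pkt.flow)
            verdict = "drop+refuse" if pkt.flow[2] in RETRY_PRONE_PORTS else "drop"
            actions.append((verdict, pkt.flow))
            continue
        server.deliver(pkt)              # clean traffic passes through
    return actions


# Constructed traffic: a clean HTTP request, a hostile HTTP request, a
# hostile SMTP message and the SMTP sender's retry on the same flow.
WEB = ("10.0.0.5", "10.0.0.80", 80)
MAIL = ("10.0.0.9", "10.0.0.25", 25)
TRAFFIC = [
    Packet(WEB, b"GET /index.html"),
    Packet(WEB, b"GET /EVIL"),
    Packet(MAIL, b"DATA EVIL"),
    Packet(MAIL, b"DATA EVIL"),   # retry after the first attempt got no answer
]


def run_demo():
    """Run both models over the same traffic and report what each server saw."""
    passive_server, inline_server = Server(), Server()
    resets = passive_ids(TRAFFIC, passive_server)
    actions = inline_ips(TRAFFIC, inline_server)
    return {
        "passive_received": passive_server.received,
        "passive_resets": resets,
        "inline_received": inline_server.received,
        "inline_actions": actions,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The model deliberately ignores how a reset is built; the point it makes is only about ordering. Because the passive sensor acts on a copy, the hostile payload is already in `passive_received` by the time a reset could be issued, so the reset can at most shorten the rest of the session. The in-line path is the only one where the payload is absent from what the server received, and the per-flow `blocked` set plus the explicit refusal on port 25 is the "additional intelligence" needed so that a silent drop does not simply turn into an endless retry loop.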