RE: Top IPS vendors - please read for invitation to Network World review.

From: Bob Walder (bwalder_at_spamcop.net)
Date: 08/29/03

  • Next message: Daniel Cid: "Re: Top IPS vendors - please read for invitation to Network World review."
    To: "'Mark Teicher'" <mht3@earthlink.net>, "'Zach Forsyth'" <Zach.Forsyth@kiandra.com>, "'Paul Schmehl'" <pauls@utdallas.edu>, <focus-ids@securityfocus.com>, <seth.knox@sygate.com>
    Date: Fri, 29 Aug 2003 11:14:26 +0200
    
    

    That is exactly what an IPS product should NOT consist of.

    And that is where *I* believe there is room for a distinction - not just
    a marketing one - between IDS and IPS.

    A true IPS product (true in the sense that it complies with the
    requirements to belong to this new little sub-group of security products
    which may have been defined by techies or may have been defined by
    marketing guys but who really cares? See where I am coming from on this?
    Who cares? As long as it does the job....) will work in-line and drop
    packets/connections immediately the suspicious traffic is detected (with
    some additional intelligence to take care of things like SMTP servers
    retrying forever, which was mentioned earlier in these threads - they
    are not THAT stupid!)

    TCP Resets and ICMP Unreachable packets and reconfiguring firewalls do
    *NOT* constitute IPS IMHO - they are the best stab that a passive IDS
    device can make at mitigating potential damage.

    Regards,

    Bob Walder
    The NSS Group

    www.nss.co.uk

    >> -----Original Message-----
    >> From: Mark Teicher [mailto:mht3@earthlink.net]
    >> Sent: 28 August 2003 07:40
    >> To: Zach Forsyth; Paul Schmehl; focus-ids@securityfocus.com;
    >> seth.knox@sygate.com
    >> Subject: RE: Top IPS vendors - please read for invitation to
    >> Network World review.
    >>
    >>
    >> Zach,
    >>
    >> You are exactly correct, PREVENTION is key to the
    >> technology, most IPS
    >> products that are available today have an underlying IDS
    >> piece with some
    >> basic PREVENTION functionality (i.e. TCP SNIPE, TCP RESET),
    >> but not enough
    >> PREVENTION to fully analyze the transaction. IPS are not
    >> easily applicable
    >> to SAP based applications..
    >>
    >> /mark
    >>
    >> At 10:36 PM 8/27/2003, Zach Forsyth wrote:
    >>
    >> > >-----Original Message-----
    >> > >From: Mark Teicher [mailto:mht3@earthlink.net]
    >> > >Sent: Wednesday, 27 August 2003 22:30 PM
    >> > >To: Paul Schmehl; focus-ids@securityfocus.com;
    >> seth.knox@sygate.com
    >> > >Subject: Re: Top IPS vendors - please read for invitation
    >> to Network
    >> >World review.
    >> > >
    >> > >
    >> > >The real question I have is what defines an IPS product versus an
    >> > >IDS..
    >> >IDS
    >> > >is obvious, but IPS, it is a very tough definition
    >> >
    >> >Intrusion DETECTION system
    >> >
    >> >Intrusion PREVENTION system
    >> >
    >> >Seems fairly fundamental to me...I think I know what you
    >> are trying to
    >> >say though, keep referring back to the word prevention :)
    >>
    >>
    >> -------------------------------------------------------------
    >> --------------
    >> Attend Black Hat Briefings & Training Federal, September
    >> 29-30 (Training), October 1-2 (Briefings) in Tysons Corner,
    >> VA; the world’s premier
    >> technical IT security event. Modeled after the famous Black
    >> Hat event in
    >> Las Vegas! 6 tracks, 12 training sessions, top speakers and
    >> sponsors.
    >> Symantec is the Diamond sponsor. Early-bird registration
    >> ends September 6 Visit: www.blackhat.com
    >> -------------------------------------------------------------
    >> --------------
    >>
    >>
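The in-line versus passive distinction Bob draws above, as an added Python simulation that is not part of this thread or of any product it mentions. It models two deployments of the same detection rule: an in-line device that sees every packet before the host does and drops the flow, and a passive sensor on a tap that can only send a TCP reset after the host has already received the packet. The `EVIL` byte pattern, the `Host` class, the RFC 5737 addresses and the traffic in `sample_packets()` are all constructed for the demo and stand in for a real signature, a real TCP stack and real traffic.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample rule: this byte pattern stands in for whatever signature
# or anomaly check a real sensor would apply. It is an assumption of the demo.
SUSPICIOUS_PATTERN = b"EVIL"
Flow = Tuple[str, str]  # (source, destination) labels, constructed


@dataclass(frozen=True)
class Packet:
    flow: Flow
    seq: int
    payload: bytes


def is_suspicious(pkt: Packet) -> bool:
    """Detection step shared by both deployment models."""
    return SUSPICIOUS_PATTERN in pkt.payload


class Host:
    """Simplified protected host: once a flow has been reset it ignores
    later packets on that flow (a stand-in for TCP connection teardown)."""

    def __init__(self) -> None:
        self.delivered: List[Packet] = []
        self.reset_flows: Set[Flow] = set()

    def receive(self, pkt: Packet) -> bool:
        if pkt.flow in self.reset_flows:
            return False
        self.delivered.append(pkt)
        return True

    def reset(self, flow: Flow) -> None:
        self.reset_flows.add(flow)


def simulate_inline(packets: List[Packet]) -> Tuple[List[bytes], int]:
    """In-line IPS: every packet passes through the device before the host
    sees it. A suspicious packet is dropped and its flow is blocked, so
    nothing further from that flow reaches the host."""
    host = Host()
    blocked: Set[Flow] = set()
    dropped = 0
    for pkt in packets:
        if pkt.flow in blocked or is_suspicious(pkt):
            blocked.add(pkt.flow)
            dropped += 1
            continue  # the packet never leaves the IPS
        host.receive(pkt)
    return [p.payload for p in host.delivered], dropped


def simulate_passive(packets: List[Packet]) -> Tuple[List[bytes], int]:
    """Passive IDS on a tap or span port: the host receives the packet at the
    same time the sensor sees its copy. The sensor's best response is a TCP
    reset sent afterwards, which only stops later packets of that flow."""
    host = Host()
    resets_sent = 0
    for pkt in packets:
        host.receive(pkt)  # the wire delivers regardless of the sensor
        if is_suspicious(pkt) and pkt.flow not in host.reset_flows:
            host.reset(pkt.flow)
            resets_sent += 1
    return [p.payload for p in host.delivered], resets_sent


def suspicious_delivered(payloads: List[bytes]) -> int:
    """How many payloads matching the rule reached the host."""
    return sum(SUSPICIOUS_PATTERN in p for p in payloads)


def sample_packets() -> List[Packet]:
    """Constructed traffic: flow A stays benign, flow B turns suspicious
    at its second packet and stays that way."""
    a: Flow = ("192.0.2.5", "192.0.2.25")
    b: Flow = ("192.0.2.9", "192.0.2.25")
    return [
        Packet(a, 1, b"GET /index.html"),
        Packet(b, 1, b"HELO mail.example"),
        Packet(a, 2, b"GET /style.css"),
        Packet(b, 2, b"EVIL payload part 1"),
        Packet(b, 3, b"EVIL payload part 2"),
        Packet(a, 3, b"GET /logo.png"),
    ]


if __name__ == "__main__":
    pkts = sample_packets()
    inline_payloads, dropped = simulate_inline(pkts)
    passive_payloads, resets = simulate_passive(pkts)
    print("in-line: delivered", len(inline_payloads),
          "suspicious reached host", suspicious_delivered(inline_payloads),
          "dropped", dropped)
    print("passive: delivered", len(passive_payloads),
          "suspicious reached host", suspicious_delivered(passive_payloads),
          "resets sent", resets)
```

Run as a script and the in-line model reports zero suspicious payloads at the host while the passive model reports one: the first matching packet has already been delivered by the time the sensor reacts, and the reset only cuts off what follows. The model is generous to the passive case, since a real injected reset also has to land inside the receiver's sequence window, and it leaves out the "additional intelligence" Bob mentions (for instance distinguishing a legitimate SMTP sender that will keep retrying a silently dropped connection), which is where an in-line product has to do more than drop.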


