Re: Network hardware IPS

From: Ravi Kumar (ravivsn_at_roc.co.in)
Date: 09/30/03

    Date: Tue, 30 Sep 2003 10:24:57 +0530
    To: Alvin Wong <alvin.wong@b2b.com.my>, focus-ids@securityfocus.com
    
    

    Hi Alvin,
    Setting up complete security with all the currently available tools,
    IMHO, the set up can look like this:

       INTERNET------- Security Gateway device -----CORPORATE network

    Security gateway device should have
             - A stateful packet inspection Firewall
             - content filtering and Antivirus
             - and above all Inline IPS. I stress it should be working
               hand in hand with the firewall

    Deploying IDS can only alert you about incoming attacks, and by the time we
    react the damage has happened. To get a good understanding of the entire
    traffic coming from the Internet, the correct tap point is the gateway of
    the network. Not to miss a single packet we need to process packets inline.
    That suggests an Inline IDS to us, even though security is not completely
    achieved. After we identify the attacks the correct mechanism could be
    blocking them there itself.

    Take the example of snort_inline.
             - Takes the packets from iptables
             - uses snort to detect and
             - blocks the connection by sending TCP resets.
    snort_inline uses libipq to queue the packets to user space. I agree that
    moving packets to user space and back to kernel space consumes lots of
    processing time. The solution could be

             - Inline IPS that works in the Kernel space
    Lots of Inline IDS tools that are available to the public work in user
    space. Hogwash, snort_inline etc. take the packets to user space for
    processing. Hogwash differs from snort_inline in the way it takes packets
    to user space. It also uses the same snort engine for processing.

    If any differ please point out. Iptables and snort_inline may not be a
    complete solution. As I said earlier, the box requires more than IPtables.

    Regards,
    Ravi

    At 04:30 PM 9/29/03 +0800, Alvin Wong wrote:
    >Hi,
    >
    >I'm interested to find out if anyone can share their experiences or
    >recommend a network hardware IPS that is deployed in front of the
    >gateway which is able to detect attack signatures and at the same time,
    >actively blocking out these attacks, alerting me in the process.
    >
    >This would be different from a passive IDS which depends on correlating
    >the logs every time an alert pops up. An ideal solution would be to be
    >able to detect the patterns and prevent them automatically, can a
    >network IPS do this?
    >
    >I understand that it is possible in some IDS to do a TCP reset after one
    >has confirmed that the connection is not acceptable. Can anyone explain
    >whether an IDS that can do this is actually "active" as opposed to
    >passive?
    >
    >It would also be interesting if there could be some amount of trend
    >analysis built in which can review the destination/source ip traffic
    >over time, which can be used to identify particular boxes which are
    >easily targeted, which would mean that more work needs to be done for
    >that box.
    >
    >Regards,
    >Alvin
    >
    >
    >
    >---------------------------------------------------------------------------
    >Captus Networks IPS 4000
    >Intrusion Prevention and Traffic Shaping Technology to:
    > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > - Automatically Control P2P, IM and Spam Traffic
    > - Precisely Define and Implement Network Security & Performance Policies
    >FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    >http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
    >---------------------------------------------------------------------------

    The Views Presented in this mail are completely mine. The company is not
    responsible for them whatsoever.

    ----------
    Ravi Kumar CH
    Rendezvous On Chip (I) Pvt Ltd
    Hyderabad, INDIA

    ROC HOME PAGE:
    http://www.roc.co.in

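The passive-IDS versus inline-IPS distinction that Ravi draws above (an IDS can only alert after the packet has passed; an inline sensor such as snort_inline pulls packets from a queue, runs detection, and can drop them or send TCP resets before they reach the corporate side) is easiest to see as a small simulation. The following is an added example, not code from the original post and not snort_inline's or libipq's own code: the packet queue, signatures, hosts and verdict names are all constructed here to stand in for what iptables hands to a userspace sensor.

```python
"""
Added example (not part of the original mailing-list post): a toy simulation
of a passive IDS on a tap versus an inline IPS in the forwarding path.
Packets are pulled one at a time from a queue (standing in for what the
iptables QUEUE target hands to snort_inline via libipq), matched against
content signatures, and given a verdict. All packets, signatures and
addresses below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class Verdict(Enum):
    ACCEPT = "accept"        # forward unchanged
    DROP = "drop"            # silently discard (inline only)
    REJECT = "reject"        # discard and send TCP RST to both ends (inline only)
    ALERT_ONLY = "alert"     # passive mode: log it, but the packet already passed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]     # None = any destination port
    content: bytes           # substring match, like a snort "content:" option
    action: Verdict          # what inline mode does on a hit


# Constructed signatures, loosely modelled on snort rule options.
SIGNATURES: List[Signature] = [
    Signature(1001, "shell path in HTTP request", "tcp", 80, b"/bin/sh", Verdict.REJECT),
    Signature(1002, "long run of NOP bytes in payload", "tcp", None, b"\x90" * 32, Verdict.DROP),
    Signature(1003, "SMTP VRFY probe", "tcp", 25, b"VRFY ", Verdict.REJECT),
]


def match(pkt: Packet, sig: Signature) -> bool:
    """A packet hits a signature when proto, port (if set) and content all match."""
    if pkt.proto != sig.proto:
        return False
    if sig.dport is not None and pkt.dport != sig.dport:
        return False
    return sig.content in pkt.payload


def inspect_packet(pkt: Packet, inline: bool) -> Tuple[Verdict, List[int]]:
    """Return the verdict for one packet plus the sids that fired.

    inline=False models a passive IDS on a span port: the packet is already
    on the wire, so the only possible outcome is an alert.
    inline=True models an IPS in the forwarding path: the first matching
    signature's action decides whether the packet is forwarded at all.
    """
    hits = [sig.sid for sig in SIGNATURES if match(pkt, sig)]
    if not hits:
        return Verdict.ACCEPT, hits
    if not inline:
        return Verdict.ALERT_ONLY, hits
    first = next(sig for sig in SIGNATURES if sig.sid == hits[0])
    return first.action, hits


def run_queue(packets: Iterable[Packet], inline: bool) -> dict:
    """Process a packet queue and summarise what reached the corporate side."""
    forwarded, resets, alerts = 0, 0, []
    for pkt in packets:
        verdict, hits = inspect_packet(pkt, inline)
        if hits:
            alerts.append((pkt.src, hits))
        if verdict in (Verdict.ACCEPT, Verdict.ALERT_ONLY):
            forwarded += 1          # passive mode can only watch it go by
        elif verdict is Verdict.REJECT:
            resets += 1             # RST to both endpoints tears the session down
        # Verdict.DROP: nothing forwarded, nothing sent back
    return {"forwarded": forwarded, "resets": resets, "alerts": alerts}


# Constructed sample traffic: two benign packets, three that hit signatures.
SAMPLE_QUEUE: List[Packet] = [
    Packet("203.0.113.5", "198.51.100.10", 80, "tcp", b"GET /index.html HTTP/1.0\r\n"),
    Packet("203.0.113.7", "198.51.100.10", 80, "tcp", b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"),
    Packet("203.0.113.9", "198.51.100.20", 25, "tcp", b"VRFY root\r\n"),
    Packet("203.0.113.11", "198.51.100.30", 8080, "tcp", b"\x90" * 40 + b"\xcc"),
    Packet("203.0.113.13", "198.51.100.20", 25, "tcp", b"EHLO mail.example\r\n"),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("inline" if mode else "passive", run_queue(SAMPLE_QUEUE, mode))
```

Run as-is, the passive pass forwards all five packets and merely records three alerts; the inline pass forwards only the two benign packets, resets the two sessions whose signatures carry REJECT, and silently drops the third. The cost Ravi mentions is also visible in the structure: every packet crosses the queue boundary and is inspected before a verdict, which is exactly the kernel-to-userspace round trip an in-kernel IPS would avoid.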


