Re: Network hardware IPS

From: Ravi Kumar (ravivsn_at_roc.co.in)
Date: 10/02/03

    Date: Thu, 02 Oct 2003 09:57:36 +0530
    To: Alvin Wong <alvin.wong@b2b.com.my>

    Dear Alvin,
    If you agree snort is the best IDS ever, then snort_inline is the best inline IPS.
    I agree that some preprocessors are not yet modified according to the need
    of Inline.

    Regards,
    Ravi

    At 11:34 AM 10/2/03 +0800, Alvin Wong wrote:
    >Hi Ravi,
    >
    >Thanks for sharing your opinions. Do you have a particular Inline IPS to
    >recommend or can share experiences with IPS?
    >
    >Regards,
    >Alvin
    >
    >On Tue, 2003-09-30 at 12:54, Ravi Kumar wrote:
    > > Hi Alvin,
    > > Setting up complete security with all the currently available tools,
    > > IMHO, the setup can look like this:
    > >
    > > INTERNET------- Security Gateway device -----CORPORATE network
    > >
    > > Security gateway device should have
    > > - A stateful packet inspection firewall
    > > - content filtering and Antivirus
    > > - and above all Inline IPS. I stress it should be working in
    > > hand with firewall
    > >
    > > Deploying an IDS can only alert you about incoming attacks, and by the time
    > > we react the damage has happened. To get a good understanding of the entire
    > > traffic coming from the Internet, the correct tap point is the gateway of the
    > > network. To not miss a single packet we need to process packets inline.
    > > That suggests an inline IDS, even though security is not completely
    > > achieved. After we identify the attacks the correct mechanism could be
    > > blocking them there itself.
    > >
    > > Take the example of snort_inline.
    > > - Takes the packets from iptables
    > > - uses snort to detect and
    > > - blocks the connection by sending TCP resets.
    > > snort_inline uses libipq to queue the packets to user space. I agree that
    > > moving packets from user space and back to kernel space consumes lots
    > > of processing time. The solution could be
    > >
    > > - An inline IPS that works in kernel space.
    > > Lots of the inline IDS tools that are available to the public work in user
    > > space. Hogwash, snort_inline etc. take the packets to user space for
    > > processing.
    > > Hogwash differs from snort_inline in the way it takes packets to user
    > > space. It also uses the same snort engine for processing.
    > >
    > > If anyone differs, please point it out. iptables and snort_inline may not be
    > > a complete solution. As I said earlier, the box requires more than iptables.
    > >
    > >
    > > Regards,
    > > Ravi
    > >
    > >
    > >
    > >
    > > At 04:30 PM 9/29/03 +0800, Alvin Wong wrote:
    > > >Hi,
    > > >
    > > >I'm interested to find out if anyone can share their experiences or
    > > >recommend a network hardware IPS that is deployed in front of the
    > > >gateway which is able to detect attack signatures and, at the same time,
    > > >actively block these attacks, alerting me in the process.
    > > >
    > > >This would be different from a passive IDS which depends on correlating
    > > >the logs every time an alert pops up. An ideal solution would be to be
    > > >able to detect the patterns and prevent them automatically; can a
    > > >network IPS do this?
    > > >
    > > >I understand that it is possible in some IDS to do a TCP reset after one
    > > >has confirmed that the connection is not acceptable. Can anyone explain
    > > >whether an IDS that can do this is actually "active" as opposed to
    > > >passive?
    > > >
    > > >It would also be interesting if there could be some amount of trend
    > > >analysis built in which can review the destination/source IP traffic
    > > >over time, which can be used to identify particular boxes which are
    > > >easily targeted, which would mean that more work needs to be done for
    > > >that box.
    > > >
    > > >Regards,
    > > >Alvin
    > > >
    > >

    The views presented in this mail are completely mine. The company is not
    responsible for them whatsoever.

    ----------
    Ravi Kumar CH
    Rendezvous On Chip (I) Pvt Ltd
    Hyderabad, INDIA

    ROC HOME PAGE:
    http://www.roc.co.in

    ---------------------------------------------------------------------------
    Captus Networks IPS 4000
    Intrusion Prevention and Traffic Shaping Technology to:
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Precisely Define and Implement Network Security & Performance Policies
    FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
    ---------------------------------------------------------------------------
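The passive-versus-inline distinction this thread turns on (an IDS that sends a TCP reset after the fact versus snort_inline's queue-then-verdict pipeline), as an added example that is not part of the original messages or of snort_inline, Hogwash or Snort. The `Segment` type, the single content rule and the traffic are all constructed here, and the iptables QUEUE/libipq mechanics are reduced to "hold the segment until the engine returns a verdict".

```python
"""Constructed model of the two sensor placements in the thread (not code from
snort_inline, Hogwash or Snort): a passive tap sensor can only alert and RST
after forwarding, an inline (iptables QUEUE -> libipq) sensor drops first."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    flow: str        # constructed flow id "src:sport>dst:dport"
    payload: bytes

# Hypothetical content rule in the spirit of a Snort 'content:' match.
RULES = {"directory traversal": b"/../../etc/passwd"}

def inspect(seg):
    """Detection engine: names of rules whose content occurs in the payload."""
    return [name for name, pat in RULES.items() if pat in seg.payload]

def run_passive(stream):
    """Tap sensor: forward first, inspect the copy, RST the flow on a hit.
    Assumes the victim honours the RST, so later segments of that flow die."""
    out, dead = {"delivered": [], "alerts": [], "resets": []}, set()
    for seg in stream:
        if seg.flow in dead:
            continue
        out["delivered"].append(seg)        # already past the gateway
        if hits := inspect(seg):
            out["alerts"] += hits
            out["resets"].append(seg.flow)
            dead.add(seg.flow)
    return out

def run_inline(stream):
    """Queued sensor: every segment waits for a verdict before forwarding."""
    out = {"delivered": [], "alerts": [], "resets": []}
    for seg in stream:
        if hits := inspect(seg):            # verdict DROP: never forwarded
            out["alerts"] += hits
            continue
        out["delivered"].append(seg)        # verdict ACCEPT
    return out

# Constructed traffic: a benign request, then a flow carrying the traversal.
STREAM = [
    Segment("10.0.0.5:4001>192.0.2.10:80", b"GET /index.html HTTP/1.0\r\n\r\n"),
    Segment("10.0.0.9:4002>192.0.2.10:80", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Segment("10.0.0.9:4002>192.0.2.10:80", b"Host: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    print("passive delivered", len(run_passive(STREAM)["delivered"]),
          "/ inline delivered", len(run_inline(STREAM)["delivered"]))
```

Both sensors raise the same alert; only the inline one keeps the matching segment from reaching the host, which is the difference between "alert and reset afterwards" and "block it there itself".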

