RE: NIPS Vendors explicit answer

From: Kohlenberg, Toby (toby.kohlenberg_at_intel.com)
Date: 04/08/04

    Date: Thu, 8 Apr 2004 11:55:11 -0700
    To: "christian graf" <chr.graf@gmx.de>, "focus-ids" <focus-ids@securityfocus.com>

    I'm interested in hearing the responses to this as well but wanted
    to point out one issue in your initial paragraph. See inline comments.

    toby

    >-----Original Message-----
    >From: christian graf [mailto:chr.graf@gmx.de]
    >Sent: Wednesday, April 07, 2004 7:07 AM
    >To: focus-ids
    >Subject: NIPS Vendors explicit answer
    >
    >Hi all,
    >
    >there are many "imaginable" ways for a NIPS to detect traffic, which
    >should be blocked. Pattern-based, data-mining methods (to even guess into
    >encrypted traffic - see http://www.phrack.org/show.php?p=61&a=9 ),
    >RFC-anomaly, protocol-based anomaly (layer 4 flows, new listening
    >services, new protocols, ...), statistical methods, ... Those methods will
    >most likely be combined with neural networks, back-propagation networks,
    >state machines and at least with some voodoo called heuristics.

    Actually, this is one of the key issues for something that is claiming
    to do "intrusion prevention" and not just doing inline IDS. To do
    "intrusion prevention" via network traffic, you can't have decisions
    that are made after the connection is done. In fact for the most part
    the decisions must be made as quickly as possible. That removes
    data-mining as an option; it also potentially removes the more complex
    methods you mention like neural networks (though there are so many
    things that could mean that debating it doesn't do much good). Traffic
    analysis is equally problematic (especially if you want any sort of
    accuracy).

    toby
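The timing point in the reply above (a verdict reached only after the flow has ended cannot prevent anything, it can only alert) can be shown with a small simulation. This is an added illustration, not code from the list post or from any NIPS vendor: it feeds a constructed packet stream through an inline per-packet filter and through a post-hoc flow analyzer, and counts how many bytes of the offending flow each one lets through. The signature string, flow ids and payloads are all made up for the example.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class Packet:
    flow: str       # constructed flow identifier (stands in for a 5-tuple)
    payload: bytes  # constructed application data
    last: bool = False  # True on the final packet of the flow


# Constructed sample traffic: flow "A" is benign, flow "B" carries a made-up
# marker string (not a real attack pattern) in its second packet.
SIGNATURE = b"SAMPLE-BAD-PATTERN"
SAMPLE_PACKETS = [
    Packet("A", b"GET /index.html HTTP/1.1\r\n"),
    Packet("B", b"GET /login HTTP/1.1\r\n"),
    Packet("B", b"X-Demo: SAMPLE-BAD-PATTERN\r\n"),
    Packet("A", b"Host: example.test\r\n", last=True),
    Packet("B", b"\r\n", last=True),
]


def inline_filter(packets, signature=SIGNATURE):
    """Inline NIPS model: decide on every packet as it arrives.

    Once a packet of a flow matches, that packet is dropped and the flow is
    blocked, so nothing further from it is forwarded.
    Returns (forwarded_packets, blocked_flows).
    """
    blocked = set()
    forwarded = []
    for p in packets:
        if p.flow in blocked:
            continue                      # flow already blocked: drop
        if signature in p.payload:
            blocked.add(p.flow)           # verdict made before forwarding
            continue                      # the matching packet is dropped too
        forwarded.append(p)
    return forwarded, blocked


def post_hoc_analyzer(packets, signature=SIGNATURE):
    """Post-connection model (data-mining / flow-statistics style).

    Every packet is forwarded immediately; the flow is only inspected once
    its last packet has been seen, so detection can raise an alert but
    cannot stop delivery. Returns (forwarded_packets, flagged_flows).
    """
    reassembled = defaultdict(bytes)
    flagged = set()
    forwarded = []
    for p in packets:
        forwarded.append(p)               # nothing is held back
        reassembled[p.flow] += p.payload
        if p.last and signature in reassembled[p.flow]:
            flagged.add(p.flow)           # verdict arrives after delivery
    return forwarded, flagged


def delivered_bytes(forwarded, flow):
    """Total payload bytes of `flow` that reached the destination."""
    return sum(len(p.payload) for p in forwarded if p.flow == flow)


def compare(packets=SAMPLE_PACKETS):
    """Run both models and report bytes of flow B that got through."""
    fwd_inline, blocked = inline_filter(packets)
    fwd_post, flagged = post_hoc_analyzer(packets)
    return {
        "inline_blocked": blocked,
        "inline_delivered_B": delivered_bytes(fwd_inline, "B"),
        "posthoc_flagged": flagged,
        "posthoc_delivered_B": delivered_bytes(fwd_post, "B"),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both models "detect" flow B, but only the inline filter withholds the marker packet and everything after it; the post-hoc analyzer reaches the same verdict when the flow closes, by which time all of flow B has been delivered. That is the distinction between prevention and a fast alert that the reply draws.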
