RE: Hi, I want to study IPS

From: Shafi, Shahid (sshafi_at_qualcomm.com)
Date: 05/25/04

    Date: Tue, 25 May 2004 12:52:00 -0700
    To: "Greg Martin" <greg@ddos.com>, "Raistlin" <raistlin@gioco.net>
    
    

    Anybody dealing with Mazu Networks Profiler? It's not in the IPS category yet,
    only NIDS, but they are planning to explore that area soon?

    Thanks,
    Shahid

    -----Original Message-----
    From: Greg Martin [mailto:greg@ddos.com]
    Sent: Sunday, May 23, 2004 11:33 AM
    To: Raistlin
    Cc: focus-ids@securityfocus.com
    Subject: Re: Hi, I want to study IPS

    Stefano "Raistlin" Zanero,

    >> Some vendors use a baseline of the network and take
    >> action if the baseline changes drastically.
    >
    > Examples ?

    Arbor, Riverhead, Netzentry

    >
    >> Some use a 'negative
    >> space' technique which allows only valid traffic and considers all
    >> other traffic as a dos and drops it completely.
    >
    > Again, examples ?

    Melior iSecure, Toplayer Attack Mitigator

    And here is a real world example of how an IPS is working to protect
    Spamhaus, the biggest spammer blacklist.

    http://www.spamhaus.org/cyberattacks/index.html

    > IMHO IPS are nothing more than an integration of a firewall and an IDS
    > concept. As such, they are rather fuzzy and vaporwar-ish enough to be
    > very marketable.

    Everyone is entitled to their opinion... I think the confusion everyone is
    having stems from marketing people pushing IPS hard at its baby stages
    when the technology WAS more or less 'advanced firewall' features or
    firewalls with integrated IDS. Several years have passed since
    whitepapers were published denying the value of IPS products, and if you
    look at what is currently on the market you can clearly tell there is a
    big difference in performance and functionality.

    Also, firewall vendors attempt to add IPS features to their
    current products with varying success, i.e. Cisco PIX SYN intercept and
    Checkpoint's SYN Defender. Both will keel over after a moderate stream of
    random spoofed packets fills up their state tables.

    Ask any large company that constantly gets hit by DDoS attacks: IPS has
    arrived and it has value.

    regards,
    Greg
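As an added illustration of the "baseline of the network" approach Greg describes (this is not code from any vendor or poster in the thread), here is a small per-interval rate detector: it derives a mean and standard deviation from a warm-up window of constructed SYN counts and flags intervals that exceed that baseline by more than k standard deviations. Function names, the warm-up length, the threshold factor and the sample numbers are my own assumptions.

```python
"""Baseline rate-anomaly detector.

Added example for the 'baseline of the network' approach discussed in the
thread; it is not code from any vendor or poster named there. Function
names, the warm-up length and the threshold factor are assumptions.
"""
from collections import Counter
from statistics import mean, pstdev


def bucket_counts(timestamps, interval=1.0):
    """Turn raw event timestamps (seconds) into per-interval counts,
    filling empty intervals with zero so gaps are part of the baseline."""
    if not timestamps:
        return []
    buckets = Counter(int(t // interval) for t in timestamps)
    first, last = min(buckets), max(buckets)
    return [buckets.get(b, 0) for b in range(first, last + 1)]


def build_baseline(samples):
    """Mean and population stdev of a warm-up window of per-interval counts."""
    if len(samples) < 2:
        raise ValueError("need at least two samples for a baseline")
    return mean(samples), pstdev(samples)


def detect_deviations(counts, warmup=30, k=4.0, min_delta=50):
    """Flag intervals whose count exceeds mean + k*stdev of the warm-up.

    min_delta guards against a very flat baseline (stdev near zero) turning
    small blips into alerts. Returns [(index, count, threshold), ...].
    """
    mu, sigma = build_baseline(counts[:warmup])
    threshold = max(mu + k * sigma, mu + min_delta)
    return [(i, c, threshold)
            for i, c in enumerate(counts[warmup:], start=warmup)
            if c > threshold]


# Constructed input: 30 one-second buckets of ordinary SYN rates followed by
# a three-second burst, then a return to normal. These are made-up numbers.
NORMAL = [40, 45, 38, 42, 50, 47, 41, 39, 44, 46] * 3
SAMPLE_COUNTS = NORMAL + [800, 950, 1200, 60, 41]

if __name__ == "__main__":
    for idx, count, thr in detect_deviations(SAMPLE_COUNTS):
        print(f"second {idx}: {count} SYN/s exceeds baseline threshold {thr:.1f}")
```

Feed `bucket_counts` with real per-connection timestamps to produce the counts; the warm-up window must itself be clean traffic, or the burst becomes the baseline.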

    
