Re: stateful vs stateless

• Previous message: Leandro Reox: "RE: ISS Siteprotector as syslog server?"
• In reply to: Jochen Vogel: "stateful vs stateless"
• Next in thread: gaurav_jindal_at_da-iict.org: "query regarding snort customization"
• Reply: gaurav_jindal_at_da-iict.org: "query regarding snort customization"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 22 Nov 2004 08:43:24 +0800
To: Jochen Vogel <jvogel@it-sec.de>

Hi Jochen, let me expand your question a bit to make it clearer.

On Fri, 19 Nov 2004 12:35:51 +0100, Jochen Vogel <jvogel@it-sec.de> wrote:
> hi,
>
> -what are doing the stateful and stateless doing exactly in an IPS?
> -what are the differences?
> -how is the behaviour in an high availabilty environment?
>

1. How exactly the stateful and stateless doing in an IPS?

Depend on the location of the IPS.
If the IPS is behind a stateful firewall, then not much differences.
If the IPS is not behind any firewall or merely protected by stateless
firewall, then: -
- Stateful feature helps to reduce false alarm.
- Stateful feature helps to speed up the detection process

2. What are the differences between stateful and stateless in an IPS?

Both the stateful and stateless are happened at the detection process,
not at the protection/prevention process. Their differences should be
very clear.
Stateless detection might contain higher rate of false alarm.

3. How should them behave in an HA environment?

I haven't experienced any IPS in a HA network.
And I will let other expert to answer this better.
Anyway, I think the IPS should assume everything are stateless.

-- 
Jet
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

• Previous message: Leandro Reox: "RE: ISS Siteprotector as syslog server?"
• In reply to: Jochen Vogel: "stateful vs stateless"
• Next in thread: gaurav_jindal_at_da-iict.org: "query regarding snort customization"
• Reply: gaurav_jindal_at_da-iict.org: "query regarding snort customization"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: ZoneAlarm Pro, Sygate Personal Firewall, or built in xp firewall? ... A stateless firewall can only drop a packet per info in that single packet. ... A stateful firewall maintains a connection state table and can use ... A stateless f/w cannot drop the packet because it cannot verify if it is ... (microsoft.public.windowsxp.general) Re: Free PHP 1 to 1 chat program ... Never heard of stateful/stateless programminmg language dichotomy. ... Also I still cannot understand, if http is stateless, how a stateful ... > environment on each request. ... (comp.lang.php) Re: Is there a specific term for agents that have memory? ... The terminology often used is "stateful" for those that have and ... "stateless" for those that don't. ... This answer presumes that you mean ... (comp.ai) stateful vs stateless ... -what are doing the stateful and stateless doing exactly in an IPS? ... -how is the behaviour in an high availabilty environment? ... thx for infos ... (Focus-IDS)