Re: CISCOs new IPS

From: ADT (synfinatic_at_gmail.com)
Date: 01/07/05

  • Next message: Krystian Antoni: "Re: IDS CISCO alarm"
    Date: Thu, 6 Jan 2005 22:44:44 -0800
    To: Billy Dodson <billy@pmicromart.com>
    
    

    /me sigh

    Why do people continue to claim that firewall/router ACL shunning is
    an effective attack prevention mechanisim? So many attacks nowadays
    can be contained in a single packet which these "solutions" can't
    stop. Not to mention the obvious race condition which may allow
    subsequent packets to pass.

    Nobody would try to sell or be willing to buy a "firewall" which
    sniffs traffic and updates a router ACL, but yet this is somehow
    acceptable as a protection mechanisim for malicious traffic.

    WTF?

    -Aaron

    -- 
    http://synfin.net
    On Thu, 6 Jan 2005 14:18:10 -0600, Billy Dodson <billy@pmicromart.com> wrote:
    > The cisco IPS is not quite what I thought it was going to be.  The IPS
    > is intended for use at branch offices or remote users where you would
    > not normally spring for a fire-walling device.  The IPS is nothing more
    > then a IOS router with IOS firewall and the IDS engine.  The IPS is just
    > software that runs on a cisco router.  It can use around 740 signatures
    > from the cisco IDS to run its "prevention".  It basically turns your
    > router into a small IDS/firewall.  It will be able to create access
    > lists or shuns on the fly.  The same as a current cisco IDS works in
    > conjunction with an IOS router or PIX firewall.  This device is not
    > intended to be the first line of defense within the network.
    > 
    > The cisco IPS is not replacing the cisco IDS.  The cisco IDS is still a
    > good product and can be used as a prevention device when used in
    > conjunction with a router or firewall.  You can configure the sensor to
    > send commands to the router or firewall to Shun the connection or create
    > an access list on a router.
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
    to learn more.
    --------------------------------------------------------------------------
    

  • Next message: Krystian Antoni: "Re: IDS CISCO alarm"