IDS
mailing list archives
RE: IPS Futures
From: "Rob Shein" <shoten () starpower net>
Date: Thu, 22 Jul 2004 14:51:13 -0400
Actually, that isn't exactly what a typical IPS is these days. For example,
by the time a single-packet attack (even if that one packet is TCP and goes
after the handshake) takes place, it's too late to lock down the firewall.
A snort-based IPS would be like what the honeynet project's gen II honeynets
used: snort-inline with hogwash to mangle attacks so they wouldn't work.
The idea isn't to respond to the attack, but rather to actively prevent the
attack from working in the first place, either by not passing it or by
altering it.
-----Original Message-----
From: M Shirk [mailto:shirkdog_linux () hotmail com]
Sent: Wednesday, July 21, 2004 7:29 AM
To: focus-ids () securityfocus com
Subject: RE: IPS Futures
Basically you can run an IPS with snort-inline with iptables. This is great, because I am in control, but what I experienced in the real CLIENT world is a whole different story. Some of the implementations of IDS solutions were terrible. I could not trust the same clients to actually set up the IPS correctly. There is too much of a margin of error.

However, if this is within your own company, it is the way to go. IPS is a better solution than IDS alone. My paranoia is the real world of terrible implementation. Example would be a spoofed router for their internet connection banging the firewall and the IPS shuts down all traffic, and the Internet connection the company used to have :-)

I would be interested if anyone is a Managed Service Security Provider and has had good luck with installation at remote client sites.
Shirkdog
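Rob's point about inline prevention versus locking down the firewall after the fact, and Shirk's spoofed-router scenario, as an added illustration (this is not code from the list or from snort-inline); the packet layout, the signature and the addresses are constructed stand-ins:

```python
from dataclasses import dataclass

SIGNATURE = b"EXPLOIT"   # constructed stand-in for a single-packet attack pattern
ROUTER = "192.0.2.1"     # constructed: address of the site's upstream router


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def matches(pkt: Packet) -> bool:
    return SIGNATURE in pkt.payload


def inline_ips(packets, action="drop"):
    """snort-inline style: the sensor sits in the forwarding path, so a matching
    packet is dropped or mangled before it reaches the host; nothing else is touched."""
    out = []
    for p in packets:
        if matches(p):
            if action == "drop":
                continue
            # "replace": overwrite the pattern with same-length filler so the packet
            # still flows but the attack payload no longer works
            p = Packet(p.src, p.dst, p.payload.replace(SIGNATURE, b"X" * len(SIGNATURE)))
        out.append(p)
    return out


def reactive_ids(packets):
    """IDS plus firewall: the sensor only watches a copy, so the offending packet is
    already forwarded when the alert fires; the firewall then blocks the source."""
    out, blocked = [], set()
    for p in packets:
        if p.src in blocked:
            continue
        out.append(p)            # delivered before detection can act
        if matches(p):
            blocked.add(p.src)   # lock down the firewall, too late for this packet
    return out, blocked


# Constructed stream: normal traffic from the router, one attack packet whose
# source is spoofed to look like the router, then more normal traffic.
STREAM = [
    Packet(ROUTER, "10.0.0.5", b"GET / HTTP/1.0"),
    Packet(ROUTER, "10.0.0.5", b"EXPLOIT payload"),
    Packet(ROUTER, "10.0.0.5", b"GET /index.html HTTP/1.0"),
]


def summarize(delivered):
    return {"delivered": len(delivered),
            "attack_reached_host": any(matches(p) for p in delivered)}
```

With the spoofed source, the reactive design both lets the attack packet through and then blocks the router itself, which is the outage Shirk describes; the inline design only loses the one offending packet.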