IDS: Re: Network hardware IPS

Re: Network hardware IPS

From: Alvin Wong <alvin.wong_at_b2b.com.my>
Date: 02 Oct 2003 11:34:29 +0800

Hi Ravi,

Thanks for sharing your opinions. Do you have a particular Inline IPS to
recommend or can share experiences with IPS?

Regards,
Alvin

On Tue, 2003-09-30 at 12:54, Ravi Kumar wrote:
> Hi Alvin,
> Setting up complete security with all the currently available tools,
> IMHO, the setup can look like this
>
> INTERNET------- Security Gateway device -----CORPORATE network
>
> Security gateway device should have
> - A stateful packet inspection Firewall
> - content filtering and Antivirus
> - and above all Inline IPS. I stress it should be working hand in
> hand with the firewall
>
> Deploying IDS can only alert you about incoming attacks, and by the time we
> react the damage has
> happened. To get a good understanding of the entire traffic coming from the
> Internet, the correct tap point is
> the gateway of the network. Not to miss a single packet, we need
> to process packets inline.
> That suggests an Inline IDS, even though security is not completely
> achieved. After we identify the attacks, the correct mechanism could be
> blocking them there itself.
>
> Take the example of snort_inline.
> -Takes the packets from iptables
> - uses snort to detect and
> - blocks the connection by sending TCP resets.
> snort_inline uses libipq to queue the packets to user space. I agree that
> moving packets from user space and back to kernel space consumes lots
> of processing time. The solution could be
>
> - Inline IPS that works in the Kernel space
> Lots of Inline IDS tools that are available to the public work in user
> space. Hogwash, snort_inline etc. take the packets to user space for
> processing.
> Hogwash differs from snort_inline in the way it takes packets to user
> space. It also uses the same snort engine for processing.
>
> If any differ, please point out. Iptables and snort_inline may not be a
> complete solution. As I said earlier,
> the box requires more than IPtables.
>
>
> Regards,
> Ravi
>
>
>
>
> At 04:30 PM 9/29/03 +0800, Alvin Wong wrote:
> >Hi,
> >
> >I'm interested to find out if anyone can share their experiences or
> >recommend a network hardware IPS that is deployed in front of the
> >gateway which is able to detect attack signatures and at the same time,
> >actively blocking out these attacks, alerting me in the process.
> >
> >This would be different from a passive IDS which depends on correlating
> >the logs every time an alert pops up. An ideal solution would be to be
> >able to detect the patterns and prevent them automatically, can a
> >network IPS do this?
> >
> >I understand that it is possible in some IDS to do a TCP reset after one
> >had confirmed that the connection is not acceptable, can anyone explain
> >whether an IDS that can do this be actually "active" as opposed to
> >passive?
> >
> >It would also be interesting if there could be some amount of trend
> >analysis built in which can review the destination/source ip traffic
> >over time, which can be used to identify particular boxes which are
> >easily targeted, which would mean that more work needs to be done for
> >that box.
> >
> >Regards,
> >Alvin
> >
> >
> >
> >---------------------------------------------------------------------------
> >Captus Networks IPS 4000
> >Intrusion Prevention and Traffic Shaping Technology to:
> > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> > - Automatically Control P2P, IM and Spam Traffic
> > - Precisely Define and Implement Network Security & Performance Policies
> >FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> >http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> >---------------------------------------------------------------------------
>
> The Views Presented in this mail are completely mine. The company is not
> responsible for what so ever.
>
> ----------
> Ravi Kumar CH
> Rendezvous On Chip (I) Pvt Ltd
> Hyderabad, INDIA
>
> ROC HOME PAGE:
> http://www.roc.co.in
>
>
>
>

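The mechanism Ravi describes for snort_inline (packets queued from iptables to user space, a signature match, and a TCP reset sent to kill the connection) is easy to state and easy to get subtly wrong, because a reset is only honoured if its sequence number is what the receiver expects. The following is an added example, not snort_inline's or Hogwash's code: a minimal inline inspection function that parses a raw IPv4/TCP packet, matches the payload against a constructed signature list, returns an accept/drop verdict, and builds the RST to inject toward the sender, numbered the way RFC 793 section 3.4 requires. The signatures, addresses and sample packets are all constructed for the example; a real deployment would hand `inspect()` packets from a queue such as the iptables QUEUE target and would need root and raw sockets to inject the reset, neither of which this code touches.

```python
import socket
import struct

# Constructed sample "signatures": payload substrings an inline filter would block.
# These are illustrative stand-ins, not Snort rules.
SIGNATURES = [b"GET /default.ida?", b"/cgi-bin/phf"]

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def ip_checksum(data):
    """RFC 1071 ones'-complement checksum over an arbitrary byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Assemble an IPv4+TCP packet (no options) with valid IP and TCP checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ip_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Decode the fields the filter needs; return None for anything that is not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": pkt[12:16], "dst": pkt[16:20],
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,
        "payload": tcp[(off_flags >> 12) * 4:],
    }


def checksums_ok(pkt):
    """True if both the IP header and TCP checksums verify (summing over the field yields 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ip_checksum(pkt[:ihl]) == 0 and ip_checksum(pseudo + tcp) == 0


def build_rst(p):
    """RST addressed to the sender of the offending segment, numbered per RFC 793 section 3.4:
    if the segment carried an ACK, the reset's SEQ is that ACK value; otherwise SEQ is 0 and the
    reset ACKs everything the segment occupied (SYN and FIN each consume one sequence number)."""
    if p["flags"] & TCP_ACK:
        seq, ack, flags = p["ack"], 0, TCP_RST
    else:
        seg_len = len(p["payload"]) + bool(p["flags"] & TCP_SYN) + bool(p["flags"] & TCP_FIN)
        seq, ack, flags = 0, (p["seq"] + seg_len) & 0xFFFFFFFF, TCP_RST | TCP_ACK
    return build_tcp_packet(p["dst"], p["src"], p["dport"], p["sport"], seq, ack, flags)


def inspect(pkt):
    """Inline verdict for one queued packet: ("accept", None) passes it on;
    ("drop", rst) discards it and hands back the reset to inject toward the sender."""
    p = parse_ipv4_tcp(pkt)
    if p is None:
        return ("accept", None)
    if any(sig in p["payload"] for sig in SIGNATURES):
        return ("drop", build_rst(p))
    return ("accept", None)


# Constructed sample traffic (RFC 5737 documentation addresses, not captured packets).
ATTACKER, SERVER = socket.inet_aton("203.0.113.5"), socket.inet_aton("192.0.2.10")


def sample_malicious():
    return build_tcp_packet(ATTACKER, SERVER, 40000, 80, 1000, 5000, TCP_ACK | 0x08,
                            b"GET /default.ida?XXXXXXXX HTTP/1.0\r\n\r\n")


def sample_benign():
    return build_tcp_packet(ATTACKER, SERVER, 40001, 80, 2000, 6000, TCP_ACK | 0x08,
                            b"GET /index.html HTTP/1.0\r\n\r\n")


if __name__ == "__main__":
    verdict, rst = inspect(sample_malicious())
    print(verdict, parse_ipv4_tcp(rst) if rst else None)
    print(inspect(sample_benign())[0])
```

Two points the code makes that the thread only implies: the `drop` verdict is what actually keeps the matched payload off the wire, while the reset merely tears the session down so the peer stops retransmitting (a reset alone, as fired by a passive sensor, races against data that has already been delivered); and the reset must echo the sender's ACK number as its own SEQ, otherwise a correct TCP stack silently ignores it. Resets are also TCP-only, so a UDP or ICMP match has to rely on the drop.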
Received on Oct 02 2003
