IDS: Re: Network hardware IPS

From: Ravi Kumar <ravivsn_at_roc.co.in>
Date: Thu, 02 Oct 2003 09:57:36 +0530

Dear Alvin,
If you agree snort is the best IDS ever, then snort_inline is the best inline IPS.
I agree that some preprocessors are not yet modified according to the needs
of inline operation.

Regards,
Ravi

At 11:34 AM 10/2/03 +0800, Alvin Wong wrote:
>Hi Ravi,
>
>Thanks for sharing your opinions. Do you have a particular Inline IPS to
>recommend or can share experiences with IPS?
>
>Regards,
>Alvin
>
>On Tue, 2003-09-30 at 12:54, Ravi Kumar wrote:
> > Hi Alvin,
> > Setting up complete security with all the currently available tools,
> > IMHO, the setup can look like this:
> >
> > INTERNET------- Security Gateway device -----CORPORATE network
> >
> > Security gateway device should have
> > - a stateful packet inspection firewall
> > - content filtering and antivirus
> > - and above all an inline IPS. I stress it should be working
> > hand in hand with the firewall.
> >
> > Deploying an IDS can only alert you about incoming attacks, and by the
> > time we react the damage has happened. To get a good understanding of the
> > entire traffic coming from the Internet, the correct tap point is the
> > gateway of the network. Not to miss a single packet we need to process
> > packets inline. That suggests an inline IDS, even though security is not
> > completely achieved. After we identify the attacks, the correct mechanism
> > could be blocking them there itself.
> >
> > Take the example of snort_inline.
> > - takes the packets from iptables
> > - uses snort to detect and
> > - blocks the connection by sending TCP resets.
> > snort_inline uses libipq to queue the packets to user space. I agree that
> > moving packets to user space and back to kernel space consumes lots
> > of processing time. The solution could be
> >
> > - an inline IPS that works in kernel space.
> > Lots of the inline IDS tools that are available to the public work in user
> > space. Hogwash, snort_inline etc. take the packets to user space for
> > processing.
> > Hogwash differs from snort_inline in the way it takes packets to user
> > space. It also uses the same snort engine for processing.
> >
> > If any differ please point out. iptables and snort_inline may not be a
> > complete solution. As I said earlier,
> > the box requires more than iptables.
> >
> >
> > Regards,
> > Ravi
> >
> >
> >
> >
> > At 04:30 PM 9/29/03 +0800, Alvin Wong wrote:
> > >Hi,
> > >
> > >I'm interested to find out if anyone can share their experiences or
> > >recommend a network hardware IPS that is deployed in front of the
> > >gateway which is able to detect attack signatures and at the same time,
> > >actively blocking out these attacks, alerting me in the process.
> > >
> > >This would be different from a passive IDS which depends on correlating
> > >the logs every time an alert pops up. An ideal solution would be to be
> > >able to detect the patterns and prevent them automatically, can a
> > >network IPS do this?
> > >
> > >I understand that it is possible in some IDS to do a TCP reset after one
> > >has confirmed that the connection is not acceptable; can anyone explain
> > >whether an IDS that can do this is actually "active" as opposed to
> > >passive?
> > >
> > >It would also be interesting if there could be some amount of trend
> > >analysis built in which can review the destination/source ip traffic
> > >over time, which can be used to identify particular boxes which are
> > >easily targeted, which would mean that more work needs to be done for
> > >that box.
> > >
> > >Regards,
> > >Alvin
> > >
> > >
> > >
> > >---------------------------------------------------------------------------
> > >Captus Networks IPS 4000
> > >Intrusion Prevention and Traffic Shaping Technology to:
> > > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> > > - Automatically Control P2P, IM and Spam Traffic
> > > - Precisely Define and Implement Network Security & Performance Policies
> > >FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> > >http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> > >---------------------------------------------------------------------------

The Views Presented in this mail are completely mine. The company is not
responsible for what so ever.

----------
Ravi Kumar CH
Rendezvous On Chip (I) Pvt Ltd
Hyderabad, INDIA

ROC HOME PAGE:
http://www.roc.co.in

Received on Oct 02 2003
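The snort_inline setup described in the quoted message (iptables hands packets to user space through libipq, Snort's engine decides, the verdict is a drop or a TCP reset rather than an alert) as an added example. This is not code from the thread or from the snort_inline project; the interface names, file paths and the snort_inline command line are assumptions made for the illustration, and it targets the ip_queue/QUEUE mechanism of that era rather than today's NFQUEUE.

```sh
#!/bin/sh
# Added example, not code from the original thread or from the snort_inline
# project. It wires snort_inline behind iptables the way the message describes:
# forwarded packets are diverted to user space with the QUEUE target
# (ip_queue + libipq), Snort's engine decides, and the verdict is
# drop/reject instead of a mere alert. Interface names, paths and the
# snort_inline command line are assumptions for the illustration.

# Emit the iptables rules that hand forwarded traffic to user space.
# Every packet that hits QUEUE waits for snort_inline's verdict, so if the
# user-space process dies, forwarding stops: the gateway fails closed.
ipq_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
modprobe ip_queue
iptables -A FORWARD -i $wan -o $lan -j QUEUE
iptables -A FORWARD -i $lan -o $wan -j QUEUE
EOF
}

# Convert stock Snort "alert" rules (read from stdin) into snort_inline
# blocking rules. snort_inline understands three blocking actions:
#   drop   - drop the packet and log it
#   reject - drop it and send a TCP RST (ICMP unreachable for UDP),
#            which is the "block by sending TCP resets" the thread mentions
#   sdrop  - drop silently, without a log entry
# Comment lines and rules that already carry another action (pass, log,
# drop, ...) are passed through unchanged.
alert_to_action() {
    action="$1"
    case "$action" in
        drop|reject|sdrop) ;;
        *) echo "unknown snort_inline action: $action" >&2; return 1 ;;
    esac
    sed -e '/^[[:space:]]*#/b' \
        -e "s/^[[:space:]]*alert[[:space:]]/$action /"
}

# Print the command that starts snort_inline in inline mode (-Q) as a
# daemon (-D) against a converted rule set. Paths are placeholders.
snort_inline_cmd() {
    conf="$1"
    logdir="$2"
    echo "snort_inline -Q -c $conf -l $logdir -D"
}

# Typical use (assumed paths):
#   ipq_rules eth0 eth1 | sh
#   alert_to_action reject < /etc/snort/rules/web-attacks.rules \
#       > /etc/snort_inline/drop-web.rules
#   $(snort_inline_cmd /etc/snort_inline/snort_inline.conf /var/log/snort_inline)
```

The choice between `reject` and `drop` matters in practice: `reject` gives the sender a clean RST and is what the message calls blocking by TCP reset, while `drop` leaves the attacker's connection hanging and costs nothing extra to generate. Because every queued packet blocks until user space answers, the ip_queue path also makes the processing-time concern raised in the thread visible immediately under load.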