IDS mailing list archives
RE: need your help about IPS and IDS,thanks
From: "Julius Detritus" <julius.detritus () ifrance com>
Date: Thu, 18 Nov 2004 11:06:57 +0100
Hi, We run a SOC with IPSes. They are a lot more feature available on IPSes than just blocking offending packets. First IPSes can provide bandwidth management: 1. If you get flooded with legitimate traffic (DDoS like attacks), you can isolate the attack on one type of traffic (let's say HTTP) while other applications' traffic remains unaffected. (It may be needed though to have it at your ISP POP) 2. You can enforce security policy by limiting some kind of traffic, such as P2P. 3. If some traffic looks suspicious (large volume of weird packets that can cause a DoS at high bandwidth), you can mitigate the attack without taking the risk of killing legitimate application traffic (it will just be slower) Second with an updated list of attack signatures you can get more time for patch management. I explain. Real IPSes are dedicated hardware designed to handle huge amount of traffic (multiple Gbps for the one we use here). It means that they can handle the load of internal networks. Then if the vendor provides like a "most recent" attack signatures group, your server (and even workstations) will remain safe for the time you patch them. It means more time to perform stability tests on servers and to have patches or anti-virus updates applied by users on their workstations. Third, as IPSes are inline, they can apply security mechanism in the place of the server you want to protect. As an example, SYNFloods can be successfully mitigated by the use of SYN Cookies. However not all OS support this feature and it would be very bad time to have it set on each and every server. And so on... It is true that IPSes are in the middle of a marketing storm where traditional firewall and IDS vendors try to protect their market shares. Also the snort-inline syndrome adds a lot of confusion. But snort-inline has been designed for Honeypots, not Corporate or Telco security. My 0.02$ Julius -----Message d'origine----- De : Andy Cuff [mailto:lists () securitywizardry com] Envoyé : mercredi 17 novembre 2004 07:39 À : 'Lily'; focus-ids () securityfocus com Objet : RE: need your help about IPS and IDS,thanks Lily, The main difference in my opinion is that IPS are inline and can therefore block more effectively and IDS aren't in line and monitor traffic on a segment or switch. Are you wondering about the difference between IPS/IDS and Attack Mitigation Systems? Regards -andy cuff The Talisker Network Security Portal http://securitywizardry.com Computer Network Defence Ltd -----Original Message----- From: Lily [mailto:xiaoche111 () hotmail com] Sent: 13 November 2004 14:53 To: focus-ids () securityfocus com Subject: need your help about IPS and IDS,thanks hi,all I have some questions to ask which must be simple to you I think. 1.IPS must build normal model while IDS can use the abnormal model(misuse detection)?If it is what's the difference between the IDS's anomaly detection and IPS? 2.Has someone formally use the data mining technology in the IPS? 3.Besides the DoS and buffer overflow etc,has any other way be used in IPS just like the users behaviour analysis? 4.Why someone said IPS can not log the trace of the attacks while IDS can do?I think IPS can do it easily.Maybe because IPS is in-line and log the trace needing many time? So depressed with the IDS/IPS and my thesis is flying in the sky:( Thank you in advance. Lily --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.797 / Virus Database: 541 - Release Date: 15/11/2004 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.797 / Virus Database: 541 - Release Date: 15/11/2004 -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. -------------------------------------------------------------------------- -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- RE: need your help about IPS and IDS,thanks, (continued)
- RE: need your help about IPS and IDS,thanks Eric McCarty (Nov 16)
- Re: need your help about IPS and IDS,thanks Lily (Nov 17)
- RE: need your help about IPS and IDS,thanks Andy Cuff (Nov 18)
- RE: need your help about IPS and IDS,thanks Chris Petersen (Nov 19)
- RE: need your help about IPS and IDS,thanks Stuart Staniford (Nov 22)
- RE: need your help about IPS and IDS,thanks Omar Herrera (Nov 23)
- Re: need your help about IPS and IDS,thanks Lily (Nov 17)
- RE: need your help about IPS and IDS,thanks Eric McCarty (Nov 16)
- Re: need your help about IPS and IDS,thanks Lily (Nov 17)
- Message not available
- need your help about IPS and IDS,thanks Zhuowei Li (Nov 19)