Re: Network hardware IPS

[Ravi Kumar <ravivsn () roc co in>]

Hi All,
Well, I want to comment a point on IPS and IDS over TCP resets.
I wish to bring out the  difference between IPS and IDS taking examples of 
snort_inline and snort over blocking connections.
Snort with flex response enabled will send TCP resets or ICMP error 
messages to block attack  related connections. And also its true that it 
may be unsuccessful in doing so. And some packets may creep  in.
But in case of IPS it drops such packets and will also send TCP resets. So 
there no chance for attack packets to go in.
so Alvin, you can go with snort_inline if freeware is desired.
Regards,
Ravi
At 11:25 AM 10/2/03 +0800, Alvin Wong wrote:
> Thanks for the information, Cory, that was really insightful.
>
> Regards,
> Alvin
>
> On Wed, 2003-10-01 at 00:52, Cory Stoker wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > Alvin Wong wrote:
> >
> > <snip>
> >
> > |
> > |Also, my question to any is the following
> > |"One note of caution on TCP Reset is not a preferred method of blocking
> > |attacks according to some security experts. " Alan Shimel
> > |
> > |Why isn't TCP reset a preferred method of blocking?
> > |
> > |Regards,
> > |Alvin
> > |
> > <snip>
> >
> > Hi:
> >
> > The main reason that TCP resets are not a preferred method of blocking
> > is it is not Guaranteed to be successful.  I quote below:
> >
> > " In our tests, snort (v 1.8.4 and beta v. 1.9.1) does not always kill
> > the HTTP connection using the RST and/or ICMPs. In most of the cases
> > connection is reset and sometimes it remains running and the file (dummy
> > " cmd.exe" placed on Apache web server) is successfully downloaded. The
> > possible explanation is that RST arrives too late for the connection to
> > be reset since the response from server comes earlier with the right
> > sequence number. The delayed RST is then discarded. Thus RST/ICMP is not
> > a reliable security mechanism (exactly as claimed in the snort
> > documentation)." -- Anton Chuvakin, Ph.D.
> >
> > Also many attacks are too short for a TCP reset to be effective or the
> > attacker could change his IP stack to disregard the TCP reset.
> >
> > Thanks,
> > - --
> >
> > Cory Stoker
> > Security Engineer
> > Latis Networks, Inc.
> >
> > www.stillsecure.com
> > Reducing your risk has never been this easy
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQE/ebS7I1eg/VOfA8oRAgkgAJ0SYnU+qN7/VOWBSWEMabYY3LET1ACaAnbr
> > VAOjkGF7vl3cmy9wy0XrU4Y=
> > =ys9M
> > -----END PGP SIGNATURE-----
> >
> >
>
>
> ---------------------------------------------------------------------------
> Captus Networks IPS 4000
> Intrusion Prevention and Traffic Shaping Technology to:
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Automatically Control P2P, IM and Spam Traffic
>  - Precisely Define and Implement Network Security & Performance Policies
> FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> ---------------------------------------------------------------------------

The Views Presented in this mail are completely mine. The company is not 
responsible for what so ever.

----------
Ravi Kumar CH
Rendezvous On Chip (I) Pvt Ltd
Hyderabad, INDIA

ROC HOME PAGE:
http://www.roc.co.in



---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------