IDS mailing list archives

RE: Top IPS vendors - please read for invitation to Network World review.


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 2 Sep 2003 10:43:15 -0500

-----Original Message-----
From: Scott Wimer [mailto:scottw () cylant com] 
Sent: Tuesday, September 02, 2003 10:06 AM
To: Daniel Cid
Cc: Schmehl, Paul L; focus-ids () securityfocus com
Subject: Re: Top IPS vendors - please read for invitation to 
Network World review.

Daniel Cid wrote:
Portsentry can block an IP address using the route
command (route reject) in machines that don't have a firewall.

Forgive me for being callous, but this methodology is just asking for 
problems.  If somebody portscans you from a spoofed address: say your 
DNS server's IP maybe, then you now have some interesting problems.

This is using a broadsword where a scalpel is called for. Scottwimer

Not really.  Portsentry has the ability to ignore certain hosts, and any
sensible setup of Portsentry would include localhost, your hostname and
your DNS server in the .ignore file.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
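
The ignore-list check discussed in this thread, as an added example that is not part of the original messages or of Portsentry's own code: a scan source is matched against an ignore list before any reject route is built. The ignore-file format (one address or CIDR block per line, `#` comments), the sample addresses and the function names are assumptions made for illustration; the command is only returned as a string, never executed.

```python
import ipaddress

# Constructed ignore-file content (documentation-range addresses, not from the thread).
SAMPLE_IGNORE = """\
# hosts that must never be blocked
127.0.0.1
192.0.2.10        # this host
192.0.2.53        # DNS server
198.51.100.0/24   # management network
"""

def parse_ignore(text):
    """Return the networks listed in an ignore file, skipping comments and blanks."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            # A bare address becomes a /32 (or /128) network.
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def decide(source, ignore_nets):
    """Return the reject-route command for a scan source, or None if it is ignored."""
    addr = ipaddress.ip_address(source)
    if any(addr in net for net in ignore_nets):
        return None
    return f"route add -host {addr} reject"

def triage(sources, ignore_text=SAMPLE_IGNORE):
    """Map each reported scan source to its blocking decision."""
    nets = parse_ignore(ignore_text)
    return {s: decide(s, nets) for s in sources}

if __name__ == "__main__":
    # Constructed scan sources: the DNS server (possibly spoofed), an outside
    # host, and a host inside the ignored management network.
    for src, cmd in triage(["192.0.2.53", "203.0.113.7", "198.51.100.20"]).items():
        print(src, "->", cmd or "ignored, no route change")
```

The check protects only the addresses that are listed: a scan that appears to come from any other address still results in a reject route for that address.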



