IDS mailing list archives
Re: Network hardware IPS
From: nick black <dank () suburbanjihad net>
Date: Mon, 29 Sep 2003 21:07:46 +0000 (UTC)
In article <1064824236.3246.90.camel@localhost.localdomain>, Alvin Wong wrote:
I'm interested to find out if anyone can share their experiences or recommend a network hardware IPS that is deployed in front of the gateway which is able to detect attack signatures and at the same time, actively blocking out these attacks, alerting me in the process.
our product, the reflex interceptor, provides this functionality in its bridging mode of operation. packets can be filtered on an individual basis as a result of matching either signatures (policy is set per-signature) or our anomaly-detection systems (policy is set per-subsystem).
the logs every time an alert pops up. An ideal solution would be to be able to detect the patterns and prevent them automatically, can a network IPS do this?
yes, subject to the constraints of the pattern-describing language it employs.
I understand that it is possible in some IDS to do a TCP reset after one had confirmed that the connection is not acceptable, can anyone explain whether an IDS that can do this be actually "active" as opposed to passive?
we felt that this was insufficient as a total response; there's a race condition, for instance, when an attempt to exploit is detected: shall your reset get there before the original traffic? what does one do about non-tcp attacks? inline filtering overcomes these particular obstacles.
It would also be interesting if there could be some amount of trend analysis built in which can review the destination/source ip traffic over time, which can be used to identify particular boxes which are easily targeted, which would mean that more work needs to be done for that box.
our (and most other) products support reporting and database-like queries of history. i believe lancope's tool performs the automatic trend analysis you seem to want, but am not sure. -- nick black <dank () reflexsecurity com> "np: nondeterministic polynomial-time the class of dashed hopes and idle dreams." - the complexity zoo --------------------------------------------------------------------------- Captus Networks IPS 4000 Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance Policies FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101 ---------------------------------------------------------------------------
Current thread:
- Network hardware IPS Alvin Wong (Sep 29)
- RE: Network hardware IPS Alan Shimel (Sep 29)
- Re: Network hardware IPS Andy Cuff [Talisker] (Sep 29)
- Re: Network hardware IPS nick black (Sep 30)
- Re: Network hardware IPS Ravi Kumar (Sep 30)
- <Possible follow-ups>
- RE: Network hardware IPS JAVIER OTERO (Sep 29)
- Message not available
- Network hardware IPS Alvin Wong (Sep 30)
- Re: Network hardware IPS Cory Stoker (Sep 30)
- Message not available
- RE: Network hardware IPS JAVIER OTERO (Sep 30)
- RE: Network hardware IPS travis . alexander (Sep 30)
- RE: Network hardware IPS JAVIER OTERO (Sep 30)
- RE: Network hardware IPS Nimesh Vakharia (Sep 30)
- RE: Network hardware IPS Bob Walder (Sep 30)