IDS mailing list archives
Re: Network hardware IPS
From: Ravi Kumar <ravivsn () roc co in>
Date: Tue, 30 Sep 2003 10:24:57 +0530
Hi Alvin,

Setting up complete security with all the currently available tools, IMHO, the setup can look like this:

INTERNET ------- Security Gateway device ----- CORPORATE network

The security gateway device should have:
- a stateful packet inspection firewall
- content filtering and antivirus
- and above all, an inline IPS. I stress that it should be working hand in hand with the firewall.

Deploying an IDS can only alert you about incoming attacks, and by the time we react the damage has happened. To get a good understanding of the entire traffic coming from the Internet, the correct tap point is the gateway of the network. Not to miss a single packet, we need to process packets inline; that suggests an inline IDS, even though security is not completely achieved. After we identify the attacks, the correct mechanism could be to block them there itself.

Take the example of snort_inline:
- takes the packets from iptables
- uses snort to detect, and
- blocks the connection by sending TCP resets.

snort_inline uses libipq to queue the packets to user space. I agree that moving packets to user space and back to kernel space consumes lots of processing time. The solution could be:
- an inline IPS that works in kernel space.

Lots of the inline IDS tools that are available to the public work in user space. Hogwash, snort_inline etc. take the packets to user space for processing. Hogwash differs from snort_inline in the way it takes packets to user space. It also uses the same snort engine for processing.

If any differ, please point out. Iptables and snort_inline may not be a complete solution. As I said earlier, the box requires more than iptables.

Regards,
Ravi

At 04:30 PM 9/29/03 +0800, Alvin Wong wrote:
> Hi,
>
> I'm interested to find out if anyone can share their experiences or recommend a network hardware IPS that is deployed in front of the gateway, which is able to detect attack signatures and at the same time actively block these attacks, alerting me in the process. This would be different from a passive IDS, which depends on correlating the logs every time an alert pops up. An ideal solution would be able to detect the patterns and prevent them automatically; can a network IPS do this?
>
> I understand that it is possible in some IDSs to do a TCP reset after one has confirmed that the connection is not acceptable. Can anyone explain whether an IDS that can do this is actually "active" as opposed to passive?
>
> It would also be interesting if there could be some amount of trend analysis built in which can review the destination/source IP traffic over time, which can be used to identify particular boxes which are easily targeted, which would mean that more work needs to be done for that box.
>
> Regards,
> Alvin
>
> ---------------------------------------------------------------------------
> Captus Networks IPS 4000
> Intrusion Prevention and Traffic Shaping Technology to:
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Automatically Control P2P, IM and Spam Traffic
> - Precisely Define and Implement Network Security & Performance Policies
> FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> ---------------------------------------------------------------------------
The views presented in this mail are completely mine. The company is not responsible whatsoever.
----------
Ravi Kumar CH
Rendezvous On Chip (I) Pvt Ltd
Hyderabad, INDIA
ROC HOME PAGE: http://www.roc.co.in
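The distinction the reply draws between an IDS that only alerts (and can at best send a TCP reset after the fact) and an inline engine that holds each packet for a verdict before forwarding it, as an added illustration that is not code from this thread, from snort_inline or from Hogwash. The dict-shaped packets, the two byte-pattern "signatures", the sample traffic and every helper name below are constructed for the example; in a real snort_inline deployment the queueing step is the iptables QUEUE target feeding libipq, which this model replaces with a plain Python loop.

```python
"""
Model of passive IDS vs inline IDS/IPS handling of the same traffic.

Constructed example. Packets are plain dicts instead of real frames, and a
"signature" is a byte-pattern match standing in for a snort rule. What it
shows: a passive tap sees a copy of each packet after it has already been
forwarded, so it can only alert (or send a TCP RST afterwards); an inline
queue must return a verdict before the packet is forwarded, so a dropped
payload never reaches the host. A single-datagram UDP payload has no
connection to reset, so the passive sensor cannot block it at all.
"""
import re

# Constructed signatures standing in for snort rules (pattern -> message).
SIGNATURES = {
    rb"/cgi-bin/.*\.\./\.\./": "WEB-CGI directory traversal attempt",
    rb"\x90{16,}": "SHELLCODE NOP sled",
}


def match_signatures(payload: bytes):
    """Return the message of the first matching signature, or None."""
    for pattern, msg in SIGNATURES.items():
        if re.search(pattern, payload):
            return msg
    return None


def tcp_reset_for(pkt):
    """Build the RST a sensor would send to tear down the offending flow.
    Addresses are swapped and the sequence number is taken from the packet
    so the receiver honours the reset."""
    return {"src": pkt["dst"], "dst": pkt["src"], "proto": "tcp",
            "flags": "RST", "seq": pkt["ack"],
            "ack": pkt["seq"] + len(pkt["payload"])}


class PassiveIDS:
    """Tap on a SPAN port: the packet is delivered first, the sensor sees a copy."""

    def __init__(self):
        self.alerts, self.resets = [], []

    def run(self, packets):
        delivered = []
        for pkt in packets:
            delivered.append(pkt)          # forwarded regardless of content
            msg = match_signatures(pkt["payload"])
            if msg:
                self.alerts.append(msg)
                if pkt["proto"] == "tcp":  # reactive: the payload already got through
                    self.resets.append(tcp_reset_for(pkt))
        return delivered


class InlineIPS:
    """Packets are queued to the engine (like iptables QUEUE -> libipq -> snort)
    and are not forwarded until the engine returns a verdict."""

    def __init__(self):
        self.alerts, self.dropped = [], []

    def verdict(self, pkt):
        msg = match_signatures(pkt["payload"])
        if msg:
            self.alerts.append(msg)
            return "DROP"
        return "ACCEPT"

    def run(self, packets):
        delivered = []
        for pkt in packets:
            if self.verdict(pkt) == "ACCEPT":
                delivered.append(pkt)
            else:
                self.dropped.append(pkt)
        return delivered


# Constructed traffic: one benign HTTP request, one traversal attempt over TCP,
# one single-datagram UDP payload carrying a NOP sled (no connection to reset).
TRAFFIC = [
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "seq": 1000, "ack": 5000,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "seq": 2000, "ack": 6000,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"},
    {"src": "203.0.113.9", "dst": "192.0.2.11", "proto": "udp", "seq": 0, "ack": 0,
     "payload": b"\x90" * 32 + b"\xcc\xcc"},
]


def compare(packets=TRAFFIC):
    """Run both sensors over the same packets and summarise what each achieved."""
    ids, ips = PassiveIDS(), InlineIPS()
    return {
        "passive_delivered": len(ids.run(packets)),
        "passive_alerts": len(ids.alerts),
        "passive_resets": len(ids.resets),
        "inline_delivered": len(ips.run(packets)),
        "inline_dropped": len(ips.dropped),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both sensors raise the same two alerts; the difference is in what reached the hosts. The passive tap delivered all three packets and could only answer the TCP attack with a reset, while the inline engine delivered only the benign request. This is the reason the reply argues for tapping inline at the gateway rather than alerting after the fact.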
Current thread:
- Network hardware IPS Alvin Wong (Sep 29)
- RE: Network hardware IPS Alan Shimel (Sep 29)
- Re: Network hardware IPS Andy Cuff [Talisker] (Sep 29)
- Re: Network hardware IPS nick black (Sep 30)
- Re: Network hardware IPS Ravi Kumar (Sep 30)
- <Possible follow-ups>
- RE: Network hardware IPS JAVIER OTERO (Sep 29)
- Message not available
- Network hardware IPS Alvin Wong (Sep 30)
- Re: Network hardware IPS Cory Stoker (Sep 30)
- Message not available
- RE: Network hardware IPS JAVIER OTERO (Sep 30)
- RE: Network hardware IPS travis . alexander (Sep 30)
- RE: Network hardware IPS JAVIER OTERO (Sep 30)
- RE: Network hardware IPS Nimesh Vakharia (Sep 30)
- RE: Network hardware IPS Bob Walder (Sep 30)