Full Disclosure mailing list archives
Re: Suggestion for IDS
From: Valdis.Kletnieks () vt edu
Date: Wed, 28 Sep 2005 06:09:22 -0400
On Wed, 28 Sep 2005 11:48:06 +0200, Peer Janssen said:
Really? Is there no software package capable of withholding inspected packages until cleared by said IDS?
All depends on the inbound packet rate, how fast the IDS is, and how much RAM you're willing to buy. Just remember that a sufficiently long queue is in itself a denial of service... ;)
Dropping packets, closing ports and resetting connections (besides logging, maybe notifying users) look like natural useful reactions to the detections deliverad of an IDS to me.
Just remember to configure the thing sensibly - it's amazing how many people manage to shoot themselves in the foot, and find out the hard way that yes, Virginia, there ARE people out there that will forge packets with the source IP address of the victim's nameserver... ;)
Or are we just talking about definitions (regarding the "D" in IDS), instead of talking about IDPS-ses which the OP clearly seems to imply? (P for prevention)
It's *very* important to talk about definitions - there's waaay too many people who buy an IDS and think that by hooking it to the net, it magically becomes an IPS. An equally great number buy some IPS or other, and find out the hard way that they don't block a 0-day or a new worm.....
So what are the IDPS-ses you recommend?
I recommend buying one that you're able to get your brain wrapped around what the unit *can* and *cannot* do for you. A less functional unit that you understand fully is a better choice than a top-of-the-line whizz-bang-3000 that you have no clue about its actual abilities. Quite frankly, anybody who already has a PIX installed and wants to install an IPS needs to quantify *exactly* what protection the PIX is failing to provide before they go shopping for anything.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Suggestion for IDS Fajar Edisya Putera (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
- Re: Suggestion for IDS Peer Janssen (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
- Re: Suggestion for IDS Michael Holstein (Sep 28)
- Re: Suggestion for IDS Joel Esler (Sep 28)
- Re: Suggestion for IDS Peer Janssen (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
- Re: Suggestion for IDS Michael Holstein (Sep 28)
- Re: Suggestion for IDS Reto Inversini (Sep 28)
- RE: Suggestion for IDS Randall M (Sep 29)
- Re: Suggestion for IDS Paul Schmehl (Sep 28)
- Re: Suggestion for IDS Kevin Pawloski (Sep 28)
- Re: Suggestion for IDS Lew Wolfgang (Sep 28)
- IDS features (was: Suggestion for IDS) Alejandro Barrera (Sep 28)
- Re: IDS features (was: Suggestion for IDS) Kevin Pawloski (Sep 28)
- Re: Suggestion for IDS Kevin Pawloski (Sep 28)