Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IDS requirement

from [SecurIT Informatique Inc.] Network Security [Permanent Link]
Subject: RE: IDS requirement
Date: Fri, 03 Dec 2004 01:22:53 -0500
I agree with Nelson, in the fact that for most people, the term IPS means only one type of technology. The "IDS is dead" Gartner report surely didn't help at correcting this situation.

I would only add that the IPS system (either NIPS or HIPS) will only be as good as the underlying IDS engine under it (either built-in or third-party). Most network-based systems work on the "known vulnerabilities" principles, meaning that this kind of systems usually performs poorly against 0-day exploits. A system based on "known secure state" of your machines, or "white list" seems more promising against unknown vulnerabilities. And by design, HI(D|P)S are more appropriate for this approach that NI(D|P)S.

Ideally, I think that both methods should be used, if just for the sake of security in layers.

My 2 cents.

Floydman

At 03:03 PM 01/12/2004, Brito, Nelson (ISS Brazil) wrote: 
I disagree, because the IPS concept is misunderstood for almost
everybody.

IPS, as you said, is Intrusion Prevention (some people says Protection)
System.

IMHO, IPS is something between the source of attack and the target,
blocking or stopping the attack in real time, without interaction (or
any kind of re-configuration) with other device / application.

The IPS, by default, uses its own engine to do that, which means that
IPS does not need to re-configure nor Firewalls neither Routers to block
or stop a threat, even because IPS is not just a technology to use
protecting network segments. It is a concept, as I said bellow, between
the source of attack and the target. It can be a HIPS, stopping the
attack before it reaches the target (OS).

So, briefly, IPS can be:
1 - A network engine to stop attacks before they reach the target
systems, a device in other words;
2 - An engine installed on a machine which stops the attacks before they
reach the machine, an engine working in Kernel space or even in a lowest
level.

Sorry my broken English, it is not my main Language, by the way.

Cheers.

- nb

{(!($^O=~/^[M]*$32/i)&&($0=~s!^.*/!!))||($0=~s!.*\\!!)}print$0;



-----Original Message-----
From: Jimi Thompson [mailto:jimi.thompson@gmail.com]
Sent: Wednesday, December 01, 2004 2:35 AM
To: skill2die4@secguru.com
Cc: Raj B; focus-ids@securityfocus.com
Subject: Re: IDS requirement


I realize that I'm a bit late here, but it's been a holiday.  We had a
similar discussion on the SNORT mailing list recently and I'll distill
it down for you.  The general concensus is that IPS is mostly marketing
hype.  Unless you are doing something to identify an attack in progress
in real time and actively doing something (i.e. modifying a firewall
rule or routing table) to stop that attack, you are not an IPS, because
you are not, by definition, preventing anything.

IDS = intrusion detection system

IPS = intrusion prevention system

HTH,

Jimi


On Mon, 22 Nov 2004 15:28:28 -0600 (CST), skill2die4@secguru.com
<skill2die4@secguru.com> wrote:
>
> >
> > Can anyone email me a document on how IDS/IPS actually
> > works.....with the terminology well explained.
> >
>
> IMHO, articles of your interest would be :
>
> FAQ's
> ============
> [FAQ] Sniffing (network wiretap, sniffer)
> [FAQ] IDS
>
> Terminology
> =============
> [AndyCuff] Intrusion Detection Terminology
> [A.Cliff] Intrusion Detection Systems Terminology
>
> Basic Papers
> ===============
> [SecurityFocus] An Introduction to Intrusion Detection Systems
> [SecurityFocus] Network Intrusion Detection Signatures [SecurityFocus]

> Intrusion Detection: Filling in the Gaps [Cisco] Intrusion Detection
> Planning Guide
>
> links to all the above is availabe at,
>
> http://www.secguru.com/index.php/content/category/6/145/115/
> [ www.secguru.com -> Network Devices -> IDS ]
>
> Also , visit Andy Cuff's site : http://www.networkintrusion.co.uk/
> for much info ... :-)
>
> HTH,
>
> -=skillz=-


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Snort implementation question?, Thomas Ptacek
Next by Date:  Re: CiscoWorks - VMS - IDS Monitoring and Alerting, Alexis Caurette
Previous by Thread:  RE: IDS requirement, Brito, Nelson (ISS Brazil)
Next by Thread:  IPS Blocking Spyware?, Ron
Indexes:  [Date] [Thread] [Top] [All Lists]