Re: IPS Comparison

From: Vic N (vic778@hotmail.com)
Date: Sat Dec 24 2005 - 21:47:55 EST

• Next message: neal wise: "Re: 3rd party vuln assesment firms"
• Previous message: DokFLeed: "IRAX 0.1 is on Freshmeat"
• In reply to: Chris Brenton: "Re: IPS Comparison"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

>
>Remember that an IPS is nothing more than a stateful inspection firewall
>that also tries to match malicious patterns in the payload. With this in
>mind, you are talking about being limited to detecting known attacks
>only. So if your IPS vendor can get you a sig (or you can write one
>yourself) faster than you can patch the vulnerability, there is value
>add to having an IPS. If not, well, you are doing little more than
>detecting and weeding out attacks that you are not vulnerable to
>anyways. IMHO there are cheaper ways of getting this warm fuzzy and
>feeling.
>
>There is an exception to this, which is another approach that is taken
>by some IPS vendors. This involves checking for indications of a
>successful attack. For example a packet headed out to the Internet that
>contains the string "C:\" could be considered suspicious and a possible
>indication that an attack has breached the perimeter. Nice thing about
>weeding these out is you have the potential to block 0-day because you
>are detecting on the actual problem rather than just a symptom.
>
Mazunetworks.com has a nice IPS that does not use a signature-based
approach. I've used their ddos solution before (enforcer) and have just
started an eval on their profiler IPS system that seems to have some very
nice capabilities.

One reason I decided to further evaluate this one is because of its ability
to give an extended view into internal network traffic, not just a "security
event". It incorporates Cisco's netflow protocol and its own sensors to
provide baseline reporting on standard and unusual traffic patterns.... So
it looks like it's going to give me a chance to detect other traffic
patterns on internal segments that might be undesirable, like p2p or unusual
IM traffic.

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: neal wise: "Re: 3rd party vuln assesment firms"
• Previous message: DokFLeed: "IRAX 0.1 is on Freshmeat"
• In reply to: Chris Brenton: "Re: IPS Comparison"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:17 EDT