On Wed, 28 Sep 2005 11:48:06 +0200, Peer Janssen said: > Really? Is there no software package capable of withholding inspected > packages until cleared by said IDS? All depends on the inbound packet rate, how fast the IDS is, and how much RAM you're willing to buy. Just remember that a sufficiently long queue is in itself a denial of service... ;) > Dropping packets, closing ports and resetting connections (besides > logging, maybe notifying users) look like natural useful reactions to > the detections deliverad of an IDS to me. Just remember to configure the thing sensibly - it's amazing how many people manage to shoot themselves in the foot, and find out the hard way that yes, Virginia, there ARE people out there that will forge packets with the source IP address of the victim's nameserver... ;) > Or are we just talking about definitions (regarding the "D" in IDS), > instead of talking about IDPS-ses which the OP clearly seems to imply? > (P for prevention) It's *very* important to talk about definitions - there's waaay too many people who buy an IDS and think that by hooking it to the net, it magically becomes an IPS. An equally great number buy some IPS or other, and find out the hard way that they don't block a 0-day or a new worm..... > So what are the IDPS-ses you recommend? I recommend buying one that you're able to get your brain wrapped around what the unit *can* and *cannot* do for you. A less functional unit that you understand fully is a better choice than a top-of-the-line whizz-bang-3000 that you have no clue about its actual abilities. Quite frankly, anybody who already has a PIX installed and wants to install an IPS needs to quantify *exactly* what protection the PIX is failing to provide before they go shopping for anything.
Attachment:
pgpjUmxP9soSH.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/