| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200509281009.j8SA9NRL030834@turing-police.cc.vt.edu> Date: Wed Sep 28 11:09:37 2005 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Suggestion for IDS On Wed, 28 Sep 2005 11:48:06 +0200, Peer Janssen said: > Really? Is there no software package capable of withholding inspected > packages until cleared by said IDS? All depends on the inbound packet rate, how fast the IDS is, and how much RAM you're willing to buy. Just remember that a sufficiently long queue is in itself a denial of service... ;) > Dropping packets, closing ports and resetting connections (besides > logging, maybe notifying users) look like natural useful reactions to > the detections deliverad of an IDS to me. Just remember to configure the thing sensibly - it's amazing how many people manage to shoot themselves in the foot, and find out the hard way that yes, Virginia, there ARE people out there that will forge packets with the source IP address of the victim's nameserver... ;) > Or are we just talking about definitions (regarding the "D" in IDS), > instead of talking about IDPS-ses which the OP clearly seems to imply? > (P for prevention) It's *very* important to talk about definitions - there's waaay too many people who buy an IDS and think that by hooking it to the net, it magically becomes an IPS. An equally great number buy some IPS or other, and find out the hard way that they don't block a 0-day or a new worm..... > So what are the IDPS-ses you recommend? I recommend buying one that you're able to get your brain wrapped around what the unit *can* and *cannot* do for you. A less functional unit that you understand fully is a better choice than a top-of-the-line whizz-bang-3000 that you have no clue about its actual abilities. Quite frankly, anybody who already has a PIX installed and wants to install an IPS needs to quantify *exactly* what protection the PIX is failing to provide before they go shopping for anything. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050928/a5bad744/attachment.bin
Powered by blists - more mailing lists