Focus on IDS
Excluding the bulk of UDP from IPS processing - What's the impact? Aug 26 2009 12:16PM
Bikram Gupta (bikramkgupta gmail com) (2 replies)
RE: Excluding the bulk of UDP from IPS processing - What's the impact? Aug 26 2009 08:06PM
Addepalli Srini-B22160 (saddepalli freescale com) (1 replies)
I imagine that you want to reduce the load on IPS.

If you are looking to protect any UDP Servers such as IKE, NFS, SIP,
L2TP etc.., it is typically expected that IPS inspects the traffic of
UDP sessions that were initiated by un-trusted machines. Since many IPS
devices are stateful in nature, it is necessary to send packets from
both client-to-server and server-to-client of these sessions to IPS
devices. That is, I don't think sending the Out-to-in traffic alone is
not good enough due to statefulness of IPS devices. If IPS device is
inline with the firewall, then I guess it is not a problem as it gets
hold of all packets anyway. But, if it offline IPS device, then firewall
should have intelligence to pass traffic of these sessions to IPS
device.

Thanks
Srini

+++++++++++++++++++++++++++++++
Srinivasa Rao Addepalli
Chief Software Architect
Software Products Division
Freescale Semiconductor Inc.

Ph: 408-904-2761
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
On Behalf Of Bikram Gupta
Sent: Wednesday, August 26, 2009 5:17 AM
To: focus-ids (at) securityfocus (dot) com [email concealed]
Subject: Excluding the bulk of UDP from IPS processing - What's the
impact?

Scenario: Perimeter IPS deployment, with Stateful firewall at the egress
point.

Traffic from out to in: Firewall will block all unsolicited UDP ports.
For the UDP ports where traffic is allowed (RTP data etc) through
firewall, do I have to pass it though IPS engine? Will there be cases
of exploits in such cases? Some examples please.

Traffic from in to out: I believe IPS processing for UDP flows must be
enabled here.. to detect some of the p2p, IM, skype, trojan etc
traffic.

I am trying to understand the impact, if I bypass the UDP flows from
IPS device? Can this be done realistically for some UDP traffic
(in->out, out->in), or NONE?

Thanks a lot.

Bikram

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server, you
can securely collect sensitive information online, and increase business
by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a

17f194

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]
Re: Excluding the bulk of UDP from IPS processing - What's the impact? Aug 27 2009 11:26AM
Bikram Gupta (bikramkgupta gmail com) (1 replies)
RE: Excluding the bulk of UDP from IPS processing - What's the impact? Aug 28 2009 05:42PM
Addepalli Srini-B22160 (saddepalli freescale com)
Re: Excluding the bulk of UDP from IPS processing - What's the impact? Aug 26 2009 07:18PM
Jamie Riden (jamie riden gmail com) (1 replies)
Re: Excluding the bulk of UDP from IPS processing - What's the impact? Aug 26 2009 09:39PM
Joel Jaeggli (joelja bogus com)


 

Privacy Statement
Copyright 2010, SecurityFocus