Focus on IDS
IDS causing troubles Feb 01 2011 09:53AM
Shang Tsung (shangtsung71 gmail com) (9 replies)
Re: IDS causing troubles Feb 15 2011 03:23PM
Joel Esler (joel esler me com) (1 replies)
On Feb 11, 2011, at 2:14 PM, Joel Jaeggli wrote:

> On 2/11/11 10:23 AM, Matthew Fitzgerald wrote:
>> Joel, it's inline because prevention requires intervention.
>
> It doesn't actually require that, plenty of ips systems can do their job
> with a tap and another port for injection.

I personally don't refer to that kind of a device as an IPS. I refer to that as a "reactionary IDS". For instance, if the goal is to send a RST packet back to the SRC IP that caused the IDS to alert, then the RST packet has to beat the /actual/ ACK packet from the true DST IP back to the machine. This is essentially, for lack of a better term, a "race". This does not control traffic. Plus, it gives away the hop location of your IDS within the network to the attacker. I think if you are going to try and control traffic the much preferred method of doing so is an IPS. Traffic goes in one port, and it exits the other port. While the traffic is inside the machine, the IPS makes the decision if the traffic should exit the other port, or it shouldn't. That's a more controlling machine, thusly an IPS.

> the fact of the matter is if the ids can't keep up with the presented
> load that's going to be a problem whether it's inline or presented
> through a tap, in the latter case however it's not going to cause an outage.

True points there. However, if you purchase an IPS that is correctly spec'ed for your network (i.e. not putting a 1Gig IPS on a 2Gig link) you should have little problem being able to handle the traffic. It's mostly a software/hardware problem.

If you get a big enough box that is appropriately sized to handle the traffic, you should be able to perform the IPS function properly. Although I've seen wide variances in this. I've seen a 2Gig box do 4Gig/second of traffic, and I've seen a 10Gig box do 2 Gig/second of traffic. Test.

--
Joel Esler
http://www.joelesler.net
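
The RST-versus-ACK race described in the message above, written out as a timing model and set beside the inline case. This is an added example, not part of the original post; the field names and all delay values are constructed assumptions, and only the packet ordering the message describes is modelled.

```python
"""Tap-fed sensor injecting a TCP RST versus an inline IPS, as a timing model.
All delays are constructed sample values in milliseconds, not measurements."""
from dataclasses import dataclass

@dataclass
class Path:
    src_to_sensor: float   # one-way delay from SRC to the tap / inline point
    sensor_to_dst: float   # one-way delay from the tap / inline point to DST
    dst_turnaround: float  # time DST needs to emit its ACK
    detect: float          # sensor time from seeing the packet to a verdict

def detection_budget(p: Path) -> float:
    """Longest verdict time for which an injected RST still reaches SRC first."""
    return 2 * p.sensor_to_dst + p.dst_turnaround

def passive_rst(p: Path) -> dict:
    """Tap plus injection: the sensor works on a copy, the original keeps moving."""
    seen = p.src_to_sensor
    pkt_at_dst = seen + p.sensor_to_dst                 # nothing holds the packet
    ack_at_src = (pkt_at_dst + p.dst_turnaround
                  + p.sensor_to_dst + p.src_to_sensor)  # genuine reply from DST
    rst_at_src = seen + p.detect + p.src_to_sensor      # injected at the tap
    return {"packet_reached_dst": True,                 # true whoever wins the race
            "rst_at_src": rst_at_src,
            "ack_at_src": ack_at_src,
            "rst_beats_ack": rst_at_src < ack_at_src}

def inline_ips(p: Path) -> dict:
    """Inline: the packet waits in the box until the verdict, then is dropped."""
    return {"packet_reached_dst": False,
            "verdict_at": p.src_to_sensor + p.detect,
            "latency_added_to_forwarded_traffic": p.detect}

if __name__ == "__main__":
    # Constructed scenario: sensor sits close to DST, far from SRC.
    for detect in (0.3, 2.0):
        p = Path(src_to_sensor=5.0, sensor_to_dst=0.2,
                 dst_turnaround=0.1, detect=detect)
        r = passive_rst(p)
        print(f"detect={detect}ms budget={detection_budget(p):.1f}ms "
              f"rst@src={r['rst_at_src']:.1f} ack@src={r['ack_at_src']:.1f} "
              f"rst_wins={r['rst_beats_ack']} "
              f"reached_dst={r['packet_reached_dst']} "
              f"inline_reached_dst={inline_ips(p)['packet_reached_dst']}")
```

In this model the SRC-side delay cancels out of the race, so the sensor's budget is set entirely by its distance from DST and by how fast DST answers.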

Copyright 2010, SecurityFocus