I wanted to know your feelings on prevention vs. detection. It seems like both have their strengths and weaknesses; what offers the best trade-off?
-
Re: Intrusion Prevention vs. Intrusion Detection
Tue, November 8, 2005 - 2:58 AM
It's Gartner bullshit. :)
There is no PREVENTION. Call it Intrusion REACTION to be more precise...
This is actually dangerous... because it can lead to denial of service attacks. Do something that triggers the intrusion reaction system and it decides to shut down the network... :)
Gilles. -
-
Re: Intrusion Prevention vs. Intrusion Detection
Tue, November 8, 2005 - 9:47 AM
Yeah, I was wondering about that. Some marketing guy at 3Com told me their device fails open; it freaks me out a little bit when you think about the 3Com IPS using AI to detect anomalies. -
-
Re: Intrusion Prevention vs. Intrusion Detection
Tue, November 8, 2005 - 11:32 AM
They "fail open" when the device can't keep up with the inspection of the traffic it's passing - it just stops blocking stuff under high traffic load. So if you find an attack blocked by an IPS, just be sure to combine it with a DDoS and you should be set.
IPSes are *occasionally* useful. But their limited usefulness should be weighed against the possibility of DoSing yourself and the risk of introducing another point of failure into your network. -
-
Re: Intrusion Prevention vs. Intrusion Detection
Tue, November 8, 2005 - 12:14 PM
What about these guys www.trustednetworktech.com/iden...w.htm they seem to make a pretty cool network appliance. It seems like a ton of work to install all of the drivers, but it uses the window field in TCP headers to insert encrypted identity data. I don't know how you would be able to install the drivers on switches and copier machines on a network, but it looks like it might be a better alternative to strengthen a network. -
-
Re: Intrusion Prevention vs. Intrusion Detection
Tue, November 8, 2005 - 12:23 PM
I will never use any appliance. I like to build my own things and read the source code before I install it. If it is not open source, forget about it.
I am not running it on any critical device. -
-
Re: Intrusion Prevention vs. Intrusion Detection
Tue, November 8, 2005 - 12:40 PM
< like to build my own things and read the source code before I install it>
Do you really read the source code on everything you install? -
-
Re: Intrusion Prevention vs. Intrusion Detection
Tue, November 8, 2005 - 12:58 PM
Indeed, I get paid for it.
-
Re: Intrusion Prevention vs. Intrusion Detection
Tue, November 22, 2005 - 10:17 PM
I think it depends - I hope nobody's using intrusion reaction, if you will, as a replacement for keeping systems patched and other good security patches, but there isn't a technical fix in the world right now that can keep every single [laptop] user from bringing malware into your network.
So call it EXtrusion reaction. Ideally it'd clamp down on the switch port of any system that's spewing nasties onto the network.
-
-
Re: Intrusion Prevention vs. Intrusion Detection
Sun, November 20, 2005 - 1:03 PM
I run a small network (about 50 nodes) with an open-source based IDS/IPS just inside of the NAT/firewall. Mainly I use it for detecting malware that people have brought into the network on their laptops. I hate laptops. The only prevention it does is to cut off connections on overtly and obviously dangerous stuff like in backdoors.rules. -
-
Re: Intrusion Prevention vs. Intrusion Detection
Mon, November 21, 2005 - 12:39 AM
Hi Alex, which one do you use, snort? -
-
Re: Intrusion Prevention vs. Intrusion Detection
Mon, November 21, 2005 - 3:01 PM
I think we all use snort, whether it's normal snort or some hacked snort-in-a-box. I'd wager that snort and snort hacks are now as ubiquitous in the IDS field as spamassassin is in email filtering. You may have bought some appliance and not know what's in it, but... -
-
Re: Intrusion Prevention vs. Intrusion Detection
Mon, November 21, 2005 - 3:36 PM
I agree, I think snort is the best.
I myself have written some small modules for it that we use here.
-
-
Re: Intrusion Prevention vs. Intrusion Detection
Tue, November 22, 2005 - 10:12 PM
Yeah, just vanilla snort on an OpenBSD box. -
-
Re: Intrusion Prevention vs. Intrusion Detection
Wed, November 23, 2005 - 11:52 PM
Any of you have experience with ACLs on a Cisco router?
I need to disable all NetBIOS traffic except to/from one host (the only one allowed).
Thanks. -
-
Re: Intrusion Prevention vs. Intrusion Detection
Sat, November 26, 2005 - 12:11 PM
Warning: the last time I worked with router ACLs was back when they were made of bronze and used a waterwheel for power. That said...
Wouldn't the normal way to do that be to allow all netbios traffic to the one server, allow all netbios traffic from the one server, and then to deny all netbios traffic? I'm incredibly rusty and just taking a guess here, but most routers will go down their rules list and obey the first thing that matches, and if nothing matches it falls through to the default (DENY ALL in this case). -
-
Re: Intrusion Prevention vs. Intrusion Detection
Sun, November 27, 2005 - 10:46 AM
Yes, I remember that; just looking for input on the topic to see if someone comes up with a simpler way. Thanks. -
-
Re: Intrusion Prevention vs. Intrusion Detection
Wed, February 1, 2006 - 8:30 PM
Yes, I'm familiar with Cisco ACLs (it's a large part of what I do at work, in fact). The previous reply was correct - ACLs are processed top down and stop at the first match, so you have to put more specific rules before more general rules. Also, there's an implicit "deny any any" at the end of all ACLs, so you don't need to put your own deny at the end if you don't want to (though some people like to for a variety of reasons).
Back to the main topic of the thread, I always thought the name "Intrusion Prevention" was a little odd anyway, since that's what I always thought firewalls were supposed to do. I'm generally not the biggest fan of IPS/IDS boxes, but see more value in well placed and monitored IDS than I do in IPS. Just my $.02.
HTH
-
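The ordering the two ACL replies describe (specific permits for the one host first, the general NetBIOS deny after them, implicit deny at the end), written out as an added example that is not from any poster. Assumptions: the allowed host is 192.0.2.10 (placeholder), the ACL is applied inbound on the LAN-facing interface FastEthernet0/0, and TCP 445 is included alongside the classic 137-139 ports.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10, FastEthernet0/0.
ip access-list extended NETBIOS-ONE-HOST
 remark -- specific rules first: first match wins, so these must precede the denies
 remark -- traffic TO the allowed host (destination host + destination port)
 permit udp any host 192.0.2.10 range 137 138
 permit tcp any host 192.0.2.10 eq 139
 permit tcp any host 192.0.2.10 eq 445
 remark -- traffic FROM the allowed host (source host + source port, i.e. its replies)
 permit udp host 192.0.2.10 range 137 138 any
 permit tcp host 192.0.2.10 eq 139 any
 permit tcp host 192.0.2.10 eq 445 any
 remark -- general deny: matched by source OR destination port so both directions are covered
 deny   udp any range 137 138 any
 deny   udp any any range 137 138
 deny   tcp any eq 139 any
 deny   tcp any any eq 139
 deny   tcp any eq 445 any
 deny   tcp any any eq 445
 remark -- without this line the implicit "deny any any" would drop ALL other traffic too
 permit ip any any
!
interface FastEthernet0/0
 ip access-group NETBIOS-ONE-HOST in
```

Check the result with `show access-lists NETBIOS-ONE-HOST`: the per-line match counters show which rule traffic is actually hitting, which is how you catch a permit placed after the deny that shadows it.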