RE: [Snort-users] Re: [Snort-devel] IDS vs IPS

From: Frank Knobbe <frank(at)knobbe.us>
Date: Fri Aug 22 2003 - 11:14:39 EDT

On Fri, 2003-08-22 at 08:35, Bob Walder wrote:
> My 0.02 worth is that a Network IPS (NIPS) is a device with two

Yup, I go with that. I actually like to refer to Snortsam as an Intrusion Reaction System, but IRS seems to have a negative ring to it :) How about Intrusion Containment Systems? ICS? Yeah, that's it.

However, my arm has been twisted to call it an IPS. Yes, it doesn't prevent the first packet from intruding (say a packet to tcp/135), but once detected, it will prevent further communication with the intruder, thus preventing him from doing further damage (i.e. shell commands). Depending on the signature you could also contain the target. Where Snortsam shines is the ability to contain that source/target on all you firewalls. So if a server in the DMZ gets infected with Blaster, you could have Snortsam reconfigure your DMZ firewall. If a laptop of a vendor is detected spitting out Blaster, you could have all your firewalls be configured to isolate that laptop from the rest of your enterprise.

Snortsam lacks the store'n'forward approach of the normal IPS's (as you just defined). But those are only single enforcement points. Snortsam can interact with multiple enforcement points. (i.e. if someone attempts an exploit on a server in London, you could have him blocked on your firewalls in London, New York, L.A., Madrid, Tokyo, etc).

Anyhow, just wanted to say that your definition of an IPS was right on.

Cheers,
Frank

---

This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0

---

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-develReceived on Fri Aug 22 11:23:45 2003