Which method/approach is better. From my understanding, the trends are towards Inrusion
Prevention System. What you guys think about?
One more..where can I get resource(esp tech. paper) on intrusion prevention.
adios
Printable View
Which method/approach is better. From my understanding, the trends are towards Inrusion
Prevention System. What you guys think about?
One more..where can I get resource(esp tech. paper) on intrusion prevention.
adios
IMO, if you have an IDS program on your box it goes hand in hand with intrusion prevention. With the IDS installed and properly configured, it should prevent intrusion.
I don't have a paper I can attach to this post but if you go to this address
you can find what your looking for ;) :
http://rr.sans.org/intrusion/intrusion_list.php
Remote_Access_
I agree with RemoteAccess Intrusion Detection and Intrusion Prevention are meant to complement each other. Together they form the basis of any good security policy.
I also have to agree with RA....
intrusion prevention can be a broad term..technically a firewall can be considered intrusion prevention right? The way I look at it is every piece of security you add to your network makes it harder for an attacker to get in....thus it is all intrusion prevention.
The real decision IMO is NIDS vs HIDS....but you can read my breakdown in the post in this forum located here:
http://www.antionline.com/showthread...hreadid=218737
I'll go with RA and iNViCTuS here. prevention is part of it.
I think that having one with out the other is pointless. Prevention is good but if you don't know someone is trying to hack into your system is only a matter of time before prevention fails you.
yes.....you guys are right..but what actually intrusion prevention system (IPS) does??
can someone provides me the definition of IPS...
below is my definition of IPS
"IPS are software specifically designed to recognize security weaknesses, prioritize the
vulnerabilities and help admins correct the situation. Some IPS report a vulnerability while
others prevent the vulnerability from being exploided."
This should sum things up about IDS. This definition was taken from webopedia.
Intrusion Detection System
Last modified: February 5, 2002
An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.
There are several ways to categorize an IDS:
Misuse detection vs. Anomaly detection: In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network’s traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.
Network-based vs. Host-based systems: In a network-based system, or NIDS, the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall’s simplistic filtering rules. In a host-based system, the IDS examines at the activity on each individual computer or host.
Passive system vs. Reactive system: In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
Though they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.
IMO, intrusions and attacks can easily prevented if you've taken proper precautions. Don't download unknown e-mail attachments, suspicious file types, etc. Here's a paper on intrusion prevention. Hope this helps.. ;)
Remote_Access_
IDS = Intrusion Detection System... I emphasize DETECTION... NOT prevention. An IDS is going to let you know an intrusion took place (Past tense), if you had an IDS alert, and of that intrusion was sucessful, you'll already be screwed and your corporate ass was skinned already. Only by careful correlating with the logs (provided that THESE weren't meddled with), would be the ONLY way you could tell.
You would need a Proactive system. Like what our Crunchbox can do. http://shopip.com has a link that allows you to play with such a system. What this means, is that when the IDS is "triggered", only the ATTACKER is instantly blocked, so their attempt will be un-sucessful.
An IDS coupled with an automatically configurable firewall is going to stop most attacks. But most IDS sytsems do NOT communicate with the firewall and take instant action.
John
Shopip
Wow!!!! The legendary Captain Crunch....no way....
I have seen the article about your CrunchBox in a security magazine "Information Security" maybe?....can't remember. I am very excited about getting to try it. I work for a consulting company and we are looking for a good NIDS box to market. Let me know if you are interested in giving us some info on it....I will email you my contact info.
BTW...i loved your tv special about "hackers" with Woz and Mitnick....
capn crunch was my fav cereal as a kid. :) Product looks good.
iNViCTuS - I tried to Email you, but it bounced. Email to me: crunch@shopip.com if you want to talk to me privately.
Whoa.. it's THE Captain Crunch.. What an honor. One of the worlds greatest hackers/phreaks of all time. If for some odd reason there's some one who dosen't know who John Draper is, here's a link to his site: http://www.webcrunchers.com/crunch/P...tory/home.html
I look forward to reading more of your post and threads.
Regards,
Remote_Access_
I have to say. It's an honor to finally meet Cap'n Crunch. And here at our own AO Forums! Well Cap. . . . Just wanted to say Welcome. I hope you enjoy ur stay here at AO. Looking forward to reading your posts. Take care.
- Rogue :firedevil
RogueSpy here is another link you may need. www.chapstick.com
Nobody like their ass kissed with chapped lips....
Bite me Quad! :P
Thanx, I'm honored to be here, but tommorrow I travel to Instanbul Turkey to speak at a security conference. So not sure if I'll have an opportunity to particiapte while on my trip. Perhaps when I get to Amsterdam, I might have time to do this.
Crunch
Captian....Nice to see a fellow Californian here. Stockton huh....nice place. I am here from Sacramento.