IPS!! Intrusion prevention systems
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: IPS!! Intrusion prevention systems

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    9

    IPS!! Intrusion prevention systems

    hey fellows

    jus read a paper on the new IPS ie intrusion prevention systems. how practical are they??
    how good are they??

    as the white paper said it was a better chioce than teh conventional intrusion detection systems.
    lemme know some of ur thoughts?? i guess that should the opt today in the networks today

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    You may want to read this existing thread. I think it covers what you are after.
    http://www.antionline.com/showthread...hreadid=221668
    Hope this helps.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    From what I have read, it seems like nothing more then a company trying to make a new buzz word. Basically just an IDS and a firewall combined in one product. Maybe there is more to it then that, but thats the feeling that I have gotten from what I have seen.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    When I think of "IPS" I think of a traditional IDS system with the ability to take action against a live attack. As we know, when an IDS is triggered, there has been an attack and you are being made aware of a comprimise but when an IPS is triggered, it has taken some pre-defined steps to thwart the attack.

    Anyway, that's how I categorize the two.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    I agree with that differentiation between IDS and IPS. Here is a quote from SecureWorks who claim to have "pioneered" IPS:

    The heart of SecureWorks' Intrusion Prevention Service is our ability to prevent malicious network attacks. Traditional Internet security services are reactive and merely detect attacks, notifying the network administrator after the damage has already been done.
    While I agree that one could argue that its semantics or just a buzzword I think that it represents a logical next step in the evolution of the technology. If I can have my "IDS" not only alert me but also protect the network by initiating proactive measures to block an attack I would rather have that over the simple alert notification.

  6. #6
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    so could this be easily done by dropping the malicous packets/data?
    are we going to see IPS kernel patches, etc... anytime soon?

    -that would be kind of neat...

    [off subject]
    btw- tonybradley, sorry about being harsh earlier about the spam...
    you seem like an OK fella! c-ya around
    [/off subject]
    yeah, I\'m gonna need that by friday...

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Good post Tony,

    Let me play Devil's advocate for one moment on this topic.

    I did a proof of concept with IPS systems for a very large facility (10,000 + users). The network architecture included hundreds of routers, switches and a handfull of firewalls. Now, Cisco makes IDS/IPS products and since we tend to lean towards their products, we picked the 4250 series IDS/IPS appliance for our test.

    THE RESULTS
    =====================
    Since I know the canned countermeasures that the IPS will perform (easily obtained from Cisco), I can actually cause a DOS attack using the organization's IDS/IPS system. Since about 75% of all attacks come from inside your firewall, you can imagine what one can do to routers when tripping the IPS. In my case, the IPS noted that it sensed an attack, wrote it to the log and it pushed out changes to some core routers to fend off the attack. The changes shutdown web access. In the end, I had to manually go back and reset the rules on all the routers to restore internet connectivity.

    Now with carefully designed organizational procedures, the downtime will be minimal. I just like to cover every angle as it really sucks to be nailed with scenarios like this from top management and not have a suitable response ready.

    Anyway, hope this helps out!

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    There is a product out there called ForeScout that is an IPS that works in a slightly different way which you may find of interest.

    The way it works is that it sits monitoring the incoming traffic outside the firewall looking specifically for the reconnaisance phase of an attack. What it then does is send false information back to the attacker and logs the attacker and the kind of information it sent back. It then sits and watches any contact with the "services" it had misrepresented. Since the "services" don't exist they can _only_ be as a result of the attackers reconnaisance and therefore can only be an attempt at further reconnaisance or an exploit itself. Thus it resets the connections and can call a Checkpoint, (I believe), firewall and block the offending IP.

    You will note that at no time does it rely upon attack signatures bit more interestingly on reconnaisance signatures. It's response is entirely dependant upon the misinformation gleaned by the reconnaisance therefore technically is a proper defense against zero-day exploits and well known ones.

    I have read more deeply about it and spoken with one of their reps. I do not know how well it works nor do I really wish to experiment with it..... Just thought you might like to know it's there and it is technically viable protection.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Yeah, I have seen appliances that respond exactly the way you have described. I should have noted that you can setup the Cisco appliance to operate in this mode too. Unfortunately, you will need two of them should you want to filter internal and external traffic. Good info Tiger!
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    Isn't IPS just a fancy way of saying Firewall? any how...it can't be much more than either a firewall or an IDS with an Automatic IP Block function.....hmm...might be a system hardener though..I dono...too late to Google it now...going to bed... I'll look over ittomorow If I get time.

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •