hi!

i will, but i have my hands full with Fedora Directory Services.
Thanks for your vaiuable input.

God bless.

Some past presentations and thoughts on IPS

I wrote a full-blown, anomaly-detection HIPS for Linux with automated response and also have done a lot of work both developing and deploying NIDS in the past. I have a strong bias AGAINST NIPS. The network is just not the place to detect most kinds of attacks. That being said, certain aspects of network behavior are easy to monitor and detect abnormal traffic that is highly indicative of worm activity etc., and there are systems like Arbor's Peakflow X that do that and implement semi-automated responses to limit the spread of the worm. Understand that such detection of worm activity does not require deep inspection of the network packets.

Implementing any kind of "deep inspection" and "protocol verification/anomaly detection" requires a large amount of error prone code to implement (how many vulnerabilitiese have been found in Snort, tcpdump and BlackICE/RealSecure?). More code means more bugs, which highly correlates to the presence of vulnerabilities. I will ask this question: why greatly increase your attack surface to detect known vulnerabilities? Some additional attack surface may be worthwhile to detect unknown attacks, assuming that a suitable automated response can stop the attack before it delivers its payload. The following link is to the archive of my presentation on the need for automated response from Black Hat 2004:
http://www.blackhat.com/presentation...-brezinski.zip
This link is a great talk from Eugene about circumventing some ill-conceived HIPS technology:
http://www.blackhat.com/presentation...syrklevich.pdf

I think certain forms of HIPS are very valuable as a layer of defense against unknown attacks, but there are only a few technological approaches that make sense and are not easily defeatable. Few of the commercial products meet that bar currently. Soem of the products will get better.

One thing that you should be clear on is that with IPS you are often trading sacrified availablity for protection against a compromise of integrity. A real world example was a worm that exploited a vulnerability in the RPC server service in Windows, and a certain commercial HIPS product detected the exploitation and killed the RPC server process. Windows automatically reboots a short while after it detects the RPC server process has died, which means the HIPS' response caused most of the Windows machines in an organization to do rolling reboots as long as the worm was active in the network. The HIPS did keep the worm from infecting the protected hosts, but the hosts were totally unuseable until the worm was entirely erraticated from the network.

I've only been using SNORT for a few weeks, as I get about ten people a week try to hack into my CS server. McAfee seemed to be useless to me, as all it did was restrict internet access and potential virus d/'s (which were actually just normal programs). SNORT automatically looks into the potential malicious strings and sorts them out without me having to worry.

ITS SEXY.