From: Josh B. <jos...@li...> - 2005-05-17 15:20:32
Snort-Inline just blocks the malicious portion of a stream of packets. It does not create firewall rules to block for an amount of time unless you configure it to do so. By default it only blocks that malicious content, so if you are spoofing an address you cannot create a DoS situation unless you overload the IPS device, because it is only dropping those malicious packets (instead of everything from that network and/or IP address). Or at least that is my understanding.

> Hi
>
> I am new to IPS and I have been doing some research to try to
> understand what is the most effective way to deploy IPS. I read this below
>
> There can be problems introduced by IPS and the primary one is comprised
> of a denial of service attack. For example, if I know a specific IP
> address is running an active intrusion blocking system, I can spoof an
> attack from Microsoft and Google, which the active IPS will respond by
> putting the appropriate IP addresses into a block list, either timed or
> permanent, depending on the configuration. As if that's not bad enough,
> what if I could cause it to block out your upstream DNS? Or a zone
> server? Or your upstream router? Yes, I can find that out with a
> traceroute. Or your default gateway? I can guess that one in 255
> attempts. This has traditionally been why network admins have been
> reluctant to install active intrusion blocking. Perhaps SonicWall has
> mitigated all of these risks. I would want to know this before I
> implemented one.
>
> If attacks can be made be utilising I have one simple question is it
> easier or more effective to deploy IPS on a bridge or a router?
>
> chris
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users

--
Thanks,
Josh Berry | CISSP GCIA
Principal Engineer
LinkNet Security Solutions
469-831-8543
jos...@li...