Shall we define "firewall" and "network" while we're at it :)

I don't think anything more than a general concept is possible.

Surely, tripwire is an IDS of one type - a file integrity checker that detects changes that may be made after an intrusion. Well, actually, it could detect a change before an intrusion - a modified root .profile for example. (One could argue that a system having a root .profile with permissions allowing this sort of thing is a system that is already compromised but the same argument could be made about a system with an old version of wu-ftpd running. :)

While IDS products that trigger on network traffic can certainly be more proactive because the bad guys are still knocking at the door, if they detect a successful wu-ftpd exploit they are no more proactive than tripwire detecting an inetd.conf change or an AV product detecting Subseven. Hmm, actually at least the AV product stops Subseven from running.

If the IDS system blocks the traffic associated with the wu-ftpd exploit, then we're talking about a Prevention system and we delve into another round of definitions. One could say a firewall should do this...or a device that blocks such an exploit IS a firewall with an intelligent ftp proxy :)

Whether the IDS detects a successful wu-ftpd exploit or tripwire detects the signature of a root-kit, someone has to be notified. Scripts are wonderful things that can make something simple like tripwire into something much more dynamic and proactive.

The key is to detect an intrusion and tell someone about it. Defense in depth.

One more issue to consider is that a signature-based IDS is just as vulnerable to a rapidly spreading new threat as is AV software. A new worm using a new exploit is going to go through either of them like water through a sieve.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
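The "detect a change and tell someone" loop described in the message above, as an added example that is not part of the original post and is not tripwire's own code. It flags both the post-intrusion case (a changed inetd.conf) and the pre-intrusion case (a root .profile that others can write to); the function names, alert format and sample files are assumptions constructed for illustration.

```python
import hashlib, os, pathlib, stat, tempfile

def snapshot(paths):
    """Record (SHA-256, permission bits) per watched file; None if absent."""
    snap = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            snap[p] = (digest, stat.S_IMODE(os.stat(p).st_mode))
        except FileNotFoundError:
            snap[p] = None
    return snap

def compare(baseline, current):
    """Return (path, reason) findings: changes since baseline plus risky modes."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if (old is None) != (new is None):
            findings.append((path, "removed" if new is None else "created"))
        elif old is not None:
            if old[0] != new[0]:
                findings.append((path, "content changed"))
            if old[1] != new[1]:
                findings.append((path, "mode changed to %o" % new[1]))
        # Pre-intrusion condition: the file can be modified by non-owners.
        if new and new[1] & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group/other"))
    return findings

def notify(findings, send=print):  # send: any delivery callable (mail, syslog)
    for path, reason in findings:
        send("INTEGRITY ALERT %s: %s" % (os.path.basename(path), reason))

def demo():
    """Run the check on constructed stand-ins for inetd.conf and root's .profile."""
    with tempfile.TemporaryDirectory() as t:
        inetd, profile = pathlib.Path(t, "inetd.conf"), pathlib.Path(t, ".profile")
        inetd.write_text("ftp stream tcp nowait root in.ftpd\n")
        profile.write_text("PATH=/usr/bin\n")
        for p in (inetd, profile):
            p.chmod(0o644)
        baseline = snapshot([inetd, profile])
        inetd.write_text("ftp stream tcp nowait root in.ftpd\n# constructed edit\n")
        profile.chmod(0o666)  # simulated permission weakening after the baseline
        return [(p.name, r) for p, r in compare(baseline, snapshot([inetd, profile]))]

if __name__ == "__main__":
    notify(demo())
```

The baseline is only as trustworthy as where it is stored, so keep it somewhere the monitored host cannot write to.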
