On 7/26/05, Swift, David <[EMAIL PROTECTED]> wrote:
> And how would you propose to block something you can't detect?
>
> IPS actions are always on patterns of data, either packet level, or
> based on anomalous behavior (statistical, historical, protocol...).
>
> To argue otherwise is incomprehensible.
>
why -not- block something you can't understand? why are we giving up on using tools other than firewalls/IPS (i prefer 'layer 7 firewall' to 'ips')? handshaking does exist beyond TCP...applications, authentication protocols, etc. all have 'handshakes'. if you authorize enough basic application traffic (i'll bet most of us use only a handful of applications anyway), i think you'll probably close many gaps. IPS/layer7 firewall isn't the answer, but something must be out there for this purpose.

On 7/26/05, Swift, David <[EMAIL PROTECTED]> continues:
> RDP is an allowed protocol to Windows. A Null Session is perfectly
> legitimate to Windows operating system. CAT /ETC/PASSWD is a
> perfectly valid Unix command.

you've lost me here...are you saying that just to jam a square technology into a round role? you'd allow any access to /etc/passwd from the outside into your DMZ? from a non-administrative workstation to a server? i wouldn't. why not block traffic you're not supposed to see? yes, block requests to /etc/passwd (and other naughty actions) across all ports from the outside world into your dmz. why wouldn't you?

/will
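The approach argued in the post above (authorize a handful of known application handshakes between zones, deny everything else by default, and deny requests naming /etc/passwd across all ports from untrusted zones) can be sketched as a small policy engine. The following is an added illustration written for this page, not code from the thread or from any product; the zone names, the handshake recognisers, the policy table and the sample sessions are all constructed.

```python
"""
Toy layer-7 allow-list filter (added illustration, not from the thread).

Three ideas from the discussion are modelled:
  1. applications are identified by their opening handshake, not by port;
  2. each (source zone, destination zone) pair may open only listed apps,
     and an unrecognised handshake is denied by default;
  3. a content rule denies any request naming /etc/passwd, on any port,
     unless the flow originates from the (hypothetical) admin zone.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One client-initiated session as the filter sees it (constructed sample)."""
    src_zone: str   # hypothetical zone names: outside, workstation, admin, dmz, server
    dst_zone: str
    dst_port: int
    payload: bytes  # first client-to-server bytes of the session


# Opening-handshake recognisers for the few applications the policy knows.
# Identification is by what the client says first, not by destination port.
HANDSHAKES: Dict[str, re.Pattern] = {
    "http": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
    "ssh":  re.compile(rb"^SSH-2\.0-[^\r\n]+\r?\n"),
}

# Which applications each (source zone, destination zone) pair may open.
# Any pair or application not listed here is denied (default deny).
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("outside", "dmz"):        frozenset({"http"}),
    ("workstation", "server"): frozenset({"http", "ssh"}),
    ("admin", "server"):       frozenset({"http", "ssh"}),
}

# Content rules checked on every non-admin flow regardless of port or app.
DENY_CONTENT: List[Tuple[str, re.Pattern]] = [
    ("request names /etc/passwd", re.compile(rb"/etc/passwd")),
]


def identify_application(payload: bytes) -> Optional[str]:
    """Return the application whose handshake opens the payload, or None."""
    for name, pattern in HANDSHAKES.items():
        if pattern.match(payload):
            return name
    return None


def decide(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason); the most specific reason wins."""
    if flow.src_zone != "admin":
        for label, pattern in DENY_CONTENT:
            if pattern.search(flow.payload):
                return ("deny", f"content rule: {label} (port {flow.dst_port})")
    app = identify_application(flow.payload)
    if app is None:
        return ("deny", "unrecognised application handshake (default deny)")
    allowed = POLICY.get((flow.src_zone, flow.dst_zone), frozenset())
    if app not in allowed:
        return ("deny", f"{app} not authorised from {flow.src_zone} to {flow.dst_zone}")
    return ("allow", f"{app} authorised from {flow.src_zone} to {flow.dst_zone}")


# Constructed sample sessions exercising each rule.
SAMPLE_FLOWS: List[Flow] = [
    Flow("outside", "dmz", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Flow("outside", "dmz", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Flow("outside", "dmz", 8080, b"GET /etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
    Flow("outside", "dmz", 22, b"SSH-2.0-sampleclient\r\n"),
    Flow("outside", "dmz", 80, b"\x00\x01\x02garbage"),
    Flow("workstation", "server", 22, b"SSH-2.0-sampleclient\r\n"),
    Flow("workstation", "server", 80, b"GET /etc/passwd HTTP/1.1\r\n\r\n"),
    Flow("admin", "server", 22, b"SSH-2.0-sampleclient\r\n"),
]


def run_samples(flows: List[Flow] = SAMPLE_FLOWS) -> List[str]:
    """Decide each sample flow, print an audit line, and return the verdicts."""
    verdicts = []
    for flow in flows:
        verdict, reason = decide(flow)
        print(f"{verdict:5} {flow.src_zone}->{flow.dst_zone}:{flow.dst_port}  {reason}")
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    run_samples()
```

The order of checks matters: the content rule runs before the handshake check so that a denied request is logged with the specific reason rather than the generic default-deny one, and it is keyed on zone, not port, which is what makes "across all ports" work. A real deployment would need far more handshake recognisers than the two shown here; the point of the sample is that anything the filter cannot classify is dropped, not forwarded.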
