Osaro,

ISS has been offering Intrusion Protection for a long time! The technology is not new, it was established and proven by Network ICE in 1999 who were subsequently merged into ISS. The ISS Network Sensor, Guard, (in-path system --really cool!), ServerSensor and desktop protector all use the ICE technology which is not reliant on signatures alone for detection and prevention. (Signatures can still be really useful in very fast prevention of DoS attacks before the packet had been fully decoded!) The ICE system uses full 7-layer protocol analysis with heuristics hence detects attacks that are not even known about yet! (example, our system detected and prevented Code Red before it was even announced!)
The concept of "marking" is theoretically good but false negatives and positives can abound. For example, I see many apparent "scoping" packets which are actually remote applications scanning ports legitimately, and the port scans change. I do NOT want this traffic "marked" and later blocked, some of our specialised applications would not work any more! The other issue is that internal hacking cannot really be effectively handled by Network based boxes and sensors, you need software on the Server such as ISS server Sensor.

There are more issues on a good prevention system than you can shake a stick at. ISS specialise in this area and their Resellers work with you to provide a solution that will work! I see so many releases of wonderful "appliances" that will do IDP, content Scanning, AV etc, every month. I have yet to find anything to beat good individual products from proven specialists like ISS. I am always open to new ideas, but that is what they usually tend to be. I recently trialled a "wonder box" for all the above and it worked well until I tried complex attacks like fragmented packet attacks. The content filtering was just a limited URL filter and the AV was the only part that worked well --- up to 200 users, after that the box began to fall apart!

Hope this helps

John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 19, 2002 10:22 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [ISSForum] INTRUSION DETECTION vs INTRUSION PREVENTION

My company is looking into intrusion prevention instead of ISS IDS. Does ISS have any plan to fully incorporate intrusion prevention into their architecture? We are currently looking into two companies --- OKENA.COM and FORESCOUT.COM

Any thoughts on those two companies?

Thanks

Osaro Osagie
CCSA, CCNA, CISSP
ALLTEL Information Technology

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
