IPS is a new term that was probably coined by some marketing person. ISS has a product called Guard (former BlackICE product). This is an inline IDS, similar to Hogwash. It could be an "IPS".

The product that Okena has is like an application layer IDS. It has some good points to it as well as some bad ones. I would use it to complement the ISS infrastructure that you already have (assuming you have one).

The Forescout product is not a good one in my opinion. It acts more like a honeynet in that it will advertise fake services. When an attacker hits one of these fake services it will send back special data (i.e. tag data) that will be used later on in tracking the attacker. The tag data is then looked for in all incoming packets that meet certain rules. If the tag data is present, the Forescout product will block the intruder. Here is the problem I have with it... If a worm scans my network and finds all these servers that are exploitable (Forescout faking the services), it (the worm) will send a malicious packet to that server. This can eat up some pretty good bandwidth (depending on your Internet pipe). Plus, if this information about these fake servers is shared with other hackers or worm-infected boxes, you are going to be inviting a lot of unwanted traffic. Why invite all this junk on your network? Why advertise services that you don't have open?

With the new 7.0 network sensor, ISS has moved to a hybrid protocol anomaly based/pattern matching NIDS. This system can find many things that ISS RealSecure could not before. Since I have installed them on my network, we are finding out about many more attacks and recon events that we did not see before. I am also finding a lot of misconfigured servers on the network. If you use the 7.0 product correctly you can do some pretty cool things. If you use CheckPoint Firewall-1 you can enable the OPSEC blocking feature. This way you can stop an attacker during his recon attempts. Most times the attacker will be caught early enough so that he/she does not find anything on your network and moves on to someone else.
If you would like to talk more about this email me offline and we can chat.

Neil
