Hi,

PAM is the Protocol Analysis Module, which was developed by Network ICE in their Sentry (Network Sensor), Guard (in-line IPS), ICEAgent for Server (Server Sensor) and ICEAgent for Desktop (Desktop Protector). Since the purchase of Network ICE, PAM has been gradually ported over to a number of ISS products to complement the existing weaker signature-based detection. The log file trailing capabilities, where appropriate, have been retained, as Network ICE did not cover this.

PAM basically is very fast packet decode and analysis, very similar to Sniffer if you know that, as the same guys developed it who wrote Sniffer; the difference is that PAM is many times faster in decoding than Sniffer was. Taking Windows as an example, the simple methodology is that PAM, in conjunction with other software, enables a decision to be reached before the packet is applied to the upper layers of the ISO model, hence an attack can be detected and blocked BEFORE it does damage, hence the term Intrusion Protection as opposed to Detection!

Whilst all the older practices of RSKill etc. are still maintained, they are now almost redundant, as the PAM makes it possible to close a port and drop an attack independent of any need to configure a RSKill. In addition, as most new attacks are made up from parts of old, and the PAM is looking at the connection layer and monitoring the session, it is possible to observe protocol anomalies and packet content and actually block new exploits without a signature. (Cool huh?)

I installed the first prototype Guard from Network ICE in London on a vital link in 2001 (talk about taking risks!!) and it actually detected and stopped a new very serious exploit before it was made public! (Cannot remember if it was Code Red or Nimda!) PAM and RealSecure Guard are the absolute stars of the IPS world. Guard handles 100MBps full duplex at theoretically 100% load, and if you install it behind your firewall in-path it protects all internet incoming attacks and by nature all desktops that are browsing the internet! (I absolutely LOVE RealSecure Guard. We have put in hundreds and they work; unless we have to "tap" for dynamic load balanced links, we always install Guard rather than Network Sensor, with Server Sensor on all servers to protect from internal attack and Desktop Protector on remote notebook PCs. In my humble view Network Sensor is yesterday's way of doing things.) This is what makes ISS products the strongest in the market today.

The PAM was incorporated into Network Sensor and Server Sensor with 7.0; it was always in Guard and Desktop Protector.

Hope this helps!

John

John Taylor | Director Security Products | Tolerant Systems Ltd | 01782 865026 | 07730 989255

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 29, 2003 1:30 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] PAM and Sensor Version 7.0

Hi

Can anyone help answer the following questions?

A) PAM

What is PAM and how does it work? Does it only appear in network sensor 7.0 and server sensor 7.0 but not earlier versions? Where can I find official documentation on it? The only thing I can find is the "Server Sensor Advanced Tuning Parameters Reference Document" but none for the network sensor. I don't think it explains the concept clearly either.

B) Server sensor 7.0

Why is there suddenly a server sensor 7.0 for HP-UX but not for Solaris while there was only 6.5 for Solaris only? Are they planning to release a 7.0 for Solaris too? It is so confusing to me.

TIA

Bernard

_______________________________________________
ISSForum mailing list [EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
