Len, if you just can't say anything valuable in this discussion, just don't say anything!

IPS is a support for security, allowing 'security in depth'. IDS/IPS can't be considered a firewall replacement. So, if you can create a great security infrastructure based simply on firewalls, congratulations to you! I think this is going the wrong way for this mailing list.

Rogério, in my opinion the exam did not use/focus on third-party software. The exam should focus on widely used software/solutions and securing them, like Apache, Squid, the kernel, QoS, ToS, iptables, Snort, 802.1X authentication and others. What do you think?

Best regards to you all!

2008/7/28 Lennart Sorensen <[EMAIL PROTECTED]>

> On Mon, Jul 28, 2008 at 02:50:02PM -0300, Rogerio Ferreira wrote:
> > I am new to the group. I would like to give a suggestion for exam 303: to
> > include one question about the IPS (Intrusion Prevention System) HLBR (Hogwash
> > Light BR) in the exam.
> >
> > *About HLBR:*
> >
> > HLBR is a Brazilian project, started in November 2005, as a fork of the
> > Hogwash project (started by Jason Larsen in 1996). This project is intended
> > for security in computer networks.
> >
> > HLBR is an IPS (Intrusion Prevention System) that can filter packets
> > directly at layer 2 of the OSI model (so the machine doesn't even need
> > an IP address). Detection of malicious/anomalous traffic is done by rules
> > based on signatures, and the user can add more rules. It is an efficient and
> > versatile IPS, and it can even be used as a bridge to honeypots and honeynets.
> > Since it doesn't make use of the operating system's TCP/IP stack, it can be
> > "invisible" to network access and attackers.
> > http://hlbr.sourceforge.net/index.html.en
> >
> > Suggestion of a question about HLBR:
> >
> > X) What does this rule do?
> >
> > <rule>
> > ip dst(www)
> > tcp dst(80)
> > tcp nocase(cmd.exe)
> > message=cmd.exe test
> > action=action1
> > </rule>
> >
> > A) ....
> > B) ....
> > C) ....
> > D) ....
>
> Would my answer be considered correct?
>
> IPS is a load of shit that can't possibly work because it involves
> writing rules about what should and should not be permitted, and if you
> were capable of writing those rules then you would be capable of
> preventing the intrusion in the first place. Hence IPS in general is
> pointless.
>
> Now the work going into analysing source code of programs to determine
> what is possible behaviour (at least as far as system calls go) and
> killing a process when it makes system calls in an invalid order might
> actually provide some protection against exploitation, although it has a
> huge number of unfortunate limitations that make it unusable so far.
>
> So forget IPS and go set up your firewall properly.
>
> --
> Len Sorensen
> _______________________________________________
> lpi-examdev mailing list
> lpi-examdev@lpi.org
> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev

--
Regards,
Bruno Guerreiro Diniz
Security Information Consultant
LPIC-1
-------------------------------------------------------------------
WebSite: http://www.portal.datasec.com.br
-------------------------------------------------------------------
E-mail / MSN: [EMAIL PROTECTED]
Gtalk / ooVoo: guioday83
Skype: brunogdiniz
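The HLBR rule quoted in Rogerio's message reads as four ANDed tests: destination IP in a host list named `www`, TCP destination port 80, the string `cmd.exe` anywhere in the payload regardless of case, and a message plus an action to run on a hit. The block below is an added example, not HLBR's or Hogwash's own code: it emulates those semantics over a handful of constructed packets so the behaviour of the rule (and of signature matching in general) can be checked by hand. It assumes that `www` is a host list defined elsewhere in the IPS configuration, that `nocase` is an ASCII case-insensitive substring test on the TCP payload, and that `action1` is just a label for an action defined elsewhere; the sample packets and the host list addresses are invented.

```python
"""Emulate the quoted HLBR-style rule over constructed packets.

Added example, not HLBR code. Assumptions: ``www`` is a host list defined
elsewhere in the config; ``tcp nocase(...)`` is an ASCII case-insensitive
payload substring test; all tests in a <rule> block must match (AND).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp", ...
    dst_port: Optional[int]  # None for protocols without ports
    payload: bytes


@dataclass
class Rule:
    ip_dst_list: str   # name of a host list, e.g. "www"
    tcp_dst: int       # TCP destination port
    tcp_nocase: bytes  # case-insensitive payload substring
    message: str
    action: str        # label of an action defined elsewhere


# Assumed host list; in the real config this would be defined outside the rule.
HOST_LISTS: Dict[str, List[str]] = {"www": ["192.0.2.10", "192.0.2.11"]}

# The rule from the message, transcribed field by field.
CMD_EXE_RULE = Rule("www", 80, b"cmd.exe", "cmd.exe test", "action1")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every test in the rule block must hold for the rule to fire."""
    if pkt.dst_ip not in HOST_LISTS.get(rule.ip_dst_list, []):
        return False                       # ip dst(www)
    if pkt.proto != "tcp" or pkt.dst_port != rule.tcp_dst:
        return False                       # tcp dst(80)
    # nocase: bytes.lower() folds ASCII only, like a signature engine does.
    return rule.tcp_nocase.lower() in pkt.payload.lower()  # tcp nocase(cmd.exe)


def run(rule: Rule, packets: List[Packet]) -> List[dict]:
    """Return one alert dict per matching packet, in packet order."""
    alerts = []
    for i, pkt in enumerate(packets):
        if rule_matches(rule, pkt):
            alerts.append({"index": i, "dst": pkt.dst_ip,
                           "message": rule.message, "action": rule.action})
    return alerts


# Constructed traffic: the classic IIS traversal probe in several variants.
HIT = b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80, HIT),              # 0: match
    Packet("203.0.113.7", "192.0.2.11", "tcp", 80, HIT.upper()),      # 1: match (nocase)
    Packet("203.0.113.7", "192.0.2.10", "tcp", 8080, HIT),            # 2: wrong port
    Packet("203.0.113.7", "198.51.100.5", "tcp", 80, HIT),            # 3: not in www
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80,
           b"GET /index.html HTTP/1.0\r\n\r\n"),                      # 4: benign
    Packet("203.0.113.7", "192.0.2.10", "udp", 80, HIT),              # 5: not TCP
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80,
           HIT.replace(b"cmd.exe", b"cmd%2Eexe")),                     # 6: URL-encoded, evades
]


def matching_indices(packets: List[Packet] = SAMPLE_PACKETS) -> List[int]:
    return [a["index"] for a in run(CMD_EXE_RULE, packets)]


if __name__ == "__main__":
    for alert in run(CMD_EXE_RULE, SAMPLE_PACKETS):
        print(alert)
```

Packets 0 and 1 fire; 2 to 5 each fail exactly one of the tests, which is how the exam question would be answered. Packet 6 is the check a practitioner wants: the same request with the dot URL-encoded walks past a plain substring signature, so a rule like this only catches the encoding it was written for unless the engine normalises the URI first.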