Hi sammy,

To be able to prevent an intrusion, you either 1) have to know that there's an attempt or a current intrusion ongoing or 2) deny services that may be exploitable from the intruders.
In the first case, IDS's help notify you if there is an ongoing attack which you may act upon accordingly, and even in real time. There are 2 types of IDS's, one is passive which just notifies you of an attempt or an intrusion, and the other is active which takes appropriate actions whenever an intrusion is detected.

To be an IPS, one step may be blocking every port in the system, or turning off services which may be points of attack. Or, at the worst case, take the host off the network, and take away the peripherals like the mouse, keyboard, and monitor. But I'm sure you would also like to turn the power off, so that there would be no intrusion possible. :P

Anyway, I digress. To prevent an attack, you have to properly secure your system/network so that the services you want up are up, and the probability of an attack/intrusion approaches 0. Now, in case there is an attempt, then you can prevent the attack by doing some things with an active IDS (e.g. block the traffic from the attacker's host, plug the port via the iptables/firewall software, and even disable the account on the system with malicious intent).

Prevention is better than cure. However, prevention doesn't stop everything -- it's nice to know that you have a second, third, ..., nth line of defense.

If I was missing the point here, would you please give me an idea of what an IPS should be?

HTH.

On Fri, 1 Aug 2003 [EMAIL PROTECTED] wrote:

> thanks...but i'm not asking for inputs on ids....but on IPS.
> ...intrusion PREVENTION system.
>
> thanks.
>
> sammy
>
>
> -----Original Message-----
> From: Joshua San Juan [mailto:[EMAIL PROTECTED]
> Sent: Fri 8/1/2003 12:41 PM
> To: [EMAIL PROTECTED]
> Cc:
> Subject: Re: [plug] linux ips
>
>
> >From: Dean Michael Berris <[EMAIL PROTECTED]>
> >
> >there are active/passive IDS's like snort and portsentry, which could be
> >... [ snipped] ...
>
> As far as my experience (last time I used it was a year ago) goes with
> portsentry, you have to be very careful with its configuration - set the
> configuration to be too "sensitive" and you risk blocking valid
> connections.
>
>
> --
> Joshua
>
> --
> Philippine Linux Users' Group (PLUG) Mailing List
> [EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
> Official Website: http://plug.linux.org.ph
> Searchable Archives: http://marc.free.net.ph
> .
> To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
> .
> Are you a Linux newbie? To join the newbie list, go to
> http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
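
The active-response step described in the message above (block the offending host through iptables) together with the sensitivity caveat quoted from the portsentry reply, as an added example that is not part of the original thread. The log lines, the threshold values and the allowlisted network are constructed assumptions; the script only builds the iptables rule strings and does not execute them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample auth log (documentation-range addresses, not from the thread).
SAMPLE_LOG = """\
Aug  1 12:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2
Aug  1 12:00:03 host sshd[102]: Failed password for admin from 203.0.113.7 port 4002 ssh2
Aug  1 12:00:05 host sshd[103]: Failed password for root from 203.0.113.7 port 4003 ssh2
Aug  1 12:00:09 host sshd[104]: Failed password for sammy from 192.0.2.10 port 5001 ssh2
Aug  1 12:00:11 host sshd[105]: Failed password for sammy from 192.0.2.10 port 5002 ssh2
Aug  1 12:00:12 host sshd[106]: Failed password for sammy from 192.0.2.10 port 5003 ssh2
Aug  1 12:00:20 host sshd[107]: Failed password for guest from 198.51.100.4 port 6001 ssh2
"""

FAILED = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")

def count_failures(log_text):
    """Passive part: count failed logins per source address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)

def plan_blocks(log_text, threshold, allowlist=()):
    """Active part: decide which sources to drop, sparing allowlisted networks."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    blocked, spared = [], []
    for ip, hits in sorted(count_failures(log_text).items()):
        if hits < threshold:
            continue  # below the sensitivity threshold: notify only, no block
        if any(ipaddress.ip_address(ip) in net for net in nets):
            spared.append(ip)  # known-good network: never auto-block
        else:
            blocked.append(ip)
    rules = [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocked]
    return blocked, spared, rules

if __name__ == "__main__":
    # threshold=1 is the "too sensitive" setting: one mistyped password blocks a host.
    for threshold in (1, 3):
        blocked, spared, rules = plan_blocks(SAMPLE_LOG, threshold, ["192.0.2.0/24"])
        print(f"threshold={threshold} blocked={blocked} spared={spared}")
        print("\n".join(rules))
```
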
