Monday, November 07, 2005

New Tip Posted

The site just posted a short article I wrote titled Using attack responses to improve intrusion detection. It's about watching outbound traffic to identify intrusions. From the article:

"Network-based IDSes are deployed to identify compromised targets, while network-based IPSes are deployed in an effort to prevent compromise. Both systems must be able to recognize malicious traffic to issue warnings or block offending packets.

IDSes, however, have the upper hand in identifying intrusions, because they have the luxury of generating an alert based on traffic from the attacker to the victim or from the victim to the client. In other words, an IDS can alert on either the inbound attack traffic or the outbound victim response.

But to prevent an intrusion, an IPS must deny incoming attack traffic. An IPS that only inspects outbound traffic allows a target to be compromised. An IPS that makes a block decision based on responses from the victim is an 'intrusion containment system,' not an IPS."
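As an added illustration of the excerpt's point (not code from the article): a toy Python simulation over constructed packets with hypothetical signatures, counting how many inbound packets reach the victim before an IDS, an inbound-blocking IPS, and a response-based blocker each act, including a session whose inbound marker evades the inbound signature but whose response still gives it away.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass
class Packet:
    direction: str  # "in": attacker -> victim, "out": victim -> attacker
    payload: bytes

# Constructed signatures (hypothetical): an inbound exploit marker and outbound
# "attack response" content, such as a Windows command prompt that a web server should never return.
INBOUND_SIGS = [b"\x90\x90\x90\x90"]
RESPONSE_SIGS = [b"Microsoft Windows", b"C:\\>"]

def first_match(pkts: Sequence[Packet], sigs: Sequence[bytes], direction: str) -> Optional[int]:
    """Index of the first packet in `direction` that carries any signature."""
    for i, p in enumerate(pkts):
        if p.direction == direction and any(s in p.payload for s in sigs):
            return i
    return None

def inbound_delivered(pkts: Sequence[Packet], block_at: Optional[int]) -> int:
    """Inbound packets that reach the victim before a block decision at index `block_at`."""
    stop = len(pkts) if block_at is None else block_at
    return sum(1 for p in pkts[:stop] if p.direction == "in")

def evaluate(pkts: Sequence[Packet]) -> dict:
    """Compare an IDS, an inbound-blocking IPS and a response-based blocker."""
    inbound_hit = first_match(pkts, INBOUND_SIGS, "in")
    response_hit = first_match(pkts, RESPONSE_SIGS, "out")
    hits = [h for h in (inbound_hit, response_hit) if h is not None]
    return {
        # The IDS alerts on whichever direction matches first but blocks nothing.
        "ids_alert_at": min(hits) if hits else None,
        "ids_inbound_delivered": inbound_delivered(pkts, None),
        # The IPS drops the matching inbound packet, so the exploit never lands.
        "ips_inbound_delivered": inbound_delivered(pkts, inbound_hit),
        # A response-based blocker decides only after the victim has answered.
        "containment_inbound_delivered": inbound_delivered(pkts, response_hit),
    }

# Constructed session 1: a known exploit, then a leaked Windows command prompt.
KNOWN_EXPLOIT = [
    Packet("in", b"GET /cgi-bin/app?x=" + b"\x90" * 4 + b"AAAA HTTP/1.0\r\n\r\n"),
    Packet("out", b"HTTP/1.0 200 OK\r\n\r\nMicrosoft Windows [Version 5.1.2600]\r\nC:\\>"),
    Packet("in", b"dir\r\n"),
    Packet("out", b" Volume in drive C has no label.\r\n"),
]
# Constructed session 2: the same attack with the inbound marker obfuscated.
EVASIVE_EXPLOIT = [Packet("in", b"GET /cgi-bin/app?x=" + b"\x91" * 4 + b"AAAA HTTP/1.0\r\n\r\n")] + KNOWN_EXPLOIT[1:]
```

Running `evaluate` on both sessions shows the IPS stopping the known exploit before delivery but missing the evasive one entirely, while the response-based blocker lets the exploit through in both cases and the IDS still alerts on the outbound prompt.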

I've contacted the site editor to see if they can fix the corrupted Windows command prompt output.


interested said...

So what do you think about:
The use of more restrictive firewall policies?

Requiring users to authenticate before accessing the Internet?

Restricting Internet access to http, https, ftp and RARELY telnet

We've done this since Internet access was first installed many years ago.

Richard Bejtlich said...

It's all in the new book -- check it out!