Commenting on an email I read earlier today, some people apparently still have the misconception that an IPS simply sends an RST packet, and therefore, shortly after a session that is taking place between two parties should die.
A real IPS, in my opinion, has full control of the traffic. Cable one, exits firewall, enters port 1 on IPS, cable 2, exits port 2 on IPS and goes to switch.
While the traffic is passing through the IPS, the engine (in Sourcefire's case -- Snort) makes the decision if the traffic that entered port 1 should be allowed to go out port 2 and vice versa.
Can Sourcefire's devices send RST packets? Sure! But why would you want to give away where your IPS was on the network? Why not just silently drop the connection into the big bit bucket in the sky and go on about your day?
Oh. And do this at >10 Gig a second? Yeah it's awesome.
Please leave comments below.
Over the past several years my job here at Cisco Talos has changed drastically. I took on new roles, which is awesome and exciting, but in ...
Without going off the deep-end here and discussing every single Snort rule keyword, I just wanted to touch on a few modifiers that people so...
Let me start off by saying I'm not bashing the writer of this article, and I'm trying not to be super critical. I don't want to...
1. I don't feel like I have much to say. I do a tremendous amount of writing and blogging on the Snort, ClamAV, and Talos blogs. So...