Commenting on an email I read earlier today, some people apparently still have the misconception that an IPS simply sends an RST packet, and therefore, shortly after a session that is taking place between two parties should die.
Nope.
A real IPS, in my opinion, has full control of the traffic. Cable one, exits firewall, enters port 1 on IPS, cable 2, exits port 2 on IPS and goes to switch.
While the traffic is passing through the IPS, the engine (in Sourcefire's case -- Snort) makes the decision if the traffic that entered port 1 should be allowed to go out port 2 and vice versa.
Can Sourcefire's devices send RST packets? Sure! But why would you want to give away where your IPS was on the network? Why not just silently drop the connection into the big bit bucket in the sky and go on about your day?
Oh. And do this at >10 Gig a second? Yeah it's awesome.
Please leave comments below.
Subscribe to:
Post Comments (Atom)
-
Without going off the deep-end here and discussing every single Snort rule keyword, I just wanted to touch on a few modifiers that people so... -
Let me start off by saying I'm not bashing the writer of this article, and I'm trying not to be super critical. I don't want to...
-
What kind of crap is this? "Effective December 1st, 2007, all new GIAC certification attempts and re-certification attempts are require...
1 comment:
[...] research Roock RST 650 - Specialty File. Visit CARandDRIVER.com now for the latest automotive news.IPS's don't just send RST packets. | FinshakeCommenting on an email I read earlier today, some people apparently still have the misconception [...]
Post a Comment