Commenting on an email I read earlier today: some people apparently still have the misconception that an IPS simply sends an RST packet, and that the session taking place between two parties should therefore die shortly afterward.
Nope.
A real IPS, in my opinion, has full control of the traffic. Cable one exits the firewall and enters port 1 on the IPS; cable two exits port 2 on the IPS and goes to the switch.
While the traffic is passing through the IPS, the engine (in Sourcefire's case -- Snort) decides whether the traffic that entered port 1 should be allowed to go out port 2, and vice versa.
Can Sourcefire's devices send RST packets? Sure! But why would you want to give away where your IPS was on the network? Why not just silently drop the connection into the big bit bucket in the sky and go on about your day?
Oh. And do this at >10 Gig a second? Yeah it's awesome.
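To make the difference concrete, here is an added example (not Snort or Sourcefire code, and not from the original post) that models a passive sensor that can only inject an RST next to an inline device that decides what leaves port 2. The packet dicts, the `MARKER` payload, the addresses and the per-flow blocking are assumptions made up for the illustration.

```python
# Constructed model, not Snort or Sourcefire code. Packets are dicts and the
# "engine" is one substring match standing in for a rule.
MARKER = b"BLOCKME"  # constructed payload the stand-in rule matches

def engine_matches(pkt):
    return MARKER in pkt["payload"]

def rst_for(pkt):
    """Reset addressed back to the sender of pkt."""
    return {"src": pkt["dst"], "dst": pkt["src"], "flags": "R", "payload": b""}

def passive_sensor(pkts):
    """Out-of-band sensor: it sees copies, so all it can do is inject a RST."""
    forwarded, injected = [], []
    for p in pkts:
        forwarded.append(p)              # the original is already on the wire
        if engine_matches(p):
            injected.append(rst_for(p))  # teardown attempt after delivery
    return forwarded, injected

def inline_ips(pkts, action="drop"):
    """Inline device: traffic entering port 1 leaves port 2 only if allowed.
    Assumption: once a flow matches, the rest of that flow is dropped too."""
    forwarded, injected, blocked = [], [], set()
    for p in pkts:
        flow = (p["src"], p["dst"])
        if flow not in blocked and engine_matches(p):
            blocked.add(flow)
            if action == "reject":       # optional, and visible to the sender
                injected.append(rst_for(p))
        if flow not in blocked:
            forwarded.append(p)
    return forwarded, injected

def pkt(payload, flags="PA"):
    # Documentation-range addresses, constructed for this example.
    return {"src": "198.51.100.7", "dst": "192.0.2.10",
            "flags": flags, "payload": payload}

# Constructed session: a SYN, a clean request, a matching packet, a follow-up.
SESSION = [pkt(b"", "S"), pkt(b"GET / HTTP/1.1"),
           pkt(b"x" + MARKER), pkt(b"follow-up")]

if __name__ == "__main__":
    runs = {"passive + RST": passive_sensor(SESSION),
            "inline drop": inline_ips(SESSION, "drop"),
            "inline reject": inline_ips(SESSION, "reject")}
    for name, (fwd, inj) in runs.items():
        delivered = any(engine_matches(p) for p in fwd)
        print(f"{name:14} forwarded={len(fwd)} "
              f"matched_delivered={delivered} rst_sent={len(inj)}")
```

Only the inline drop case both keeps the matching packet from being delivered and puts nothing back on the wire for the sender to observe.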
Please leave comments below.
Joel Esler, Sourcefire, Snort, Immunet, ClamAV, Apple, and Network Security. This is my blog.