Commenting on an email I read earlier today, some people apparently still have the misconception that an IPS simply sends an RST packet, and therefore, shortly after a session that is taking place between two parties should die.
Nope.
A real IPS, in my opinion, has full control of the traffic. Cable one, exits firewall, enters port 1 on IPS, cable 2, exits port 2 on IPS and goes to switch.
While the traffic is passing through the IPS, the engine (in Sourcefire's case -- Snort) makes the decision if the traffic that entered port 1 should be allowed to go out port 2 and vice versa.
Can Sourcefire's devices send RST packets? Sure! But why would you want to give away where your IPS was on the network? Why not just silently drop the connection into the big bit bucket in the sky and go on about your day?
Oh. And do this at >10 Gig a second? Yeah it's awesome.
Please leave comments below.
Subscribe to:
Post Comments (Atom)
Is Evernote going away?
Evidently we don't know if Evernote is sticking around, since there seems to be some panic on the internet about it today. https://app...
-
Without going off the deep-end here and discussing every single Snort rule keyword, I just wanted to touch on a few modifiers that people so... -
Let me start off by saying I'm not bashing the writer of this article, and I'm trying not to be super critical. I don't want to...
-
Safari 5.1.4 now available, fixes issues and improves performance | TUAW - The Unofficial Apple Weblog : Improve JavaScript performance ...
1 comment:
[...] research Roock RST 650 - Specialty File. Visit CARandDRIVER.com now for the latest automotive news.IPS's don't just send RST packets. | FinshakeCommenting on an email I read earlier today, some people apparently still have the misconception [...]
Post a Comment