> Given. Still, it works at the application layer, otherwise it is a
> cunningly-renamed stateful firewall which performs deep inspection.

Absolutely, which I think underscores the point I was driving at, but never actually said, which is that the difference between the devices is primarily that of what network layer it's operating at. As with any network devices, as the field advances, we're going to see this line blur.

>> Unless it is an IPS, in which case
>
> In which case it is not an IDS, and thus not in scope with the original
> question :)

Now that's splitting hairs. :-) The market has really shifted from IDS to IPS, and I'd be hard pressed to name a network IDS that didn't have an active response version or add-on.

>> The difference I'd see is that network IDS/IPS devices typically look
>> for specific signatures (sequences of bytes, regular expressions,
>> certain flags set in the headers, etc) on a session (TCP, UDP, ICMP)
>> or network (IP) level packet.
>
> Counterexamples: Arbor, Lancope

Keyword: "typically". Even among the traditional signature-based IDSs, many use some more advanced algorithms to detect (and possibly block :-) DoS attacks, where simple thresholding is insufficient due to the false positive rate, especially in the face of (legitimate) flash crowds. (I'm not claiming those algorithms are perfect, or even good, just better.) Arbor and Lancope both offer interesting options in the network anomaly detection department, and there's a plethora of research systems using more advanced techniques. Of course, we don't currently have the means to quantitatively test such systems, which is where my current research interests lie.

>> Most can do some degree of session
>> reassembly, but only in so far as to catch signatures which are
>> divided across multiple packets.
>
> I'm pretty sure that Martin Roesch, if he reads, will have something to
> say here :)

Oh, certainly -- in fact I would love to hear his thoughts in this area.
Cheers,
Terry
#include <stddisclaim.h>
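The quoted exchange above turns on one concrete mechanism: a signature-based sensor that inspects packets in isolation misses a pattern split across TCP segments, and "session reassembly" exists precisely to close that gap. The following is an added example written for this page, not code from the thread, from Snort, or from any product named in it. It models a Snort-style content-plus-regex signature, a naive per-packet matcher, and a small stream reassembler that tolerates out-of-order segments and refuses to match across a gap. The signature, the HTTP request, the sequence numbers and the `Segment`/`StreamReassembler` names are all constructed for the demonstration.

```python
"""Added example (not part of the original mailing-list thread): why per-packet
signature matching misses patterns split across TCP segments, and how a minimal
stream reassembler catches them. All data below is constructed for the demo."""
import re
from dataclasses import dataclass, field


@dataclass
class Segment:
    """A TCP segment reduced to what the matcher needs (constructed type)."""
    seq: int          # sequence number of the first payload byte
    payload: bytes


# Constructed signature in the spirit of a content + pcre rule; this is a
# hypothetical pattern, not a rule from any real ruleset.
SIGNATURE_CONTENT = b"/cgi-bin/"
SIGNATURE_REGEX = re.compile(rb"\.\./\.\./")


def match_signature(data: bytes) -> bool:
    """True if the content string occurs and the regex matches after it."""
    idx = data.find(SIGNATURE_CONTENT)
    if idx < 0:
        return False
    return SIGNATURE_REGEX.search(data, idx + len(SIGNATURE_CONTENT)) is not None


def packet_level_detect(segments) -> bool:
    """Naive sensor: run the signature over each segment's payload alone."""
    return any(match_signature(s.payload) for s in segments)


@dataclass
class StreamReassembler:
    """Reassemble one direction of a TCP stream from (possibly out-of-order)
    segments, then run the signature over the contiguous byte stream."""
    isn: int                                    # sequence number of byte 0
    buffer: dict = field(default_factory=dict)  # seq -> payload

    def add(self, seg: Segment) -> None:
        self.buffer[seg.seq] = seg.payload

    def contiguous_stream(self) -> bytes:
        """Concatenate segments in sequence order, stopping at the first gap
        so that we never match across bytes we have not actually seen."""
        out = b""
        expected = self.isn
        for seq in sorted(self.buffer):
            if seq != expected:
                break
            out += self.buffer[seq]
            expected += len(self.buffer[seq])
        return out

    def detect(self) -> bool:
        return match_signature(self.contiguous_stream())


def build_split_request(isn: int):
    """Constructed attack request, cut so that both the content string and
    the regex straddle segment boundaries (a classic evasion)."""
    request = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"
    cuts = [0, 8, 16, len(request)]   # "GET /cgi" | "-bin/../" | "../etc/..."
    return [Segment(seq=isn + start, payload=request[start:end])
            for start, end in zip(cuts, cuts[1:])]


if __name__ == "__main__":
    segs = build_split_request(isn=1000)
    print("per-packet detect:", packet_level_detect(segs))       # False
    r = StreamReassembler(isn=1000)
    for s in reversed(segs):          # deliver out of order on purpose
        r.add(s)
    print("reassembled detect:", r.detect())                     # True
```

Note the gap rule in `contiguous_stream`: if the middle segment is never seen, the reassembler matches only on the bytes it has, rather than gluing the first and third segments together and producing a false positive. A real sensor also has to bound how much it buffers per flow and decide how long to wait for a missing segment; those limits, not the matching itself, are where the evasion research against reassembly engines has concentrated.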
