TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Here's information regarding what we are building to enhance our blocking
capability.

At Internet Security Systems, there is significant functionality being
developed to our overall intrusion detection system, RealSecure.  In a
project codenamed "micro engine", there is now the ability to monitor the
TCP/IP stack at the host IDS layer with similar-type attack signatures that
were previously only in the network-based IDS RealSecure component.  By
evolving the network-based intrusion technology from monitoring a network
segment to be included in the host-based IDS solution, it provides a
solution to issues that face network-based-only solutions.  Typical issues
that are facing network-based IDS include faster bandwidth speeds, switched
networks, and encryption.  To provide a solution, a hybrid intrusion
detection system with multiple layers of monitoring gives the widest
effective coverage.

Increasing Network Bandwidth

As network bandwidth requirements increase in speed, the ability to analyze
network based attacks can be solved by allowing servers to monitor their own
TCP/IP stacks.  Rather than watching millions of packets that go across the
network segment, the host based IDS can protect the important servers by
focusing only on packets destined for them.

Switched Networks

As more networks become switched, the ability to monitor network segment
traffic decreases.  Micro engine can gain visibility at the server level of
these network attacks.  By deploying host-based IDS across all the important
servers, the ability to monitor each of these servers becomes possible even
in a switched network environment lacking monitoring ports.

Encryption

As the future standards for network traffic protocols add encryption, at the
network segment-monitoring layer, network based IDS can only see scrambled
data.  If we can gain access to the decrypted packets at the host layer,
RealSecure can monitor the appropriate decrypted packet for attack
signatures.  By getting access to the packets within the stack after they
are decrypted, host based IDS can do content analysis.

Better Blocking

Additionally, many more attacks can be effectively prevented at the host
layer when RealSecure host based IDS detects them and blocks them before the
information packets reach the applications and operating system.   Network
based IDS can send resets to TCP based connections and reconfigure routers
and firewalls in an attempt to react to an attack.  These may not be
effective or granular enough for proper protection.   Micro engines can
enable host based IDS to easily and with more granularity block TCP, UDP,
and ICMP based attacks at the server level.

Do I still need RealSecure network engines?

Micro engine technology is complementary to RealSecure network-based IDS.
RealSecure network engines can monitor machines that cannot run RealSecure
host IDS and have a low total deployment cost of watching many connected
machines.  RealSecure network engines are harder to detect, with better
stealth capabilities.

Supported Platforms

The current beta micro engines will run under Windows NT and Solaris UNIX.

Status

Micro engine technology is currently in beta and ISS is looking for beta
testers.  There is a limited beta offer to current ISS customers and not
open to the public.    If you have interest in beta testing the micro
engines, please contact Dan Nadir ([EMAIL PROTECTED]) and request to be on the
beta contact list.
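As an added illustration (not ISS code and not the micro engine's actual design), here is a toy host-level inspector in Python. It only examines packets addressed to its own host, matches a constructed signature for the TCP portmap (111) probe discussed in the thread, and records in each event whether the kill action was actually taken, which is the question the original poster asked. Addresses, the signature table and the event format are all constructed.

```python
"""Toy host-level packet inspector (constructed example, not RealSecure)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "TCP", "UDP" or "ICMP"


@dataclass
class Event:
    name: str
    packet: Packet
    action: str  # "blocked" when the kill option fired, else "logged"


# Constructed signature table; real IDS signatures are far richer than a predicate.
SIGNATURES: Dict[str, Callable[[Packet], bool]] = {
    "PmapDump": lambda p: p.proto == "TCP" and p.dport == 111,
}


class HostEngine:
    """Inspects only traffic destined for this host, like a host-stack monitor."""

    def __init__(self, local_addrs: Iterable[str], kill: Iterable[str] = ()):
        self.local = set(local_addrs)
        self.kill = set(kill)          # signature names with the kill option enabled
        self.events: List[Event] = []  # the record an operator would review

    def inspect(self, pkt: Packet) -> Optional[Event]:
        if pkt.dst not in self.local:  # not ours: a host engine never sees it
            return None
        for name, match in SIGNATURES.items():
            if match(pkt):
                action = "blocked" if name in self.kill else "logged"
                ev = Event(name, pkt, action)
                self.events.append(ev)
                return ev
        return None

    def deliver(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed through to the application."""
        ev = self.inspect(pkt)
        return ev is None or ev.action != "blocked"
```

Because the verdict is stored with the event rather than inferred from a notification, the operator can tell a detected-and-blocked probe from one that was only logged.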


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Irwin, Tim A
> Sent: Friday, January 14, 2000 12:30 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: The Engine detected a PmapDump how can i know if it was
> blocked or if it was success?
>
>
> I have concerns that some things are not being killed...
>
> I run Wietse's rpcbind wrapper on my machines and I still see people
> trying to scan RPC ports (via syslog), even though I have the kill
> option set in RS.  It's that multiple-layer defense strategy I
> suppose... call me paranoid.
>
> -Tim
>
> -----Original Message-----
> From: RENTERIA TABARES JUAN [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 13, 2000 9:11 PM
> To: [EMAIL PROTECTED]
> Subject: The Engine detected a PmapDump how can i know if it was blocked
> or if it was success?
>
>
>
>
>
>       I was reviewing the logs of my server and checking the email,
>       it notifies the following message (also was displayed on the
>       engine console):
>
>       'PmapDump' event detected by the RealSecure engine at 'server'.
>       Details:
>
>       Source Address: 24.x.x.x
>       Source Port: 828
>       Source MAC Address: 00:xx:xx:xx:xx:xx
>       Destination Address: ip my range
>       Destination Port: Portmap (111)
>       Time: Thu Jan 13 20:03:11 CST 2000
>       Protocol: TCP (6)
>       Priority: high
>       Actions mask: 0x245
>
>
>       How can I know if the ENGINE killed the attack when it was
>       detected? In the policies I have checked the kill option for the
>       RPC Attack, and also checked the email notification. I was notified
>       by email, but I don't know if the ENGINE really killed the
> attack.
>
>       Is there a way to know that the attack was killed successfully?
>
>                       Tkz, From Mexico.
>