In my days through the net I have only come across an IDS that retaliates once. It essentially 'nuked' back on any illegal connection or connection request. Just like everyone else I would make the call that it's a bad idea simply because of the effect it can have on "owned" computers.

Peter Francis
Owner/Operator
-= KoRe WoRkS =- Internet Security
http://www.koreworks.com/
Is your site really secure?

>From: "Thomas Porter, Ph.D." <[EMAIL PROTECTED]>
>To: "'Carr, Aaron [CNTUS]'" <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>
>Subject: RE: IDS that retaliates.
>Date: Wed, 6 Mar 2002 11:05:18 -0500
>
>Keith McCammon has already mentioned that retaliate almost always means,
>"Active Response". There are a number of good technical, legal, &
>business reasons for not choosing to actively respond in an enterprise
>environment.
>In fact, I don't know of anyone outside of a lab environment who has
>turned on "shunning". I'd be curious if anyone is using it...
>
>Thomas Porter, Ph.D.
>Scorpion Point Security
>[EMAIL PROTECTED]
>919.824.9577
>
>You may wish to clarify your meaning of "retaliate". When I think
>retaliate, I think an equal or greater reaction to the probe or attack
>in question. You may simply be saying take effective counter-measures,
>such as performing a shun on a host or network, which is already
>available in multiple products. One such product is the Cisco secure
>IDS in conjunction with other Cisco network products. For more
>information on that, see
>http://www.cisco.com/warp/public/44/solutions/network/security.shtml.
>
>Hope that helps.
>
>Aaron Carr, CCNA, MCSE
>Technology Integration
>Systems and Process Support
>Clinical Research and Development
>(610)651-7321 (Voice)
>(610)651-6242 (Fax)
>(610)721-6366 (Mobile)
>[EMAIL PROTECTED] (Text Pager)
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, March 05, 2002 12:23 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: IDS that retaliates.
>
>Hi
>
>I read a long time ago that some government agency in the US was working
>on an IDS that could retaliate. I wonder if someone has any information
>on any IDS that does that, or any ideas on how to make an IDS that in
>return of an event triggers different security measures.
>
>Thankful for all replies.
>
>Regards
>Charles
>---------------------------------------------------------------------
>Charles Skoglund, OM AB (Norrlandsgatan 31)
>SE-105 78 Stockholm
>Email: [EMAIL PROTECTED]
>Phone: +46 (0)8 405 64 90
>Mobile: +46 (0)70 597 52 32
>Switchboard: +46 (0)8 405 60 00
