I was wondering what the best way of coupling a firewall and an IDS is. Then I found snort-inline.
From the page:
snort_inline is basically a modified version of Snort that accepts packets from iptables, via libipq, instead of libpcap. It then uses new rule types (drop, sdrop, reject) to tell iptables whether the packet should be dropped, rejected, modified, or allowed to pass based on a snort rule set. Think of this as an Intrusion Prevention System (IPS) that uses existing Intrusion Detection System (IDS) signatures to make decisions on packets that traverse snort_inline.
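To make the quoted rule types concrete, here is an added toy model (my own code, not snort_inline's) of the per-packet verdict an inline IPS hands back to the kernel queue: alert logs and passes, drop logs and discards, sdrop discards silently, reject discards and actively tears the session down. The rule grammar is a simplified subset of Snort's and the sample rules are constructed.

```python
import re
from typing import List, Optional, Tuple

# Verdicts an inline IPS returns to the queue (names as used by libipq).
NF_ACCEPT, NF_DROP = "NF_ACCEPT", "NF_DROP"

# Simplified Snort rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(alert|drop|sdrop|reject)\s+(tcp|udp|icmp|ip)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$')

def parse_rule(line: str) -> Tuple[str, str, str, Optional[bytes], str]:
    """Return (action, proto, dst_port, content bytes or None, msg)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    action, proto, dport, opts = m.groups()
    content = re.search(r'content:"([^"]*)"', opts)
    msg = re.search(r'msg:"([^"]*)"', opts)
    return (action, proto, dport,
            content.group(1).encode() if content else None,
            msg.group(1) if msg else "")

def verdict(rules: List[str], proto: str, dst_port: int, payload: bytes):
    """First matching rule decides: returns (verdict, log_msg, active_response)."""
    for action, rproto, dport, content, msg in map(parse_rule, rules):
        if rproto not in (proto, "ip") or dport not in (str(dst_port), "any"):
            continue
        if content is not None and content not in payload:
            continue
        if action == "alert":      # classic IDS behaviour: log, let it through
            return NF_ACCEPT, msg, None
        if action == "drop":       # IPS: log and discard
            return NF_DROP, msg, None
        if action == "sdrop":      # silent drop: discard, no log entry
            return NF_DROP, None, None
        # reject: discard, log, and tear the session down
        resp = "TCP RST" if proto == "tcp" else "ICMP port unreachable"
        return NF_DROP, msg, resp
    return NF_ACCEPT, None, None   # no rule matched: pass unchanged

# Constructed sample rules (not a real snort_inline rule set).
RULES = [
    'drop tcp any any -> any 80 (msg:"WEB traversal attempt"; content:"../../"; sid:1000001;)',
    'sdrop udp any any -> any 1434 (msg:"noisy scanner"; sid:1000002;)',
    'reject tcp any any -> any 23 (msg:"telnet to DMZ"; sid:1000003;)',
    'alert tcp any any -> any 25 (msg:"mail seen"; sid:1000004;)',
]
if __name__ == "__main__":
    print(verdict(RULES, "tcp", 80, b"GET /../../etc/passwd HTTP/1.0"))
    print(verdict(RULES, "tcp", 23, b""))
```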
This is exactly what I am looking for in setting up my PoC model of my architecture.
I have been feeling the need to create something for my project instead of a cop-out, best-practices-only type thing. I realise there is value in that.
Incidentally, I just asked Jason Chan of @stake research to have a look at my paper, which I based on his. I think he would have some excellent feedback.
Anyway, back to the point. I am thinking of doing two things.
- Create a Linux distro that implements my architecture: a Knoppix-style distro that would provide an example set-up.
- Reverse engineer M$ SUS so that a Unix server can be implemented. This will allow a Unix server to distribute patches to M$ machines. This would also be integrated into the distro above.
UPDATE 21st Sept
Thanks to Fred Avolio for pointing out here that intrusion prevention is nothing new and was called 'active security' by Network Associates back in 1999. Us newbies need to learn.