IPS-Mode Vs. IDS-Mode with Shunning

Unanswered Question
Jun 5th, 2007
User Badges:

Hi,


I would like to ask about any possible limitations for an IDS configured for shunning connections by integrating with a Cisco ASA; I have the following questions in this regard:


1- Is it the particular malicious traffic which will be blocked, or the complete IP address and port number from which the attack is received which will be blocked?


2- How long will the ACL added for shunning remain in the ASA config?


3- Will the first packet reach to the victim, and if so what would be the implications?


4- Are there any advantages for the IPS mode over the IDS mode?


Regards,

Haitham

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
m.sir Tue, 06/05/2007 - 05:44
User Badges:
  • Gold, 750 points or more

1) You can specify two block actions on IPS

1a) Request Block Host (sensor blocks all traffic from the host that triggered the signature)


1b) Request Block Connection (blocks only traffic from the host to the destination port of the traffic that triggered the signature


2)You can specify "block time" on IPS - The default blocking duration is 30 minutes


3)Because IDS is outside of the forwarding path, one or more attack packets might reach the target before the response action can be activated ... How is it serious??? It depends for some attacks its no problem BUT IDS cannot stop fox example Atomic attacks that use only one packet for the attack

4) Its INLINE function - IPS is Positioned directly in the packet-forwarding path as a Layer 2 bridge Analyzes data as it travels

between two interfaces.

IPS also has Aplication level inspection

and Risk rating features what IDS hasnt

M.





Actions

This Discussion