[unisog] IPS

Bauer, Steven J. Steve.Bauer at sdsmt.edu
Wed Feb 9 18:10:05 GMT 2005


Would the spoofed IPs really be a problem depending on where the IPS is
deployed at?  Normally, the spoofed IP packets should be blocked by some
router(s) that have an idea of what IP packets they should forward.
Basically, the defense in depth method rather than depending on one
device to do it all.

Steve

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Wednesday, February 09, 2005 10:09 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] IPS 

On Wed, 09 Feb 2005 11:30:12 EST, Wes Young said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> but what about the IPS's that only block the bad traffic, in theory,
> shouldn't an IPS only block those packets that are spoofed, and not the
> ones that (it detects) are real?

And it tells the difference, *how* exactly?  If you were to see a TCP SYN
packet coming from 128.173.14.107, how do you know it came from my laptop
and not some host in Taiwan? (Remember you'll almost certainly receive the
packet from the same upstream router in either case, unless you're a
multihomed ASN and you *know* why uRPF filtering doesn't work for you. ;)

> day to day business.... If it detects a spoofed IP it should drop it...
> but if reg traffic is mixed in there, it should only drop the spoofs???
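The two points in this exchange (Steve's: the router in front of the IPS should already be dropping packets whose source address it knows should not arrive on that interface; Valdis's: that check is uRPF, and it breaks on multihomed networks with asymmetric paths) can be seen in a small model of strict and loose unicast RPF. This is an added example written for this archive page, not code from any list member or from any router vendor. The routing table, interface names and packet list are constructed; 128.173.0.0/16 is used only because the thread quotes 128.173.14.107 as a campus laptop address.

```python
"""Model of strict and loose unicast reverse-path forwarding (uRPF) checks.

Added example with a constructed FIB; not from the unisog thread or any vendor.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # interface the router would use to reach this prefix

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed FIB for a hypothetical campus border router (assumption, not real data).
ROUTES = (
    Route(ipaddress.ip_network("128.173.0.0/16"), "campus"),      # campus address space
    Route(ipaddress.ip_network("10.20.0.0/16"), "campus"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "upstream-a"),  # multihomed peer, best path via A
    Route(DEFAULT, "upstream-a"),                                  # default route
)

def lookup(src: str, routes=ROUTES) -> Optional[Route]:
    """Longest-prefix match for the source address; None if nothing matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def strict_urpf(src: str, ingress: str, routes=ROUTES) -> bool:
    """Strict mode: pass only if the best route back to src leaves via the ingress interface.

    On the campus interface this is BCP 38 egress filtering (campus hosts may only
    source campus addresses); on the upstream interface it drops outside packets that
    claim a campus source.  It also drops legitimate traffic on a multihomed network
    whenever the return path differs from the arrival path.
    """
    r = lookup(src, routes)
    return r is not None and r.interface == ingress

def loose_urpf(src: str, routes=ROUTES, allow_default: bool = False) -> bool:
    """Loose mode: pass if any route to src exists, regardless of interface.

    With allow_default=False a bare default route does not count, which is the
    usual choice on routers carrying a full table; with a default route and
    allow_default=True every source passes, so the check catches nothing.
    """
    r = lookup(src, routes)
    if r is None:
        return False
    if r.prefix == DEFAULT and not allow_default:
        return False
    return True

# Constructed sample packets: (source address, interface the packet arrived on).
PACKETS = [
    ("128.173.14.107", "campus"),      # real campus laptop
    ("128.173.14.107", "upstream-a"),  # outside host claiming a campus source
    ("203.0.113.9", "upstream-a"),     # ordinary internet source, reached via default
    ("203.0.113.9", "campus"),         # campus host claiming an outside source
    ("198.51.100.7", "upstream-b"),    # multihomed peer arriving on the non-best path
]

def filter_packets(packets=PACKETS, mode: str = "strict", routes=ROUTES):
    """Return [(src, ingress, 'pass'|'drop'), ...] for the chosen uRPF mode."""
    out = []
    for src, ingress in packets:
        if mode == "strict":
            ok = strict_urpf(src, ingress, routes)
        else:
            ok = loose_urpf(src, routes)
        out.append((src, ingress, "pass" if ok else "drop"))
    return out

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode)
        for src, ingress, verdict in filter_packets(mode=mode):
            print(f"  {src:16} on {ingress:11} -> {verdict}")
```

Running the model shows both halves of the thread: in strict mode the two spoofed packets are dropped at the router before any IPS would see them, but so is the legitimate 198.51.100.7 packet that arrived on upstream-b, which is exactly the asymmetric-routing case Valdis refers to. Loose mode keeps that packet and still rejects sources with no route at all, but it passes the spoofed campus address arriving from upstream, so it does not replace an ingress filter on the border interface.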
