[unisog] Intrusion Prevention

Gary Flynn flynngn at jmu.edu
Thu Jan 9 19:01:56 GMT 2003


kamal hilmi othman wrote:
> Hi All,
> I'm looking for an alternative (open source) solution for an Intrusion
> Prevention System. Therefore I'm seeking the experience of those who
> have deployed stuff like Hogwash, SnortInline or PFSessionLimit.

Depends upon where you want to put it.

If you want to put it inline on an academic DS3 Internet connection
with a significant number of rules, I think the IDP will require
hardware support (i.e. ASIC) and state/protocol awareness in the
architecture to manage the multitude of sessions and keep up with
traffic.

If you want to deploy it on a lower speed line and/or
limit the number of checks, a simpler architecture may
suffice.

The best way to find out if a particular product will work
in your environment is to try it out. Turn all detection
and state management off and then very carefully start
enabling things one by one to see how it performs. If
everything performs OK in detection mode, then you can
start trying to block traffic matching certain signatures,
again very carefully.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
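The staged roll-out described in the reply above, written out as an added example (this is not code from the original post, nor from Hogwash, SnortInline or PFSessionLimit). A small Python helper rewrites a Snort-style rule file so that stage N has the first N rules enabled in alert mode and the rest commented out, and a separate step flips only explicitly named SIDs from alert to the snort_inline drop action, refusing to promote a rule that has never been watched alerting. The rule lines are constructed samples with made-up SIDs; the function names and the batch-size choice are assumptions.

```python
"""Stage a Snort/snort_inline rule set for a careful inline deployment.

Added example: start with every rule off, bring rules up in small batches
in detection (alert) mode, then promote individual rules to drop.
Rule lines below are constructed for illustration; SIDs are not real.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample rule file (not part of any shipped rule set).
SAMPLE_RULES = """\
# web-attacks.rules (constructed example)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC example directory traversal"; content:"../"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC example cmd.exe access"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 139 (msg:"NETBIOS example SMB probe"; flow:to_server,established; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 161 (msg:"SNMP example public community"; content:"public"; sid:1000004; rev:1;)
"""

# drop/reject/sdrop are the actions snort_inline adds to stock Snort.
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<action>' + "|".join(ACTIONS) + r')\s+(?P<rest>\S.*)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


@dataclass
class Rule:
    action: str
    rest: str        # header + option body, everything after the action keyword
    sid: int
    enabled: bool    # False when the line is commented out

    def render(self, action: Optional[str] = None, enabled: Optional[bool] = None) -> str:
        act = self.action if action is None else action
        on = self.enabled if enabled is None else enabled
        line = f"{act} {self.rest}"
        return line if on else f"# {line}"


def parse_rules(text: str) -> List[Rule]:
    """Parse active and commented-out rules; plain comments and blanks are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        sid = SID_RE.search(m.group("rest"))
        if not sid:
            raise ValueError(f"rule without sid: {line}")
        rules.append(Rule(m.group("action"), m.group("rest"), int(sid.group(1)),
                          m.group("disabled") is None))
    return rules


def stage_detection(rules: List[Rule], stage: int, batch_size: int = 1) -> str:
    """Rule file for stage N: first N*batch_size rules in alert mode, the rest off.

    Stage 0 is 'everything off', the starting point for the inline trial.
    """
    enabled_count = min(stage * batch_size, len(rules))
    return "\n".join(r.render(action="alert", enabled=i < enabled_count)
                     for i, r in enumerate(rules)) + "\n"


def promote_to_drop(rules: List[Rule], sids: Set[int]) -> str:
    """Flip only the listed SIDs from alert to drop; leave every other line alone.

    A disabled or non-alert rule is never promoted: a rule that has not been
    watched alerting in detection mode has not earned the right to block.
    """
    out = []
    for r in rules:
        if r.sid in sids:
            if not (r.enabled and r.action == "alert"):
                raise ValueError(f"sid {r.sid} is not an active alert rule; refusing to promote")
            out.append(r.render(action="drop"))
        else:
            out.append(r.render())
    return "\n".join(out) + "\n"


def count_actions(text: str) -> Dict[str, int]:
    """Summary to eyeball before loading a stage: how many rules per action, how many off."""
    counts: Dict[str, int] = {"disabled": 0}
    for r in parse_rules(text):
        key = r.action if r.enabled else "disabled"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for n in range(len(rules) + 1):
        print(f"stage {n}: {count_actions(stage_detection(rules, n))}")
    armed = promote_to_drop(parse_rules(stage_detection(rules, len(rules))), {1000001})
    print("after promoting sid 1000001:", count_actions(armed))
```

Each stage file is loaded on the sensor and watched for a while before the next one is generated; the promotion step is run with one or two SIDs at a time, for the same reason.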

