[unisog] IPS

Michael Holstein michael.holstein at csuohio.edu
Wed Feb 9 22:16:47 GMT 2005

> I don't see how you can filter packets with spoofed *source* addresses
> that are generated outside your network unless the addresses are your
> own.

The trick when doing IPS spoofing is to send packets through the device 
that have a SOURCE on your network -- because the objective is to make 
the IPS think an attack is comming from something important and then 
block it (thus creating a DOS against that device).

Simple packet filters can't do this (well they could, but one wouldn't 
want reflexive ACLs on your Internet router) but firewalls can do it 
reasonably well.

IPS is just one more piece of "defense in depth". Despite whatever the 
salesperson tells you, installing 1, 10 or 100 of their ultra-whiz-bang 
appliances won't prevent 100% of the attacks.

(my $0.02).


More information about the unisog mailing list