
Understanding IPS

Updated: 17 May 2011 | 4 comments
Adrian Ishida

Could someone give me a high-level overview of IPS?

I know what it is intended to do and we have experienced our machines being locked out of the network due to IPS.

However, what is not clear is:

How does each client get the signal to lock down, or do they see the attack and lock down themselves?

How does each client decide when to unlock, or again, is there a signal sent from the SEP server?

Many thanks

Adrian

Comments

Vikram Kumar-SAV to SEP, 15 Apr 2011

It will not lock

It will not lock itself; however, it blocks the connection to and from the attacking machine for 30 mins by default.

Mithun Sanghavi, 15 Apr 2011

2 Articles to Explain.

Hello,

The Symantec IPS signatures use a stream-based engine that scans multiple packets. Symantec IPS signatures intercept network data at the session layer and capture segments of the messages that are passed back and forth between an application and the network stack.

The intrusion prevention system (IPS) is the Symantec Endpoint Protection client's second layer of defense after the firewall. The IPS is a network-based system that operates on every computer on which the client is installed and the intrusion prevention system is enabled. If a known attack is detected, one or more intrusion prevention technologies can automatically block it. 

The intrusion prevention system scans each packet that enters and exits computers in the network for attack signatures. Attack signatures are the packet sequences that identify an attacker's attempt to exploit a known operating system or program vulnerability.

If the information matches a known attack, the IPS automatically discards the packet. The IPS can also sever the connection with the computer that sent the data for a specified amount of time. This feature is called active response, and it protects computers on your network from being affected in any way.

The client includes the following types of IPS engines that identify attack signatures:

Symantec IPS signatures - The Symantec IPS signatures use a stream-based engine that scans multiple packets. Symantec IPS signatures intercept network data at the session layer and capture segments of the messages that are passed back and forth between an application and the network stack.

Custom IPS signatures - The custom IPS signatures use a packet-based engine that scans each packet individually.

Here are 2 articles which may also assist you:

Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/business/support/index?page=content&id=TECH95347

Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained
http://www.symantec.com/business/support/index?page=content&id=TECH104434

Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | SCTS | ITIL v3

Follow me on Twitter: @mithun_sanghavi

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

VKalani, 15 Apr 2011

How does each client get the

How does each client get the signal to lock down, or do they see the attack and lock down themselves?

Answer:

The client being attacked (the target, the one with SEP IPS installed) will not lock down, but the client (IP address) that attacked (the source) will be locked down.

How does each client decide when to unlock, or again, is there a signal sent from the SEP server?

Answer:

The source IP address is blocked by the target (SEP IPS) for 10 minutes. This is configured in SEPM, and this feature is known as Active Response.

-VKalani

thatdude, 15 Apr 2011

Be careful with using block

Be careful with using the block attacks setting in IPS when behind a proxy server. We found out the hard way. When an attack occurs from the web behind a proxy, the proxy server ends up being blocked automatically. This is not good when using a long time period like the default settings. As a workaround we changed the time to 10 seconds, but I've put in a feature request to allow better control of exclusions so you can enter exclusions for the block attacker setting. Not sure if it will ever get implemented, but I'm hoping it does.
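As an added illustration (not SEP's code and not written by anyone in this thread), the Python model below captures the active response behaviour described above and the proxy pitfall: a signature match blocks the source address, never the protected host, for a configurable period (the thread cites both 10 and 30 minutes as the default), and because every host behind a proxy shares the proxy's address, one attack fetched through the proxy cuts off web access for all of them. The exclusion list and the 10.0.0.5 proxy address are assumptions for the example; the exclusion list is the requested feature, not an existing SEP setting.

```python
# Constructed model of IPS "active response" (illustration only, not SEP's
# implementation). A signature match installs a timed block on the SOURCE
# address of the offending traffic; the protected host itself is never locked.
from dataclasses import dataclass, field


@dataclass
class ActiveResponse:
    block_seconds: int                            # how long a source stays blocked
    excluded: set = field(default_factory=set)    # hypothetical exclusion list
    blocked: dict = field(default_factory=dict)   # source ip -> expiry time (s)

    def on_signature_match(self, src_ip: str, now: float) -> bool:
        """The engine matched an attack signature in traffic from src_ip.
        Returns True if a block was installed (excluded addresses are skipped)."""
        if src_ip in self.excluded:
            return False
        self.blocked[src_ip] = now + self.block_seconds
        return True

    def is_blocked(self, src_ip: str, now: float) -> bool:
        """Drop decision for traffic to/from src_ip at time `now`.
        Expired entries are removed lazily, which is how the block 'unlocks'
        without any signal from the management server."""
        expiry = self.blocked.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[src_ip]
            return False
        return True


def seconds_proxy_blocked(block_seconds: int, excluded: set, horizon: int = 3600) -> int:
    """Constructed scenario: one attack arrives through the proxy at 10.0.0.5
    (constructed address). Returns how many seconds, within `horizon`, the
    proxy (and so everyone behind it) is cut off from the protected host."""
    proxy_ip = "10.0.0.5"
    ips = ActiveResponse(block_seconds=block_seconds, excluded=excluded)
    ips.on_signature_match(proxy_ip, now=0)
    return sum(ips.is_blocked(proxy_ip, now=t) for t in range(horizon))


if __name__ == "__main__":
    print("10 min default block:", seconds_proxy_blocked(600, set()))          # 600
    print("10 s workaround:     ", seconds_proxy_blocked(10, set()))           # 10
    print("proxy excluded:      ", seconds_proxy_blocked(600, {"10.0.0.5"}))   # 0
```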