On Fri, 2002-04-12 at 14:37, Toby wrote:

> Yes, but ZoneAlarm is NOT an IDS. It is a firewall with some other
> abilities because it is on a host. Run IIS on two systems- load blackICE on
> one, load ZoneAlarm on the other. Configure them both to be as secure as
> possible while allowing HTTP access to port 80. Then run CodeRed (if you've
> got a copy, or else some other attack if you don't) against them. See which
> one blocks it- BI will. ZA will not. One is an IDS and watches the traffic.
> One is a firewall and controls access. IDS allows for the need for
> untrusted traffic/apps. Firewalls don't.
>

Ummmmmmmmmmmmmm.

Isn't really the difference between packet filtering and content/protocol filtering (you might make an argument about state too, but both are allowing connections)?

What does examining the protocol make BlackICE an IDS? I would consider it an IDS based on a number of other things it is doing, like watching the network traffic, and its 'type' of reaction.

I've always considered IDS to mean "another" device, i.e. one that is not part of the network flow (a separate box) much like tripwire is not the file server, it is a process watching it.

In that vein, I might say BlackICE has an IDS component that is watching the traffic content/protocol.

--
Zot O'Connor
http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:40:36 PDT