IDS/IPS in firewall

I would like to suggest that Comodo Firewall / Comodo Internet Security incorporate a snort like IDS/IPS system that monitors web traffic going to the device for known attacks. An IPS option could be present to block attacks also rather than just alerting to them.

The IDS/IPS system could also monitor outgoing data too for traffic characteristic of malware/APT’s, such as beaconing, phoning home, communication to known C2 servers/botnets, etc.

A HIPS is already present when using the Proactive Security configuration. Comodo promised that this year will bring noticeable development for the Viruscope behaviour blocker. In CCAV a Viruscope recogniser is able to catch keyloggers. Who knows what Viruscope may bring.

I think richard means IDS/IPS as in network packet inspection rather than the type of HIPS CIS is already using. I don’t think HIPS monitors network packets at all (?), and I wonder if Viruscope would analyze network packets (?). IDS/IPS is more the job of the network firewall.

There may be some Babylonic confusion on what is what here. 88) I went to Wikipedia, which states:

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station. IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. NIDS is a network security system focusing on the attacks that come from the inside of the network (authorized users). Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.

IDS can apparently be both network based and host based.

But then the Wikipedia article about IPS states:

Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.[1]

Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected.[2]:273[3]:289 More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address.[4] An IPS can also correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.

Yuck, too much language that overlaps… :wink:

All I do know is that the network based IDS functions from CIS were removed years ago. Let’s see what might slip back in through the door or Viruscope.
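To make the alert-versus-block distinction concrete (the original suggestion wants an IPS option that blocks rather than just alerts, and the quoted Wikipedia text describes an IPS as an in-line IDS that can drop packets), here is an added toy engine that is not code from this thread, from Comodo/CIS or from Snort. It applies Snort-style content signatures to inbound web flows, checks outbound flows against a "known C2" list, and flags beaconing by looking for outbound connections to the same destination at nearly constant intervals. Every address (RFC 5737 TEST-NET ranges), signature, threshold and flow record is constructed for the example, and the `Flow` record, `SIGNATURES`, `KNOWN_C2`, `detect_beacons` and `run_engine` names are my own, not Comodo's.

```python
"""Toy signature + behaviour NIDS/NIPS model.

Added illustration, not code from Comodo, CIS or Snort. Every address,
signature, threshold and flow record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    """One observed connection, as a packet-inspecting firewall sees it."""
    ts: float         # seconds since start of capture
    src: str
    dst: str
    dport: int
    direction: str    # "in" = towards this host, "out" = leaving this host
    payload: bytes    # first bytes of application data


# Constructed Snort-style content signatures: (name, direction, port, pattern).
SIGNATURES = [("web.path_traversal", "in", 80, b"../../")]

# Constructed "known C2" address list (stand-in for a threat-intel feed).
KNOWN_C2 = {"203.0.113.7"}


def match_signatures(flow):
    """Return the names of all signatures whose pattern appears in the flow."""
    return [name for name, direction, port, pattern in SIGNATURES
            if flow.direction == direction and flow.dport == port
            and pattern in flow.payload]


def detect_beacons(flows, min_count=6, max_jitter=0.15):
    """Flag outbound (src, dst, dport) tuples whose connection intervals are
    nearly constant; returns {tuple: mean interval in seconds}.
    max_jitter bounds stdev/mean of the gaps; human-driven traffic is bursty
    and normally sits far above it."""
    stamps_by_pair = defaultdict(list)
    for f in flows:
        if f.direction == "out":
            stamps_by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = round(mean, 1)
    return beacons


def run_engine(flows, mode="ids"):
    """IDS mode only raises events and forwards everything; IPS mode (in-line)
    additionally drops the flows it matched. Returns (forwarded, events)."""
    beacons = detect_beacons(flows)
    forwarded, events = [], []
    for f in flows:
        reasons = match_signatures(f)
        if f.direction == "out":
            if f.dst in KNOWN_C2:
                reasons.append("c2.known_address")
            if (f.src, f.dst, f.dport) in beacons:
                reasons.append("c2.beaconing")
        if reasons:
            action = "drop" if mode == "ips" else "alert"
            events.append((f.ts, action, f.src, f.dst, reasons))
            if action == "drop":
                continue          # IPS: the flow never reaches the host
        forwarded.append(f)
    return forwarded, events


def sample_flows():
    """Constructed capture: normal and traversal web hits, irregular outbound
    TLS to a peer, one contact with a listed C2 address, and a 60-second
    beacon (small jitter) to an address that is NOT on the list."""
    hello = b"\x16\x03\x01"       # TLS record header, stands in for a ClientHello
    flows = [
        Flow(1.0, "198.51.100.5", "192.0.2.10", 80, "in", b"GET /index.html HTTP/1.1"),
        Flow(2.5, "198.51.100.5", "192.0.2.10", 80, "in", b"GET /../../etc/passwd HTTP/1.1"),
        Flow(3.0, "192.0.2.10", "192.0.2.200", 443, "out", hello),
        Flow(5.0, "192.0.2.10", "203.0.113.7", 443, "out", hello),
        Flow(47.0, "192.0.2.10", "192.0.2.200", 443, "out", hello),
        Flow(51.0, "192.0.2.10", "192.0.2.200", 443, "out", hello),
    ]
    for i, jitter in enumerate([0.0, 1.2, -0.8, 0.5, -1.5, 0.9]):
        flows.append(Flow(10.0 + 60 * i + jitter, "192.0.2.10", "203.0.113.42", 443, "out", hello))
    return sorted(flows, key=lambda f: f.ts)


if __name__ == "__main__":
    flows = sample_flows()
    for mode in ("ids", "ips"):
        forwarded, events = run_engine(flows, mode)
        print(f"{mode.upper()}: {len(flows)} in, {len(forwarded)} forwarded, {len(events)} events")
        for ts, action, src, dst, reasons in events:
            print(f"  t={ts:6.1f} {action:5} {src} -> {dst} {reasons}")
```

Running it shows the difference the thread is asking about: in IDS mode all twelve flows are forwarded and eight events are logged, while in IPS mode the same eight flows are dropped and only four reach the host. The beacon to 203.0.113.42 is caught purely by its timing, which is the point of behavioural outbound monitoring: a reputation list alone would have missed it.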

They have this sitting at the gateway level with Comodo’s Korugan product. This is based on SNORT and other FLOSS software packages alongside some of their own proprietary software.