Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Wishlist for IPS Products

from [PS R] Network Security [Permanent Link]
Subject: Re: Wishlist for IPS Products
Date: Fri, 17 Sep 2004 13:37:26 -0400 
And what about blocking fragmented packets entirely.  I would argue
that this would be an acceptable config on many networks.

Jack


On Thu, 16 Sep 2004 23:30:30 -0400, Tony Carter <tcarter@entrusion.com> wrote:

David,
Can you back your claim that IPS can easily be evaded by fragging
packets? Have you actually tested this or is it your guess?

-Tony




On Sep 12, 2004, at 12:29 AM, David Maynor wrote:


Yeah....I am gonna go ahead and disagree with you on some of these.


I have seen a lot of discussion about the differences between IDS,
IPS, and firewalls and the potential for convergence, but I do not
recall a discussion on the primary features that an IPS should have
out of the box.

I am thinking of:
- Flow Control - limitations on flooding, unused connections, etc...


Most of this should be handled by the signature base.


- Robust, ACURATE signature base


Only way to do this and not create tons of false postives is true
protocol parsing. This knocks out most IPS vendors like Tipping Point.


- Packet capture - no debate on how much before, as that has been
covered
- Pre-deployment network analysis tools to accelerate deployment
- Anomaly detection


Why? I have yet to see a system that is more than a parlor trick.
Anomaly based system are even easier to evade than sig based systems
that don't do protocol parsing.

What I would add is better tools for testing. Almost nobody grabs a
copy of Canvas from Immunity or Impact from Core and actually checks
what attacks are caught. Further more an even fewer number use modded
copies of public exploits to see if the claims made by vendors are
actually true. How many vendor's IPS implementation would actual catch
a MS03-026 exploit if you frag at the RPC layer at a size like 8
bytes?

-----------------------------------------------------------------------
---
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
-----------------------------------------------------------------------
---






--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: What is false alarm rate and false positive rate?, Zhuowei Li
Next by Date:  RE: IPS, alternative solutions, Murtland, Jerry
Previous by Thread:  Re: Wishlist for IPS Products, Tony Carter
Next by Thread:  Re: Wishlist for IPS Products, David Maynor
Indexes:  [Date] [Thread] [Top] [All Lists]