Network Security Focus-IDS

RE: IPS, alternative solutions

Subject: RE: IPS, alternative solutions
Date: Wed, 29 Sep 2004 15:42:33 -0700

Jason wrote:

It is unfortunate that none of the potential advancements you are referring to are commercially viable today. Should one go looking at the inline technology available which implements some form of non-signature-based detection, they would find a product set that barely achieves accurate rate-based detection and is still only relative to a single sensing point.

I don't believe this.  For a company that has a current product specifically
focused on worm containment that seems to understand the issues reasonably
well, look at ForeScout

http://www.forescout.com

However, I believe it's quite possible to use broader-featured IPSs in a
similar mode, if not with quite the same slickness and sensitivity.
Anything that can identify and block a portscan can be used to contain
scanning worms.  An IPS that cannot block a portscan after the first 10-20
scans is not worth the name, but I'm sure most of the major commercial
players can do that.  After that, containing current generation zero-day
worms means understanding that the network must be broken up into zones
separated by IPSs, that it works outbound not inbound (i.e. you have to
contain the worm to the zone where it got started, not try to prevent it
getting into some zone, which is much harder), and that your ultimate
protection is limited by the sensitivity of the IPS (how many scans it lets
by before it blocks), and the vulnerability density on the network.  If 50%
of the addresses in your class B have the same codebase on the same service
turned on, and they are all mutually visible, no IPS can save you from a
zero-day scanning worm.  But there's no reason your internal firewalls have
to be *that* loose.

Not to say this is the end of the story -- the worms will evolve sneakier
spread strategies -- but it's perfectly possible to contain current worm
spread algorithms with currently available technology, even if the
underlying vulnerability is completely unknown at the time of worm release.

Stuart.
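The containment argument above (an IPS that cuts a host off after N scans, versus the vulnerability density of the zone) can be made concrete with a small model. This is an added example, not code from the post or from any product mentioned; the parameters `hosts`, `vuln_density` and `scans_before_block` and the random-scanning worm behaviour are assumptions of the model, and it covers only the zone the worm started in, since a blocked host can no longer reach other zones.

```python
import random

# Model assumptions (constructed for this example, not from the original post):
# - a random-scanning worm inside one IPS-protected zone of `hosts` addresses
# - each address is vulnerable with probability `vuln_density`
# - the IPS lets an infected host send `scans_before_block` scans, then blocks it


def expected_offspring(scans_before_block, vuln_density):
    """Mean number of new victims one infected host creates before it is blocked.

    This is the worm's reproduction number inside the zone: below 1.0 the
    outbreak fizzles, above 1.0 it grows until the vulnerable hosts run out.
    With 10 scans allowed and 50% density it is 5.0, which is the "no IPS can
    save you" case from the post.
    """
    return scans_before_block * vuln_density


def simulate_outbreak(hosts, vuln_density, scans_before_block, seed=0):
    """Monte Carlo run of a random-scanning worm; returns the number of hosts infected."""
    rng = random.Random(seed)
    vulnerable = {h for h in range(hosts) if rng.random() < vuln_density}
    vulnerable.add(0)           # patient zero is vulnerable by construction
    infected = {0}
    active = [0]
    while active:
        src = active.pop()
        # The IPS allows this many scans from src before cutting it off.
        for _ in range(scans_before_block):
            target = rng.randrange(hosts)
            if target in vulnerable and target not in infected:
                infected.add(target)
                active.append(target)
    return len(infected)


if __name__ == "__main__":
    # Sweep density and IPS sensitivity for a 1000-address zone.
    for density in (0.5, 0.1, 0.01):
        for budget in (10, 20):
            r0 = expected_offspring(budget, density)
            size = simulate_outbreak(1000, density, budget, seed=1)
            print(f"density={density:<5} scans_allowed={budget:<3} R0={r0:<5} infected={size}")
```

The sweep shows the threshold behaviour the post describes: at 50% density even a 10-scan budget lets the worm take almost every vulnerable host, while at 1% density the same IPS setting contains it to a handful of machines.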



