Network Security Focus-IDS

Re: IDS/IPS testing methodology

Subject: Re: IDS/IPS testing methodology
Date: Wed, 13 Oct 2004 10:58:29 +0200
Hi,

I worked on different tests on different NIPS technologies. IMHO the
NIPS testing falls in the common field of Firewall and IDS test,
or I prefer to say it's a level 7 firewall test.
The test is strictly related to your network environment, and should measure:

- Functionalities: how the NIPS performs its job, i.e. if it detects
attacks, and how it protects your network from them;
- Performance: how the NIPS does its job in stress conditions
(throughput, connections per second, application transactions per
second, latency, etc. etc.);
- HA: how the NIPS service is always available (which levels of HA they have);
- Management: how easy it is to manage the system, and which information
you get from them;
- Security: how strong the NIPS is, i.e. how it resists attacks
directed at itself, or how it resists bad traffic

Your best starting points are RFC 3511, and OSEC (http://osec.neohapsis.com).
I suggest you capture your network traffic using a sniffer, for 2-3
days, and then use a traffic generator like Spirent Web
Avalanche/Reflector to replay it, adding also crafted traffic
(Avalanche is able to create HTTP, SMTP, POP3, DNS, RTSP, Telnet,
etc. etc.), and inject well-known attacks using Blade IDS Informer,
to perform the tests.

Pay great attention to the bugs that the NIPS could have (above all
under load conditions)!
You can do that also using black box testing tools.

- gian


On 9 Oct 2004 21:40:47 -0000, hakked@yahoo.com <hakked@yahoo.com> wrote:


New to the IPS arena and am looking for a documented standard or method for
testing IPS technologies in parallel. Have a suite of test tools (nessus, IDS
Reformer, metasploit, etc.), and we are able to test the NIDS tools fairly
well off a hub, however I'm now concentrating on how to set up the network to
be able to test the IPSs in parallel at the same time. This will be an
ongoing research project.

-j

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------




-- 
   _____
Ing. Gianpiero Porchia
Security Consultant

ATS - Advanced Telecom Systems S.p.A.
Designing, Testing, Managing Network Quality

Via Salgari, 17 - 41100 Modena - ITALY

Tel   +39 059 821332
Fax  +39 059 821492
