Network Security Focus-IDS

RE: newbie questions

Subject: RE: newbie questions
Date: Fri, 14 Jan 2005 11:26:35 -0500
When defining an IPS policy, you would define valid assets within your
network (e.g. HTTP servers, SMTP servers, etc.).

You would then define an Acceptable Usage Policy (AUP) for each of these
services, so at L3: how many TCP connections you should allow to each, what
rate of UDP packets you would allow, and so forth.

Then at L4-7 you would take deeper action on the packet content once it has
passed these basic tests - so, are HTTP packets RFC compliant? Do their
headers or payloads contain data that could exploit vulnerabilities?

So - a true IPS will NEVER drop valid traffic, as it has passed a series of
acceptable usage tests to ensure it is in no way malicious.

What you need to worry about is whether or not your AUP will ever let
through malicious traffic, rather than your IPS dropping valid traffic,
because if you've defined an AUP properly, then your IPS should NEVER drop
valid traffic.

However, there are a number of IPS devices on the market that will break
AUPs under certain circumstances (usually heavy load) and also drop valid
traffic - so be careful when choosing an IPS and make sure you ask your
potential IPS vendor exactly how they guarantee that AUPs are fully
resistant under ANY network conditions, and how they ensure that valid
traffic is NEVER dropped (i.e. 0% packet loss).

Hope this helps!

Regards,

Tim
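As an added illustration of the layered policy Tim describes above (this is example code written for this page, not code from the thread or from any IPS product), a toy Python policy engine: the asset list, the per-service thresholds and the sample records are all constructed, and the HTTP check is a minimal request-line shape standing in for a full RFC compliance test. A record is dropped if it is not a defined asset, if it exceeds the L3/L4 limits, or, only once it has passed those, if its HTTP request line is malformed.

```python
import re
from collections import defaultdict
# Constructed asset inventory with per-service AUP thresholds (hypothetical values).
ASSETS = {
    ("10.0.0.10", 80): {"service": "http", "max_tcp_conns": 100},
    ("10.0.0.20", 25): {"service": "smtp", "max_tcp_conns": 50},
    ("10.0.0.30", 53): {"service": "dns", "max_udp_pps": 1000},
}

# Minimal HTTP/1.x request-line shape, standing in for the "RFC compliant?" test.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) /\S* HTTP/1\.[01]\r\n")

class PolicyEngine:
    """Checks a record bottom-up: known asset -> L3/L4 thresholds -> L7 content."""

    def __init__(self, assets):
        self.assets = assets
        self.tcp_conns = defaultdict(int)  # (dst, port) -> connections opened
        self.udp_pps = defaultdict(int)    # (dst, port, second) -> packets seen

    def evaluate(self, rec):
        """rec has proto, dst, dport, ts (seconds) and payload (bytes).
        Returns (verdict, reason). Each TCP record counts as one new connection."""
        key = (rec["dst"], rec["dport"])
        asset = self.assets.get(key)
        if asset is None:
            return "drop", "not a defined asset"
        if rec["proto"] == "tcp":
            self.tcp_conns[key] += 1
            if self.tcp_conns[key] > asset.get("max_tcp_conns", 0):
                return "drop", "tcp connection limit exceeded"
        elif rec["proto"] == "udp":
            bucket = key + (int(rec["ts"]),)
            self.udp_pps[bucket] += 1
            if self.udp_pps[bucket] > asset.get("max_udp_pps", 0):
                return "drop", "udp rate limit exceeded"
        # Deeper content inspection only for records that passed the basic tests.
        if asset["service"] == "http" and not REQUEST_LINE.match(rec["payload"]):
            return "drop", "http request line not RFC compliant"
        return "allow", "passed acceptable usage policy"

def demo():
    """Feed three constructed records through one engine; returns their verdicts."""
    eng = PolicyEngine(ASSETS)
    good = {"proto": "tcp", "dst": "10.0.0.10", "dport": 80, "ts": 0,
            "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"}
    bad = dict(good, payload=b"GET /index.html HTTP/9.9\r\n")
    unknown = dict(good, dst="10.0.0.99")
    return [eng.evaluate(r)[0] for r in (good, bad, unknown)]
```

Note that a valid request to a defined asset is only ever dropped by the threshold stage, which is exactly the part of the AUP that needs to be sized for the real traffic the server is expected to carry.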


-----Original Message-----
From: Stefano Zanero
To: Scruggs Stephen D SSgt AFWA/SCHS
Cc: Mike Paquette; focus-ids@securityfocus.com
Sent: 12/01/05 14:26
Subject: Re: newbie questions

Scruggs Stephen D SSgt AFWA/SCHS wrote:
> Even if the device has the latest and greatest features and would increase
> our security policy tenfold if we used it, if there was the slightest
> chance it would drop data, we would throw it out immediately.

What you mean, here, is that you will never, ever use an IPS on your 
network, since dropping data is exactly what the thing is used for...

Or perhaps what you mean is that you don't want to lose non-attack data 
(so, you are looking for zero-false-positive tools). Or perhaps what you 
mean is that you don't want to lose packets due to full queues (so, you 
are looking for really fast algorithms). Or perhaps both.

In every case, there IS more than the "slightest chance" an IPS will 
drop data. It's a distinct possibility: it's what the device is used 
for. If the idea is "better not to drop attack packets, because letting 
through ALL legitimate packets is so important to us" then you should 
just look at other technologies.

Stefano

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

