
| Subject: | Re: location of an IPS |
|---|---|
| Date: | Sat, 22 Oct 2005 01:41:16 +0100 (BST) |

Doug...

I faced a similar problem when I tested the UnityOne. My observations below may help to clarify some of your questions:

1) For infrastructure protection... put the IPS in front of the firewall (internet-side).

2) Many events are by default configured as notify-only, some are block+notify and some are block-only.

3) The ones that are notify have different "levels" of notifying. I can't remember exactly what they are called but in essence some will show up as stats only, and some will have full block details associated with them.

4) TP swears that they are blocking the vulnerability itself and thus LanGuard scans don't actually trip the vulnerability. We never came to a consensus on this one.

The standard PHF string contains the basis of the buffer overflow exploit no matter what you change in the attack string... TP did not out of the box catch it. Actually... I don't remember if it ever did stop the PHF's that I threw at it. My sniffers on the other side of UnityOne recorded the full attack and my exploit went through untouched.

I basically use the PHF signature the same way the anti-virus world uses the EICAR file... to test to make sure the anti-virus is working.

I hope someone from TP can help to clarify why they think LanGuard doesn't give accurate results against their product (i.e. is not detected) but other products do detect it.

-Aseeker

--- Doug Fox <dfox168@hotmail.com> wrote:

I'm sorry for this dumb question, which may have been answered many times.

Where should one place a TippingPoint Unity 50 IPS device? Behind or in front of a firewall?

I have a/the TippingPoint behind a Check Point firewall. Even though we externally and internally port-scanned the firewall and the IPS many times, the activity log did not contain any record of the "attacks". What am I missing here?

Any pointers are appreciated.

Thanks,