Network Security Focus-IDS

RE: Intrusion Prevention requirements document -Apology

Subject: RE: Intrusion Prevention requirements document -Apology
Date: Tue, 8 Nov 2005 19:01:58 -0000
Sorry, my last email managed to escape from my draft folder before I'd
finished; it was a long day!

My suggestion would be a compromise (no pun intended): test products on a
dev network and whittle down the contenders; you will find showstoppers for
certain products that would eliminate them from further testing. I'd be
cautious about testing on a live network; however, I would suggest most
strongly that you do NOT purchase without having tried the product on a live
network. As mentioned by others, you can reduce the risk by deploying a
passive policy. Check out the false positive rate and ensure that it is
tolerable, but give the product a fair chance and devote a great deal of
time to tuning. A major requirement is to be able to tune the IPS in an
extremely granular fashion, minimizing the reduction in sensitivity that
tuning brings.

Hope this helps

Andy Cuff

VT,

Andy Cuff
Chief Technology Officer
Computer Network Defence Ltd
http://www.securitywizardry.com

07010 709014


-----Original Message-----
From: vendortrebuchet@comcast.net [mailto:vendortrebuchet@comcast.net]
Sent: 29 October 2005 20:40
To: focus-ids@securityfocus.com
Subject: Re: Intrusion Prevention requirements document

Another question for everyone,
When you brought in each vendor for evaluation, did you configure a test
network for them or did you use your production network?  My 1st concern
is keeping my job :o)  If I test in production, I could impact production
traffic.  If I don't test in production, how can I best ensure that I
won't have problems with custom applications, older IP stacks which could
be an issue if RFC compliance checks are done, etc.
The vendor answer is always, "don't turn on blocking and just monitor."
Is that a reality?  I'd like some testimonials to this and some real life
instances of what has been done from unbiased sources.

Thanks,

VT


All,

I work on a team that manages signature and behavioral based intrusion
detection systems today.  We have been tasked with reviewing IPS (or
whatever vendor name acronym you prefer) in '06.  Our normal process is to
put together a base requirements document to weed out vendors in the first
round through a paper exercise and then bring in the best we can identify.
My question is, has anyone developed a matrix that identifies key
qualifiers in an IPS solution (e.g. in-line, fails open/closed, reporting
features, etc.).  If so, could you provide links or the documents?

If not, what categories are most significant to consider in your expert
opinions?  What reasons did you choose the solution you have?  What would
you consider if you had to choose over again, etc?

Thanks in advance for your responses.

VT

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
