
| Subject: | Re: Signatures taking down network |
|---|---|
| Date: | Mon, 16 Jan 2006 10:51:44 -0800 (PST) |

There are many parameters involved in bringing about such a situation.

1. Firstly, yes, signature QA testing might have been skipped, or problems found during testing might have been ignored due to the severity of the threat for which the signatures were created in that release.
2. Testing might have happened on a different product from the one which you are using. Because when signature(s) for a newly discovered critical vulnerability are added, and due to the pressure of delivering the signature pack super fast, it's not always feasible to test the same signature pack against 20 different products/versions.
3. The vendor might have used a different test environment for testing. For example, vendors might have tested the signature pack by configuring a dummy network on an IDS/IPS running 2-3 domains. But in a live environment you might have a few 100s of different domains configured.
4. The vendor might have tested the signatures just for accuracy/syntax/working/attack blocking and might have skipped the performance testing of the IPS after including new signatures with the older set.

There could be many more reasons... And it's not the case of "xxx" vendor; these problems can be with any IPS vendor. But of course it's a serious problem and vendors should pay high attention to QA rather than increasing the signature count. Because no one would like to make his/her machine secure by plugging out the network cable.

-Dhruv

--- David Williams <dwilliamsd@gmail.com> wrote:

I'm evaluating a Tipping Point box and after getting the latest signatures I'm having problems with the box "crashing". My goal is not to bash Tipping Point, but instead to gather information on how often people have seen this type of thing among IPS boxes. Is there a trend with vendors to roll out signatures as fast as possible without proper QA?

This brings up a lot of questions about deploying IPS. I want two opposite things from my vendors:

1) I want the latest signatures super fast.
2) I want proper QA so that it doesn't bring down my network.

I realize those two things are contradictory, but I thought I'd throw it out there to see if anybody had any thoughts.

thanks,
d