Network Security Focus-IDS

Re: IDS vs. IPS deployment feedback

Subject: Re: IDS vs. IPS deployment feedback
Date: Thu, 13 Apr 2006 19:27:51 +0200
Andrew Plato wrote:

> experience. Dropped packets happen when people try to ram 1000mbps
> through an IPS rated at 200Mbps.

Really ?

And how is the thing "rated" in the first place ?

Throughput depends on service time. Service time in a router is of very
limited variability, in a firewall it may vary, in a complex thing such as
an IDS/IPS it varies wildly, depending on the traffic mix. So, you
should specify WHAT TRAFFIC the IPS is being validated and measured on.
Something that most companies won't do.

> They simply do not have the time or resources to baby an IDS and perform
> intricate security analysis.

And so they have the resources to put in-line an unknown device which
needs tuning and which could cut off, accidentally, customers from
revenue generating services ?

> And complex IDSs that generate 10000s
> of alerts and stop nothing are quickly ignored when the staff gets busy.

Instead, when each of those false alerts turns into a lost customer, no
one complains. That's right :)

> This is just false. Firewalls and IPS assume much different things. A
> firewall is a static set of rules that say what is allowed and what is
> not allowed. That's it.

A misuse-based IPS is exactly the same thing. There's actually no
difference.

> An IPS, on the other hand, lets everything through unless it does
> something that it knows is bad.

Aha ! GREEEEEEEEEAT IDEA !

One of the BESTEST in computer security !

BLACKLISTING !

Slide 1 of "Perimeter security 101" course: always begin from default
deny and WHITELIST. Look it up on the CISSP books, Andrew, it's in there
somewhere, I'm sure :)

> that is exactly what an IPS does. It can look at a stream and say: "it's
> HIGHLY unlikely that this gargantuan binary package in the middle of an
> ISAPI call is normal, so I am going to block it."

This is what a good anomaly based, intelligent IPS would do.
Unfortunately, there's a shortage of good anomaly based IPS products out
there :)

Stefano
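The point about "rated" throughput depending on service time and traffic mix, worked through as an added example (not from this thread or any vendor); the per-class packet sizes, inspection times and the two mixes are constructed assumptions:

```python
"""Why an IPS throughput rating means little without the traffic mix it was
measured on. Constructed example: service times and mixes are assumptions."""
from typing import Dict
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficClass:
    name: str
    avg_packet_bytes: int   # assumed average packet size for this class
    service_us: float       # assumed per-packet inspection time (microseconds)


# Constructed inspection profile: deeper parsing costs more time per packet.
PROFILE = {
    "bulk-transfer": TrafficClass("bulk-transfer", 1400, 8.0),   # big packets, little parsing
    "http-requests": TrafficClass("http-requests", 400, 40.0),   # header/URI normalisation
    "dns":           TrafficClass("dns", 90, 10.0),              # small packets, high pps
}


def sustainable_mbps(mix: Dict[str, float]) -> float:
    """Max bit rate (Mbps) a single inspection engine sustains for a mix.
    mix maps class name -> fraction of packets (fractions sum to 1).
    Throughput = packet-weighted mean bits / packet-weighted mean service time."""
    assert abs(sum(mix.values()) - 1.0) < 1e-9, "mix fractions must sum to 1"
    mean_service_s = sum(f * PROFILE[c].service_us for c, f in mix.items()) * 1e-6
    mean_bits = sum(f * PROFILE[c].avg_packet_bytes for c, f in mix.items()) * 8
    return mean_bits / mean_service_s / 1e6


def drop_fraction(offered_mbps: float, mix: Dict[str, float]) -> float:
    """Share of offered load the engine cannot service (0.0 when not overloaded)."""
    capacity = sustainable_mbps(mix)
    return max(0.0, 1.0 - capacity / offered_mbps)


# Constructed mixes: what a datasheet test used vs. a web-facing segment.
LAB_MIX = {"bulk-transfer": 0.9, "http-requests": 0.05, "dns": 0.05}
PROD_MIX = {"bulk-transfer": 0.3, "http-requests": 0.5, "dns": 0.2}

if __name__ == "__main__":
    for label, mix in (("lab", LAB_MIX), ("production", PROD_MIX)):
        print(f"{label}: sustains {sustainable_mbps(mix):.0f} Mbps, "
              f"drops {drop_fraction(1000, mix):.0%} of a 1000 Mbps load")
```

The same engine clears 1 Gbps on the bulk-heavy lab mix and lands near 200 Mbps on the request-heavy mix, which is the gap the "rated at 200Mbps" argument glosses over.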
