Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ISS - virtual patching

from [David Maynor] Network Security [Permanent Link]
Subject: Re: ISS - virtual patching
Date: Sat, 22 Jul 2006 09:29:28 -0400 
You are making some assumptions here:

1. You find out about the vuln the same time ISS does. Due to excellent
threat intelligent and a top notch Research and Development team they are
likely to know about the threat long before you do.

2. The fact that a security vendor actually has the ability to test traffic
in the wild is pretty impressive and should be considered the standard.
Protocols are updated all the time, traffic changes constantly, the only way
to make sure you are hitting the bad traffic and not blocking the good is
real world testing. Since I use to be in R&D at ISS there I will say 8 weeks
is a bit much, but the sig soak in periods are more than enough to shake
alot of false positives out.

On 11 Jul 2006 14:34:41 -0000, phb@gmail.com <phb@gmail.com> wrote: 
I was at an ISS event (but I guess it applies to all IPS vendors) where they 
said after a signature is written they QA it to prevent false positives, for 
about 8 weeks in the wild.

It sounded a little counter productive to the "virtual patching" claims, since 
that often means the protection comes in after I've already patched the system.

I agree I wouldn't deploy prevention prior to being sure it'll not cause a DoS 
to the network (or at all until this technology matures a little more), but 
with this attitude what is the IPS virtual patch hype all about?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  BASE 1.2.6 (christine) released, Kevin Johnson
Next by Date:  RE: ISS - virtual patching, Palmer, Paul (ISSAtlanta)
Previous by Thread:  ISS - virtual patching, phb
Next by Thread:  Re: ISS - virtual patching, Stefano Zanero
Indexes:  [Date] [Thread] [Top] [All Lists]