Network Security Focus-IDS

Re: Threats to IDS/IPS deployments

Subject: Re: Threats to IDS/IPS deployments
Date: Thu, 31 May 2007 05:39:11 -0400
leeahart05@aol.com wrote:
I'm performing a risk assessment for a commercial IPS deployment 
at my place of work. The scope of the assessment is limited to
how we implemented and deployed the product - not how the product
works. Some areas that I will be reviewing include authentication
and authorization to the sensors and management systems, backup of
data and configuration settings, hardening of the sensors/systems,
and best practices such as testing signatures prior to installation
into production. I apologize if this is the wrong place to post.
I'm looking for input from this list as to current threats against
IPS/IDS installations as well as other areas to review during
my assessment. Thanks!


Hi there,

I'd start with your commercial vendor and ask them if they have any
recommended guides for hardening the deployments.

After that:

- conduct a vulnerability scan of all sniffers, management consoles,
event collectors, etc. Preferably perform these scans with credentials
so you can see if there are client-side issues.

- make sure you have a list of things your IPS depends on such as DNS
queries, web proxy settings, outbound ports which can't be blocked by
your firewall. The idea is to make sure some operational change does not
cause your IPS grief during some of its back-end processes.

- if you are running in IPS mode, I would test all new signatures in
alert only mode if possible rather than trying to duplicate your network
traffic in a lab. There are plenty of tools to replay traffic and
perform this sort of testing, but applications can potentially change on
your network without you knowing. I'd feel more comfortable running a
rule live for a few days prior to putting it into "block" mode.

- as for storage, the biggest mistake or issue I've seen arise is that
when disk or database space is low or slow, there is no alerting. If
your IT group can alert you when you are getting towards some level of
minimal hard disk space left, or if access drops below a certain
expected bandwidth, having this alert early on allows you to take action.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
http://blog.tenablesecurity.com
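
One way to operate the alert-first staging described in the reply above, as an added example that is not from the thread, from Tenable, or from any IPS vendor. It assumes Snort/Suricata-style rule syntax, where the leading action keyword (`alert` vs `drop`) decides whether a matching packet is only logged or blocked; the staging policy (minimum days live, tolerated false positives), the rules, and the analyst-triaged alert log are constructed sample data.

```python
import re
from datetime import date, timedelta

# Snort/Suricata style rule: the leading action keyword decides alert vs drop.
RULE_RE = re.compile(r"^(?P<action>alert|drop)\s+(?P<rest>.*\bsid:\s*(?P<sid>\d+);.*)$")


def parse_rule(line: str) -> dict:
    """Split a rule into its action, numeric sid and the remainder of the rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    return {"action": m["action"], "sid": int(m["sid"]), "rest": m["rest"]}


def ready_to_block(sid, deployed_on, today, hits, min_days=3, max_fp=0) -> bool:
    """A rule may move to drop mode once it has run live in alert mode for
    min_days and its alerts contain no more than max_fp analyst-confirmed
    false positives (the staging thresholds are an assumption of this example)."""
    days_live = (today - deployed_on).days
    fps = sum(1 for h in hits if h["sid"] == sid and h["false_positive"])
    return days_live >= min_days and fps <= max_fp


def stage_rules(rule_lines, deployed_on, hits, today, **policy) -> list:
    """Return the rule set with every alert rule that passed staging rewritten
    to drop; rules still in their staging window keep their alert action."""
    out = []
    for line in rule_lines:
        r = parse_rule(line)
        if r["action"] == "alert" and ready_to_block(r["sid"], deployed_on[r["sid"]], today, hits, **policy):
            out.append(f"drop {r['rest']}")  # promote: same rule body, blocking action
        else:
            out.append(line.strip())
    return out


# Constructed sample data: three staged rules, their deployment dates and the
# alerts an analyst has triaged while the rules ran in alert-only mode.
TODAY = date(2007, 5, 31)
RULES = [
    'alert tcp any any -> $HOME_NET 445 (msg:"STAGING smb probe"; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"STAGING web scanner UA"; sid:1000002; rev:1;)',
    'alert udp any any -> $HOME_NET 53 (msg:"STAGING dns tunnel"; sid:1000003; rev:1;)',
]
DEPLOYED = {1000001: TODAY - timedelta(days=5), 1000002: TODAY - timedelta(days=5),
            1000003: TODAY - timedelta(days=1)}
HITS = [
    {"sid": 1000001, "false_positive": False},
    {"sid": 1000002, "false_positive": True},   # triaged: internal monitoring tool
    {"sid": 1000002, "false_positive": False},
]

if __name__ == "__main__":
    for rule in stage_rules(RULES, DEPLOYED, HITS, TODAY):
        print(rule)
```

Only sid 1000001 is promoted: 1000002 has a confirmed false positive and 1000003 has not yet run live for the minimum period.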