Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Threats to IDS/IPS deployments

from [thaywood] Network Security [Permanent Link]
Subject: Re: Threats to IDS/IPS deployments
Date: 31 May 2007 14:34:06 -0000 
Leea, 

Your post raises an interesting topic, how often do users perform an assessment 
of their key security defenses to prove that they perform operationally as 
described in the marketing materials, my bet is not that often in reality. 

I have worked in the security market space for the last 15 years and during 
that time have seen many end users want to but not really know how to test 
their security defenses. You spend a lot of money on these systems, then many 
times users put their faith that the product is working as advertised without 
realy being able to prove it or having the necessary tools to help. 

One regular post to this list is "can I use a vulnerability scanner to test my 
IDS/IPS", the answer is generally no as they are not designed for that purpose. 

There are a number of things that you should really look at when testing an IDS 
or IPS system and one of the most important things is just how useable is it? 

If the worst happens and some kind of attack is picked up does the management 
console become unusable due to the scale and volume of alerts? (I've seen many 
deployments where a slight burst in activity can make the management system 
become a monster and un useable) 

How easy is it to spot if a sensor has gone off line? (I've seen many occasions 
when acording to the management console the sensor is working fine and active 
but in reality somehow it has "gone to sleep" and is not picking up anything.  

There are a number of resources out there to help you 

http://www.karalon.com/products.htm

The Tolly Group also published a whitepaper on IPS testing and benchmarking you 
may find intresting. 

http://www.tolly.com/ts/2006/TollyEdge/IPS-Wired/TollyWP206115TollyEdgeIPS-Wired-May2006.pdf

Regards
Tony 


Tony Haywood 
CTO
www.karalon.com 
Audit, Test, Prove & Validate 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  HIDS for Windows, Windowsmobile and Symbian., Hans Gartemann
Next by Thread:  Re: Threats to IDS/IPS deployments, dcdave
Indexes:  [Date] [Thread] [Top] [All Lists]