
| Subject: | Re: ICSA Labs Network IPS Testing |
|---|---|
| Date: | Tue, 04 Dec 2007 22:32:37 +0100 |

Hi, didn't mean to interfere in your ongoing flame, but:

> IPS certification testing, I thought I ought to correct some misleading information

Oh, good, let's see! You don't mind if instead of going through your whitepapers I just use your own email as a source, right?

> IPS certification testing program. The truth is that we do not "pick specific attacks and say that you must block these."

That's wonderful to hear. So, what do you do instead?

> provides coverage protection for all attacks targeting an evolving set of medium-to-high severity vulnerabilities that we and a consortium of 15 network IPS vendors (http://www.icsalabs.com/icsa/topic.php?tid=6a87$5813f3e2-37b77ee3$3b4a-f1d4a32d) believe are relevant to enterprise end users.

So, you pick specific attacks (which are a snapshot of a set of vulnerabilities that you + the tested vendors believe are relevant) and say "you must block these", right? This seems exactly the same sentence that Joel posted, only a bit more elaborate :)

And just to shoot another shot in the dead horse of IDPS testing, testing MISUSE based detectors (as most IPS are) on "detection rate" is pointless. Testing them on coverage is tricky at best, and does not really provide any useful insight at all on IPS where (as Joel pointed out) having 60k signatures instead of 30k does not really mean anything.

Oh, and on a side note:

> a) is in no position to speak authoritatively about ICSA Labs network IPS testing,

The sheer fact that someone is "in no position to speak" about your tests means that your tests are lacking. If a test is properly documented and scientific, everybody is in a position to speak about it. In the particular case of Joel Snyder, who has been doing excellent tests for a long time, I'd say he is in a particularly good position to comment.

If this email sounds harsh, well, it is. I just don't like people commenting AGAINST other people, instead of pointing out the specific flaws in their posts.

Best,
Stefano