
Network Security Pen-Test

Re: IPS comparison

Subject: Re: IPS comparison
Date: Sat, 30 Jul 2005 19:19:59 -0300 (ART)
This is not the first time I have heard about it. TippingPoint does NOT detect 0-day vulnerabilities. This "anomaly" detection will only detect 0-day exploits for known vulnerabilities. If they do not know about a vulnerability, there is no way their "anomaly" detection system will detect anything. Btw, most of the other IDS/IPS vendors create rules to detect the vulnerability instead of the exploit.

Thanks,

--
Daniel B. Cid, CISSP
daniel.cid @ ( at ) gmail.com

--- Joey Peloquin <joeyp@cotse.net> wrote:

Gregory D. McPhee wrote:

TippingPoint is signature based, catches what is known to be bad.

I'm evaluating TippingPoint's device right now, and that's not entirely true. The only *static* signatures used are the AV, Spyware, IM, and P2P filters. Everything else is anomaly-based, through the use of regex, and the vulnerabilities themselves. This is why TP claims the ability to stop so-called 0-day attacks.

In fact all vendors who claim the ability to stop 0-day attacks do so because they are supposed to be filtering on the vulnerability, not an exploit signature, static packet anomaly, etc. Another characteristic of these devices is the fact that they do "deep packet inspection", rather than a protocol decode and "best guess" based on irregularities in the way it's supposed to function.

To the original poster, I'd suggest getting people from the network and security side together (if it's not the same people) and discuss *your* requirements in a device. Come up with a list of 10-15 vendors (easily done with the wealth of information already posted to the list), send out an RFI, and grade their responses against your requirements. Bring the top four in for their presentations, then select the top two to go head-to-head.

The testing methodology you use with your finalists would consist of a mish-mash of networking and security tests including latency measurements, failover, blocking ability under 100% utilization while pushing an update, attacker | victim scenarios using tools like metasploit and manual techniques (both with and without load), and fragmented attacks using fragroute (with and without load), etc.

Don't forget to get some live pcap captures from your edge, too, so you get a peek at what you already know is out there ;)

Good Luck...Joey
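The thread turns on two points: a filter written against the vulnerability catches re-encoded exploits for that bug but nothing for a bug the vendor does not know about, and a per-packet check can be sidestepped by splitting the attack across segments (the fragroute test above). The toy IPS below is an added illustration of both points, not code from either poster or from TippingPoint; the "USER" command, the 64-byte buffer, the signature bytes and all traffic samples are constructed for the example.

```python
"""
Toy IPS filters contrasting an exploit signature with a vulnerability-
condition filter, and per-packet inspection with stream reassembly.
Added example; the protocol, buffer size and payloads are constructed.
"""
import re

# Hypothetical vulnerable daemon: "USER <name>\r\n" copies <name> into a
# 64-byte stack buffer without a bounds check. The vulnerability is the
# length of the field, not any particular payload (constructed bug).
USER_BUF = 64

# Exploit signature: the bytes of one public exploit for that bug, a NOP
# sled followed by a recognisable shellcode prefix (constructed values).
EXPLOIT_SIG = re.compile(rb"\x90{16}\xeb\x1f\x5e")


def signature_filter(data: bytes) -> bool:
    """Exploit-signature check: fires only on the known exploit bytes."""
    return EXPLOIT_SIG.search(data) is not None


def vuln_filter(data: bytes) -> bool:
    """Vulnerability-condition check: any USER field longer than the
    buffer trips it, whatever bytes fill the field."""
    for line in data.split(b"\r\n"):
        if line.startswith(b"USER ") and len(line) - 5 > USER_BUF:
            return True
    return False


def inspect(segments, reassemble: bool) -> dict:
    """Run both filters over a list of TCP segment payloads.
    reassemble=False judges each segment on its own (per-packet
    inspection); reassemble=True joins the stream first, as a
    deep-packet-inspection engine that tracks the connection would."""
    if reassemble:
        data = [b"".join(segments)]
    else:
        data = list(segments)
    return {
        "signature": any(signature_filter(d) for d in data),
        "vulnerability": any(vuln_filter(d) for d in data),
    }


# --- constructed traffic samples ---
PUBLIC_EXPLOIT = b"USER " + b"\x90" * 16 + b"\xeb\x1f\x5e" + b"A" * 200 + b"\r\n"
# Same bug, re-encoded payload: the signature's bytes never appear.
REENCODED_EXPLOIT = b"USER " + b"\x41\x42" * 150 + b"\r\n"
BENIGN = b"USER alice\r\n"
# A bug in a different command that neither filter has a model for.
UNKNOWN_BUG = b"PASS %n%n%n%n\r\n"
# The public exploit cut so the NOP sled straddles two segments.
_CUT = len(b"USER ") + 8
FRAGMENTED = [PUBLIC_EXPLOIT[:_CUT], PUBLIC_EXPLOIT[_CUT:]]


def evaluate() -> dict:
    """Verdicts for every sample under both inspection modes."""
    return {
        "public_exploit": inspect([PUBLIC_EXPLOIT], reassemble=True),
        "reencoded_exploit": inspect([REENCODED_EXPLOIT], reassemble=True),
        "benign": inspect([BENIGN], reassemble=True),
        "unknown_bug": inspect([UNKNOWN_BUG], reassemble=True),
        "fragmented_per_packet": inspect(FRAGMENTED, reassemble=False),
        "fragmented_reassembled": inspect(FRAGMENTED, reassemble=True),
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:24s} signature={verdict['signature']!s:5s} "
              f"vulnerability={verdict['vulnerability']}")
```

The re-encoded exploit is the case Joey and Daniel agree on: the signature misses it, the vulnerability filter catches it. The "PASS" format-string sample is Daniel's caveat: a bug nobody has modelled passes both. The fragmented case is why the fragroute run belongs in the bake-off: with per-packet inspection neither filter fires, and only after reassembly does either see the attack.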

