Educause Security Discussion mailing list archives
Re: IPS vulnerable to Spoofing
From: John Kemp <kemp () NETWORK-SERVICES UOREGON EDU>
Date: Thu, 16 Feb 2006 18:43:00 -0800
On Thursday 16 February 2006 17:52, Dave Huth wrote:
IPS systems detect attacks and react to stop the attack in real time. An in-line IPS will usually filter the attacking traffic. Out-of-band IPS systems usually reset the connection or insert a firewall rule to block the traffic. In either case (especially out-of-band) an attacker can spoof an IP address of a valuable service having the IPS react not on the attacker but on the valuable service. Has anyone done a risk assessment of out-of-band IPS with the spoof in mind?

Dave Huth
OIT Technical Services
University of Utah

Most of the IPSs have exemption lists that the owner can create in order to guarantee that this kind of event does not happen. Most institutions also take anti-spoofing measures in their networks at the border for remote attacks and at each subnet interface internally to prevent local attacks by limited checking of source IP addresses.

--
John G. Kemp ( kemp () network-services uoregon edu )
http://security.uoregon.edu/
mailto:security () uoregon edu
pgp:C9BE D1C4 9893 1A9E FF1A B354 77DE E6DC A3CA 7130
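
The two controls named in the reply above (an exemption list, and limited source-address checks at the border and at each subnet interface), sketched as an added example that is not part of the original thread or of any IPS product. All addresses (documentation ranges), interface names and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data; none of these values come from the thread.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("198.51.100.0/24")]

# Sources the IPS must never block automatically (hypothetical entries).
EXEMPT = [ipaddress.ip_network("192.0.2.53/32"),    # campus DNS server
          ipaddress.ip_network("203.0.113.10/32")]  # off-campus partner service

# Interface -> prefix allowed to source traffic on it; None marks the border.
INTERFACES = {"border0": None,
              "vlan10": ipaddress.ip_network("192.0.2.0/24"),
              "vlan20": ipaddress.ip_network("198.51.100.0/24")}


def source_is_plausible(iface, src):
    """Limited source check: campus addresses must not arrive from outside,
    and a subnet interface must only see sources from its own prefix."""
    addr = ipaddress.ip_address(src)
    local = INTERFACES[iface]
    if local is None:
        return not any(addr in net for net in CAMPUS_NETS)
    return addr in local


def ips_action(iface, src):
    """Decide the automated response to an alert attributed to src."""
    addr = ipaddress.ip_address(src)
    if not source_is_plausible(iface, src):
        # The claimed source cannot be real here: drop the packet and
        # do not install a block against the address being impersonated.
        return "drop-spoofed"
    if any(addr in net for net in EXEMPT):
        # The source check cannot rule out spoofing within the same subnet
        # or of off-campus hosts, so exempt sources are alert-only.
        return "alert-only"
    return "block-source"


if __name__ == "__main__":
    for iface, src in [("border0", "192.0.2.53"), ("vlan10", "192.0.2.53"),
                       ("border0", "203.0.113.10"), ("border0", "203.0.113.77")]:
        print(f"{iface:8} {src:15} -> {ips_action(iface, src)}")
```

The exemption list covers the cases the source check cannot: a host on the same subnet as the exempt server, or an outside sender claiming an off-campus exempt address.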