Educause Security Discussion mailing list archives

Re: IPS conference call


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Wed, 26 May 2010 15:16:39 -0500

I'd be interested in any v6 "weather reports" relevant to malware &c that people have, personally.

Since I'm bothering the list about this, I'll offer back that my home 6in4 tunnelbroker network which I've run since 
2004 or so has generally been *very* quiet.  At least until software such as Vuze became v6-capable.  I'm still able to 
log all v6 packets on my little network at the (PF) firewall and not seriously perturb my log system, so it's still 
pretty quiet out there.  I have seen a little bit of unusual activity shortly after connection to torrents with a 
v6-capable application, but I'm not absolutely certain it isn't just random client braindamage.

So, even if there's almost no background malware/scanning radiation, there's certainly the possibility for malicious 
systems on the v6 world to "discover" your existence and poke at you.  This would be an additional leverage point for 
worm-scanning such as written about by Bellovin et al back in 2006

Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick. Worm propagation strategies in an IPv6 Internet. ;login:, 
pages 70-76, February 2006. http://www.cs.columbia.edu/~smb/papers/v6worms.pdf


   -jml
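As an added illustration of the kind of check a defender can run over a "log every v6 packet" feed like the one described above (this is example code, not from the original post and not part of pf or OpenBSD): it groups logged IPv6 flows by source and flags any source that touched many distinct destination ports, which separates a torrent peer hitting one port from a host poking at several services. The one-record-per-line layout it parses is an assumption made for the example; pflog's real on-disk format is binary and would first be exported with tcpdump or a pcap library. The sample records are constructed.

```python
"""Flag IPv6 sources that touch many distinct ports on a small network.

Added example for the mailing-list thread; not the poster's code and not pf's.
Assumed input layout (one record per line, whitespace separated):
    <timestamp> <action> <proto> <src_addr> <src_port> <dst_addr> <dst_port>
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records (not real traffic): one torrent peer talking to a
# single port, one host walking several service ports on the same target, and
# a link-local DHCPv6 solicit that should simply be counted, not flagged.
SAMPLE_LOG = """\
2010-05-26T15:01:02 pass tcp 2001:db8:1::10 51234 2001:db8:100::5 6881
2010-05-26T15:01:03 pass tcp 2001:db8:1::10 51235 2001:db8:100::5 6881
2010-05-26T15:02:10 block tcp 2001:db8:2::7 40001 2001:db8:100::5 22
2010-05-26T15:02:10 block tcp 2001:db8:2::7 40002 2001:db8:100::5 23
2010-05-26T15:02:11 block tcp 2001:db8:2::7 40003 2001:db8:100::5 25
2010-05-26T15:02:11 block tcp 2001:db8:2::7 40004 2001:db8:100::5 80
2010-05-26T15:02:12 block tcp 2001:db8:2::7 40005 2001:db8:100::5 443
2010-05-26T15:03:00 pass udp fe80::1 546 ff02::1:2 547
this line is malformed and must be skipped
"""


def parse_records(text):
    """Yield (src, dst, dst_port, action) for each well-formed IPv6 record.

    Lines with the wrong field count, unparsable addresses or ports, or a
    non-IPv6 source are skipped rather than aborting the whole run.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        _ts, action, _proto, src, _sport, dst, dport = parts
        try:
            src_ip = ip_address(src)
            dst_ip = ip_address(dst)
            dport_n = int(dport)
        except ValueError:
            continue
        if src_ip.version != 6:
            continue
        yield str(src_ip), str(dst_ip), dport_n, action


def port_fanout(text):
    """Map each source address to the set of distinct destination ports it hit."""
    fanout = defaultdict(set)
    for src, _dst, dport, _action in parse_records(text):
        fanout[src].add(dport)
    return dict(fanout)


def suspicious_sources(text, min_ports=4):
    """Return (source, port_count) pairs for sources that touched at least
    min_ports distinct destination ports, widest fan-out first."""
    fan = port_fanout(text)
    hits = [(src, len(ports)) for src, ports in fan.items() if len(ports) >= min_ports]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_LOG):
        print(f"{src} touched {n} distinct destination ports")
```

The threshold of four distinct ports is arbitrary; on a quiet tunnel network like the one described, even a low threshold produces a short list worth reading, and raising `min_ports` is the knob to turn once the baseline is known.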

"Flynn, Gary" <flynngn () JMU EDU> 2010-05-26 14:45 >>>
Randy,

What ipv6 attacks have your IPS units detected? Just curious as we're getting ready to upgrade our IPS for IPv6 
capability and enable native IPv6 across the Internet border. Currently we're blocking IPv6 and allowing 
tunneling/transition protocols. We hope to reverse that.

I saw a white paper from ISS or eEye 5-6 years ago about detected IPv6 attacks and IPv6 enabled malware but haven't 
seen anything recently.

Thanks,
gary


On 5/26/10 3:22 PM, "randy marchany" <marchany () VT EDU> wrote:

One question that needs to be asked in any IPS evaluation is does the device detect IPv6 attacks. I know the majority 
of nets are not IPv6 but that's not a reason to not have an IPS device be able to detect IPv6.

-Randy Marchany
VA Tech IT Security Office

On Wed, May 26, 2010 at 2:40 PM, Brian Smith-Sweeney <bsmithsweeney () nyu edu> wrote:
Hello all,

I have seen the "what are your experiences with network intrusion
prevention systems" question come up a few times in the 12-24 months,
and thought I would offer to organize a conference call sometime in the
next week or so to continue those discussions live.  My goal would be to
summarize key points from that conversation and reshare them out to this
list.  This is decidedly non-altruistic - NYU has recently (re)started
an IPS evaluation project and would appreciate having access to such a
summary.

I think it would be particularly useful to discuss IPS evaluation in the
context of the publicly available information from NSSLabs, Gartner, and
ICSA, to see how that data stacks up against your experiences
implementing IPS in a higher-ed environment.

If you're interested in participating please send me a note (offline is
fine), including which vendors you have experience with. In the unlikely
event I get an overwhelming response and have to limit participation I
will make an effort to ensure a range of experiences is represented.

I'm working on some seed questions now which I'm happy to share if
there's interest.

Cheers,
Brian

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney                      Project Lead
ITS Technology Security Services, New York University
bsmithsweeney () nyu edu 
http://www.nyu.edu/its/security 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
