Educause Security Discussion mailing list archives
Re: IPS conference call
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Wed, 26 May 2010 15:16:39 -0500
I'd be interested in any v6 "weather reports" relevant to malware &c that people have, personally.

Since I'm bothering the list about this, I'll offer back that my home 6in4 tunnelbroker network which I've run since 2004 or so has generally been *very* quiet. At least until software such as Vuze became v6-capable. I'm still able to log all v6 packets on my little network at the (PF) firewall and not seriously perturb my log system, so it's still pretty quiet out there.

I have seen a little bit of unusual activity shortly after connection to torrents with a v6-capable application, but I'm not absolutely certain it isn't just random client braindamage.

So, even if there's almost no background malware/scanning radiation, there's certainly the possibility for malicious systems on the v6 world to "discover" your existence and poke at you. This would be an additional leverage point for worm-scanning such as written about by Bellovin et al back in 2006

Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick. Worm propagation strategies in an IPv6 Internet. ;login:, pages 70-76, February 2006.
http://www.cs.columbia.edu/~smb/papers/v6worms.pdf

-jml
"Flynn, Gary" <flynngn () JMU EDU> 2010-05-26 14:45 >>>

Randy,

What IPv6 attacks have your IPS units detected? Just curious as we're getting ready to upgrade our IPS for IPv6 capability and enable native IPv6 across the Internet border. Currently we're blocking IPv6 and allowing tunneling/transition protocols. We hope to reverse that.

I saw a white paper from ISS or eEye 5-6 years ago about detected IPv6 attacks and IPv6 enabled malware but haven't seen anything recently.

Thanks,
gary

On 5/26/10 3:22 PM, "randy marchany" <marchany () VT EDU> wrote:

One question that needs to be asked in any IPS evaluation is does the device detect IPv6 attacks. I know the majority of nets are not IPv6 but that's not a reason to not have an IPS device be able to detect IPv6.

-Randy Marchany
VA Tech IT Security Office

On Wed, May 26, 2010 at 2:40 PM, Brian Smith-Sweeney <bsmithsweeney () nyu edu> wrote:

Hello all,

I have seen the "what are your experiences with network intrusion prevention systems" question come up a few times in the 12-24 months, and thought I would offer to organize a conference call sometime in the next week or so to continue those discussions live. My goal would be to summarize key points from that conversation and reshare them out to this list. This is decidedly non-altruistic - NYU has recently (re)started an IPS evaluation project and would appreciate having access to such a summary.

I think it would be particularly useful to discuss IPS evaluation in the context of the publicly available information from NSSLabs, Gartner, and ICSA, to see how that data stacks up against your experiences implementing IPS in a higher-ed environment.

If you're interested in participating please send me a note (offline is fine), including which vendors you have experience with. In the unlikely event I get an overwhelming response and have to limit participation I will make an effort to ensure a range of experiences is represented. I'm working on some seed questions now which I'm happy to share if there's interest.

Cheers,
Brian

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney
Project Lead
ITS Technology Security Services, New York University
bsmithsweeney () nyu edu
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~