IDS mailing list archives

RE: Intrusion Prevention requirements document -Apology

From: "Talisker" <lists () securitywizardry com>
Date: Tue, 8 Nov 2005 19:01:58 -0000

Sorry, my last email managed to escape from my draft folder before I'd
finished, it was a long day!

My suggestion would be a compromise (no pun intended), test products on a
dev network and whittle down the contenders you will find showstoppers for
certain
Products that would eliminate them from further testing. I'd be cautious
about testing on a live network, however, I would suggest most strongly that
you do NOT purchase without having tried the product on a live network.  As
mentioned by others you can reduce the risk by deploying a passive policy.
Check out the false positive rate ensure that it is tolerable, but give the
product a fair chance and devote a great deal of time to tuning, a major
requirement is to be able to tune the IPS in an extremely granular fashion,
minimizing the reduction in sensitivity that tuning brings.

Hope this helps

Andy cuff

VT,

Andy Cuff
Chief Technology Officer
Computer Network Defence Ltd
http://www.securitywizardry.com

07010 709014

-----Original Message-----
From: vendortrebuchet () comcast net [mailto:vendortrebuchet () comcast net]
Sent: 29 October 2005 20:40
To: focus-ids () securityfocus com
Subject: Re: Intrusion Prevention requirements document

Another question for everyone,
When you brought in each vendor for evaluation, did you configure a test
network for them or did you use your production network?  My 1st concern
is  keeping my job :o)  If I test in production, I could impact

production

traffic.  If I don't test in production, how can I best ensure that I
won't have problems with custom applications, older IP stacks which

could

be an issue if RFC compliance checks are done, etc.
The vendor answer is always, "don't turn on blocking and just monitor."
Is that a reality?   I'd like some testimonials to this and some real

life

instances of what has been done from unbiased sources.

Thanks,

VT

All,

I work on a team that manages signature and behavioral based intrusion

detection

systems today.  We have been tasked with reviewing IPS (or whatever

vendor name

acronym you prefer) in '06.  Our normal process is to put together a

base

requirements document to weed out vendors in the first round through a

paper

exercise and then bring in the best we can identify.  My question is,

has

anyone developed a matrix that identifies key qualifiers in an IPS

solution

(e.g. in-line, fails open/closed, reporting features, etc.).  If so,

could you

provide links or the documents?

If not, what categories are most significant to consider in your

expert

opinions?  What reasons did you choose the solution you have?  What

would you

consider if you had to choose over again, etc?

Thanks in advance for your responses.

VT

----------------------------------------------------------------------

--

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-

ids_040708

to learn more.
----------------------------------------------------------------------

--


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

Current thread:

Re: Intrusion Prevention requirements document vendortrebuchet (Nov 03)
- RE: Intrusion Prevention requirements document Tony Haywood (Nov 07)
- RE: Intrusion Prevention requirements document Andy Cuff (Nov 08)
  - RE: Intrusion Prevention requirements document -Apology Talisker (Nov 09)
- <Possible follow-ups>
- RE: Intrusion Prevention requirements document Arun Vishwanathan (Nov 07)
  - RE: Intrusion Prevention requirements document FinAckSyn (Nov 09)
    - RE: Intrusion Prevention requirements document Tony Haywood (Nov 10)
    - Re: Intrusion Prevention requirements document Mike Frantzen (Nov 14)
    - Re: Intrusion Prevention requirements document Bob Walder (Nov 10)
- RE: Intrusion Prevention requirements document vendortrebuchet (Nov 07)
- RE: Intrusion Prevention requirements document Tony Haywood (Nov 10)
- RE: Intrusion Prevention requirements document Chris Ralph (Nov 14)
  - Re: Intrusion Prevention requirements document ADT (Nov 16)