IDS mailing list archives

Re: Threats to IDS/IPS deployments


From: Ron Gula <rgula () tenablesecurity com>
Date: Thu, 31 May 2007 05:39:11 -0400

leeahart05 () aol com wrote:
I'm performing a risk assessment for a commercial IPS deployment 
at my place of work. The scope of the assessment is limited to
how we implemented and deployed the product - not how the product
works. Some areas that I will be reviewing include authentication
and authorization to the sensors and management systems, backup of
data and configuration settings, hardening of the sensors/systems,
and best practices such as testing signatures prior to installation
into production. I apologize if this is the wrong place to post.
I'm looking for input from this list as to current threats against
IPS/IDS installations as well as other areas to review during
my assessment. Thanks!


Hi there,

I'd start with your commercial vendor and ask them if they have any
recommended guides for hardening the deployments.

After that:

- conduct a vulnerability scan of all sniffers, management consoles,
event collectors, etc. Preferably perform these scans with credentials
so you can see if there are client-side issues.

- make sure you have a list of things your IPS depends on such as DNS
queries, web proxy settings, outbound ports which can't be blocked by
your firewall. The idea is to make sure some operational change does not
cause your IPS grief during some of its back-end processes.

- if you are running in IPS mode, I would test all new signatures in
alert only mode if possible rather than trying to duplicate your network
traffic in a lab. There are plenty of tools to replay traffic and
perform this sort of testing, but applications can potentially change on
your network without you knowing. I'd feel more comfortable running a
rule live for a few days prior to putting it into "block" mode.

- as for storage, the biggest mistake or issue I've seen arise is that
when disk or database space is low or slow, there is no alerting. If
your IT group can alert you when you are getting towards some level of
minimal hard disk space left, or if access drops below a certain
expected bandwidth, having this alert early on allows you to take action.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
http://blog.tenablesecurity.com
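The last point in Ron's reply, alerting before disk or database space runs out and before event throughput silently drops, is the kind of check that is easy to script. The following is an added example, not code from the thread or from any vendor product: it assumes a sensor or collector where the event store is a mounted volume and where an events-per-second figure can be sampled once a minute. The volume paths, thresholds and sample readings are constructed for illustration.

```python
"""Early-warning checks for IDS/IPS storage and event throughput.

Added example, not from the mailing-list thread or any vendor product.
Paths, thresholds and the sample figures below are constructed.
"""
from dataclasses import dataclass
import shutil
from typing import Iterable, List, Tuple


@dataclass
class VolumeStatus:
    path: str
    total_bytes: int
    free_bytes: int


def free_percent(v: VolumeStatus) -> float:
    """Percentage of the volume that is still free."""
    return 100.0 * v.free_bytes / v.total_bytes


def disk_alerts(volumes: Iterable[VolumeStatus],
                warn_pct: float = 20.0,
                crit_pct: float = 10.0) -> List[Tuple[str, str, float]]:
    """Return (severity, path, free_pct) for every volume below a threshold.

    Two thresholds, so the warning arrives while there is still time to
    add space or rotate data, before the event store stops accepting writes.
    """
    alerts = []
    for v in volumes:
        pct = free_percent(v)
        if pct < crit_pct:
            alerts.append(("CRITICAL", v.path, round(pct, 1)))
        elif pct < warn_pct:
            alerts.append(("WARNING", v.path, round(pct, 1)))
    return alerts


def throughput_alerts(samples: List[float], expected_min: float,
                      window: int = 3) -> List[int]:
    """Indices where the trailing-window mean of events/sec falls below expected_min.

    A collector that silently stops writing looks exactly like a quiet
    network; comparing against an expected floor is what catches the silence.
    Averaging over a window keeps a single quiet minute from paging anyone.
    """
    flagged = []
    for i in range(window - 1, len(samples)):
        mean = sum(samples[i - window + 1:i + 1]) / window
        if mean < expected_min:
            flagged.append(i)
    return flagged


def live_volume(path: str) -> VolumeStatus:
    """Read real figures for a mounted path (for use on an actual sensor)."""
    u = shutil.disk_usage(path)
    return VolumeStatus(path, u.total, u.free)


# Constructed sample: the event-store volume is nearly full, the OS volume is fine.
SAMPLE_VOLUMES = [
    VolumeStatus("/var/lib/ids-events", total_bytes=500 * 2**30, free_bytes=40 * 2**30),  # 8% free
    VolumeStatus("/", total_bytes=100 * 2**30, free_bytes=35 * 2**30),                    # 35% free
]
# Constructed sample: one reading per minute. The collector starts dropping
# at minute 4; the three-sample window flags it from minute 5 onward.
SAMPLE_EPS = [520.0, 510.0, 505.0, 498.0, 60.0, 40.0, 45.0]


if __name__ == "__main__":
    for sev, path, pct in disk_alerts(SAMPLE_VOLUMES):
        print(f"{sev}: {path} has {pct}% free")
    low = throughput_alerts(SAMPLE_EPS, expected_min=250.0)
    if low:
        print(f"event rate below floor starting at sample {low[0]}")
```

On a real sensor, `live_volume()` replaces the constructed `SAMPLE_VOLUMES`, and the throughput samples come from whatever counter the engine or collector exposes; the two threshold levels and the window size are the values worth tuning per deployment.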

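Ron's advice to run a new signature live in alert-only mode for a few days before putting it into "block" mode can be enforced mechanically at rule-load time. The following is an added example, not code from the thread or from any IDS vendor: it assumes Snort/Suricata-style rule text (`action proto src sport -> dst dport (options)`) and a record of the date each sid first went live; the rules and dates are constructed for illustration.

```python
"""Stage new IPS signatures in alert-only mode before letting them block.

Added example, not from the mailing-list thread or any vendor. It assumes
Snort/Suricata-style rule lines and a constructed sid -> first-seen record.
"""
import re
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

# Actions that interfere with traffic when the engine runs inline.
BLOCKING_ACTIONS = {"drop", "reject", "sdrop"}

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<rest>.+)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sid(rule: str) -> Optional[int]:
    """Return the numeric sid of a rule line, or None for comments/blank lines."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def stage_rules(rules: Iterable[str], approved_for_block: Set[int]) -> List[str]:
    """Rewrite blocking actions to 'alert' unless the sid has finished its trial.

    Comments, blank lines and rules that already only alert pass through
    untouched, so the output is a drop-in replacement for the rule file.
    """
    out = []
    for line in rules:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        m = RULE_RE.match(stripped)
        sid = rule_sid(stripped)
        if m and m.group("action") in BLOCKING_ACTIONS and sid not in approved_for_block:
            out.append("alert " + m.group("rest"))
        else:
            out.append(line)
    return out


def eligible_for_block(first_seen: Dict[int, date], today: date,
                       min_days: int) -> Set[int]:
    """Sids that have run in alert mode for at least min_days."""
    return {sid for sid, d in first_seen.items() if (today - d).days >= min_days}


# Constructed signatures for illustration (sids in the local range).
SAMPLE_RULES = [
    "# constructed signatures for illustration",
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed sig A"; sid:9000001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"constructed sig B"; sid:9000002; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"constructed sig C"; sid:9000003; rev:1;)',
]
# Constructed record of when each sid first went live in alert mode.
SAMPLE_FIRST_SEEN = {
    9000001: date(2007, 5, 20),
    9000002: date(2007, 5, 29),
    9000003: date(2007, 5, 30),
}


if __name__ == "__main__":
    approved = eligible_for_block(SAMPLE_FIRST_SEEN, date(2007, 5, 31), min_days=7)
    for line in stage_rules(SAMPLE_RULES, approved):
        print(line)
```

With a seven-day trial, only sid 9000001 keeps its `drop` action in the constructed sample; sid 9000002 is loaded as `alert` until its trial period has elapsed. The first-seen record is the piece that needs to persist between rule updates, since a re-downloaded ruleset carries no memory of how long a signature has already been watched.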