IDS mailing list archives
Re: Threats to IDS/IPS deployments
From: Ron Gula <rgula () tenablesecurity com>
Date: Thu, 31 May 2007 05:39:11 -0400
leeahart05 () aol com wrote:
I'm performing a risk assessment for a commercial IPS deployment at my place of work. The scope of the assessment is limited to how we implemented and deployed the product - not how the product works. Some areas that I will be reviewing include authentication and authorization to the sensors and management systems, backup of data and configuration settings, hardening of the sensors/systems, and best practices such as testing signatures prior to installation into production. I apologize if this is the wrong place to post. I'm looking for input from this list as to current threats against IPS/IDS installations as well as other areas to review during my assessment. Thanks!
Hi there,

I'd start with your commercial vendor and ask them if they have any recommended guides for hardening the deployments. After that:

- conduct a vulnerability scan of all sniffers, management consoles, event collectors, etc. Preferably perform these scans with credentials so you can see if there are client-side issues.

- make sure you have a list of things your IPS depends on such as DNS queries, web proxy settings, outbound ports which can't be blocked by your firewall. The idea is to make sure some operational change does not cause your IPS grief during some of its back-end processes.

- if you are running in IPS mode, I would test all new signatures in alert only mode if possible rather than trying to duplicate your network traffic in a lab. There are plenty of tools to replay traffic and perform this sort of testing, but applications can potentially change on your network without you knowing. I'd feel more comfortable running a rule live for a few days prior to putting it into "block" mode.

- as for storage, the biggest mistake or issue I've seen arise is that when disk or database space is low or slow, there is no alerting. If your IT group can alert you when you are getting towards some level of minimal hard disk space left, or if access drops below a certain expected bandwidth, having this alert early on allows you to take action.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
http://blog.tenablesecurity.com
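The following is an added example, not code from the thread above or from Tenable. It turns three of the operational points in the reply into a small, runnable Python health-check module for a sensor: an inventory of external dependencies (DNS lookups and outbound TCP ports) that is probed so a firewall or proxy change is noticed, early alerting on low disk space and on a drop in observed bandwidth, and a staging rule that keeps a new signature in alert-only mode until it has run live for a few days with no false positives before it is promoted to block mode. All hostnames, ports, thresholds and sample measurements are constructed for illustration.

```python
"""Operational checks for an IDS/IPS sensor deployment (added example)."""
import shutil
import socket
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# --- Dependency inventory --------------------------------------------------
# Each probe names something the sensor needs that a network or firewall
# change could silently break. Hosts and ports below are hypothetical.
Probe = Callable[[], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> Probe:
    """Return a probe that succeeds if a TCP connection to host:port opens."""
    def _probe() -> bool:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False
    return _probe


def dns_probe(name: str) -> Probe:
    """Return a probe that succeeds if the sensor can resolve a hostname."""
    def _probe() -> bool:
        try:
            socket.gethostbyname(name)
            return True
        except OSError:
            return False
    return _probe


def dependency_alerts(deps: Dict[str, Probe]) -> List[str]:
    """Run every probe and report each dependency that is not reachable."""
    return [f"DEPENDENCY DOWN: {name}" for name, probe in deps.items() if not probe()]


# --- Storage and bandwidth alerting ---------------------------------------
def disk_alert(free_bytes: int, total_bytes: int, min_free_pct: float = 15.0) -> Optional[str]:
    """Alert once free space drops below min_free_pct of the volume."""
    if total_bytes <= 0:
        return "DISK: cannot determine volume size"
    free_pct = 100.0 * free_bytes / total_bytes
    if free_pct < min_free_pct:
        return f"DISK LOW: {free_pct:.1f}% free (threshold {min_free_pct}%)"
    return None


def local_disk_alert(path: str = "/", min_free_pct: float = 15.0) -> Optional[str]:
    """Check a real mount on the host running this script."""
    usage = shutil.disk_usage(path)
    return disk_alert(usage.free, usage.total, min_free_pct)


def throughput_alert(observed_mbps: float, expected_mbps: float, min_ratio: float = 0.5) -> Optional[str]:
    """Alert when the sensor sees far less traffic than expected,
    which often means a SPAN port or tap was reconfigured."""
    if expected_mbps <= 0:
        return None
    if observed_mbps < expected_mbps * min_ratio:
        return f"TRAFFIC DROP: {observed_mbps:.0f} Mbps seen, expected ~{expected_mbps:.0f} Mbps"
    return None


# --- Signature staging -----------------------------------------------------
@dataclass
class StagedRule:
    sid: str
    enabled_on: date
    false_positives: int = 0
    mode: str = "alert"  # "alert" until promoted, then "block"


def promote_to_block(rule: StagedRule, today: date, soak_days: int = 3, max_fp: int = 0) -> bool:
    """Promote a rule from alert-only to block mode only after it has run
    live for soak_days with no more than max_fp false positives."""
    aged = (today - rule.enabled_on) >= timedelta(days=soak_days)
    if rule.mode == "alert" and aged and rule.false_positives <= max_fp:
        rule.mode = "block"
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data standing in for real sensor measurements.
    deps = {
        "dns (signature feed host)": dns_probe("sensor-updates.example.invalid"),
        "signature feed tcp/443": tcp_probe("192.0.2.10", 443, timeout=0.5),
    }
    alerts = dependency_alerts(deps)
    alerts += [a for a in (disk_alert(8 * 2**30, 100 * 2**30),
                           throughput_alert(120.0, 800.0)) if a]
    rule = StagedRule(sid="1000001", enabled_on=date(2007, 5, 28))
    promoted = promote_to_block(rule, date(2007, 5, 31))
    for a in alerts:
        print(a)
    print(f"rule {rule.sid} mode={rule.mode} promoted={promoted}")
```

Run from cron on the sensor and feed the returned strings to whatever paging or ticketing path the IT group already uses; the point is that a missing dependency, a shrinking disk or a quiet tap raises an alert before the sensor stops seeing or storing events.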
Current thread:
- Threats to IDS/IPS deployments leeahart05 (May 30)
- Re: Threats to IDS/IPS deployments Ron Gula (May 31)
- <Possible follow-ups>
- RE: Threats to IDS/IPS deployments Andy Cuff (May 31)