IDS mailing list archives
RE: Threats to IDS/IPS deployments
From: "Andy Cuff" <lists () securitywizardry com>
Date: Thu, 31 May 2007 12:50:59 +0100
Hi Leea,

Off the top of my head, a couple of other elements that we check on are:

1. Inappropriate tuning - too much. Where certain signatures are tuned out that really shouldn't be. This could easily form an entire topic in its own right and is my pet hate. This could mean that a signature is disabled entirely or the filtered addresses are too broad. My suggestion is for a second set of eyes to validate the tuning within a defined period.
2. Inappropriate tuning - too little. Where the deployment hasn't been tuned and the analysts cannot see the wood for the trees.
3. Effective blocking. Where IPS is deployed, is blocking set correctly, i.e. not too strict so as to affect operations yet strict enough to counter arising threats?
4. Updatedness. How up to date is the deployment and are the update processes solid?
5. Sensor coverage. Are there any gaps in coverage and does the deployment complement a defence in depth solution?
6. Who and/or what is the weakest link?

Good Luck

Andy Cuff
Computer Network Defence Ltd
www.SecurityWizardry.com
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of leeahart05 () aol com
Sent: 30 May 2007 23:45
To: focus-ids () securityfocus com
Subject: Threats to IDS/IPS deployments

I'm performing a risk assessment for a commercial IPS deployment at my place of work. The scope of the assessment is limited to how we implemented and deployed the product - not how the product works. Some areas that I will be reviewing include authentication and authorization to the sensors and management systems, backup of data and configuration settings, hardening of the sensors/systems, and best practices such as testing signatures prior to installation into production.

I apologize if this is the wrong place to post. I'm looking for input from this list as to current threats against IPS/IDS installations as well as other areas to review during my assessment.

Thanks!
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
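Point 1 of the reply above (signatures disabled entirely, filters that are too broad, and a second set of eyes validating tuning within a defined period) can be checked mechanically. The following is an added example, not part of the original thread and not any vendor's tooling; the CSV export format, the /24 threshold and the 30-day review window are all assumptions made for illustration.

```python
import csv, io, ipaddress
from datetime import date

# Constructed sample export of tuning exceptions (hypothetical format, not a vendor's).
SAMPLE = """sig_id,action,filter,author,created,reviewer
2001,filter,10.20.30.40/32,alice,2007-05-01,bob
2002,filter,10.0.0.0/8,alice,2007-05-02,bob
2003,disable,,carol,2007-05-03,dave
2004,filter,192.168.5.0/24,alice,2007-03-01,
2005,filter,0.0.0.0/0,bob,2007-05-20,bob
"""

MIN_PREFIX = 24   # assumption: IPv4 filters broader than a /24 need justification
REVIEW_DAYS = 30  # assumption: the "defined period" for second-person validation

def audit(text, today):
    """Return [(sig_id, [issues])] for tuning entries that need a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        issues = []
        if row["action"] == "disable":
            # The signature is tuned out for every address, not just noisy hosts.
            issues.append("signature disabled entirely")
        elif row["action"] == "filter":
            net = ipaddress.ip_network(row["filter"], strict=False)
            if net.prefixlen < MIN_PREFIX:
                issues.append(f"filter {net} broader than /{MIN_PREFIX}")
        reviewer = row["reviewer"].strip()
        age = (today - date.fromisoformat(row["created"])).days
        if reviewer and reviewer == row["author"]:
            # Self-approval is not a second set of eyes.
            issues.append("reviewed by its own author")
        elif not reviewer and age > REVIEW_DAYS:
            issues.append(f"unreviewed for {age} days")
        if issues:
            findings.append((row["sig_id"], issues))
    return findings

if __name__ == "__main__":
    for sid, issues in audit(SAMPLE, date(2007, 5, 31)):
        print(sid, "; ".join(issues))
```
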
Current thread:
- Threats to IDS/IPS deployments leeahart05 (May 30)
- Re: Threats to IDS/IPS deployments Ron Gula (May 31)
- <Possible follow-ups>
- RE: Threats to IDS/IPS deployments Andy Cuff (May 31)