IDS mailing list archives

RE: Threats to IDS/IPS deployments


From: "Andy Cuff" <lists () securitywizardry com>
Date: Thu, 31 May 2007 12:50:59 +0100

Hi Leea,
Off the top of my head, a couple of other elements that we check on are:

1.      Inappropriate tuning - too much.  Where certain signatures are tuned
out that really shouldn't be; this could easily form an entire topic in its
own right and is my pet hate. This could mean that a signature is disabled
entirely or the filtered addresses are too broad. My suggestion is for a
second set of eyes to validate the tuning within a defined period.

2.      Inappropriate tuning - too little.  Where the deployment hasn't been
tuned and the analysts cannot see the wood for the trees.

3.      Effective blocking.     Where IPS is deployed, is blocking set
correctly, i.e. not too strict so as to affect operations, yet strict enough
to counter arising threats?

4.      Updatedness.  How up to date is the deployment, and are the update
processes solid?

5.      Sensor coverage.   Are there any gaps in coverage, and does the
deployment complement a defence in depth solution?

6.      Who and/or what is the weakest link?

Good Luck
Andy Cuff
Computer Network Defence Ltd
www.SecurityWizardry.com

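Points 1 and 2 above (signatures tuned out entirely, or suppressed for address ranges that are too broad) are the kind of thing a reviewer can check mechanically before the "second set of eyes" review. The following is an added example, not code from the thread or from any IDS vendor: a small audit script for Snort/Suricata-style `threshold.conf` suppressions and commented-out rules. The sample configuration and rules it reads are constructed for the example, and the /24 cut-off for "too broad" is an assumption to be set per site.

```python
import ipaddress
import re

# Constructed sample threshold.conf in Snort/Suricata syntax (not from the thread).
SAMPLE_THRESHOLD_CONF = """\
# constructed sample - suppressions and thresholds
suppress gen_id 1, sig_id 2100498, track by_src, ip 10.1.2.3
suppress gen_id 1, sig_id 2009557, track by_src, ip 10.0.0.0/8
suppress gen_id 1, sig_id 2010935
suppress gen_id 1, sig_id 2008581, track by_dst, ip 192.168.10.0/24
threshold gen_id 1, sig_id 2001219, type limit, track by_src, count 1, seconds 60
"""

# Constructed sample rules file; a leading '#' is how a rule is disabled.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; sid:2001219; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB exploit attempt"; sid:2010935; rev:1;)
# alert tcp any any -> $HTTP_SERVERS 80 (msg:"HTTP suspicious UA"; sid:2100498; rev:2;)
"""

# Assumption: a suppression wider than a /24 (256 addresses) needs a second reviewer.
MAX_SUPPRESSED_ADDRESSES = 256

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+))?\s*$"
)
DISABLED_RULE_RE = re.compile(r"^#\s*(?:alert|drop|reject|pass)\b.*\bsid\s*:\s*(\d+)\s*;")


def audit_suppressions(conf_text):
    """Return one finding per suppress line that silences a signature too broadly."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("suppress"):
            continue  # thresholds and comments are out of scope for this check
        m = SUPPRESS_RE.match(line)
        if not m:
            findings.append({"line": lineno, "sid": None, "issue": "unparsed suppress line"})
            continue
        _gen_id, sid, _track, ip = m.groups()
        if ip is None:
            # No track/ip clause: the signature is silenced for every host.
            findings.append({"line": lineno, "sid": int(sid), "issue": "suppressed for all hosts"})
            continue
        try:
            net = ipaddress.ip_network(ip, strict=False)
        except ValueError:
            # Address lists such as [10.0.0.0/8,172.16.0.0/12] are left for manual review.
            findings.append({"line": lineno, "sid": int(sid), "issue": f"unparsed ip spec {ip}"})
            continue
        if net.num_addresses > MAX_SUPPRESSED_ADDRESSES:
            findings.append({
                "line": lineno,
                "sid": int(sid),
                "issue": f"suppression covers {net.num_addresses} addresses ({ip})",
            })
    return findings


def suppressed_sids(conf_text):
    """All signature ids that have any suppress entry at all."""
    sids = []
    for raw in conf_text.splitlines():
        m = SUPPRESS_RE.match(raw.strip())
        if m:
            sids.append(int(m.group(2)))
    return sids


def disabled_sids(rules_text):
    """Signature ids of rules that are commented out in the rules file."""
    sids = []
    for raw in rules_text.splitlines():
        m = DISABLED_RULE_RE.match(raw.strip())
        if m:
            sids.append(int(m.group(1)))
    return sids


def audit(conf_text, rules_text):
    """Build the review list a second pair of eyes would walk through."""
    disabled = disabled_sids(rules_text)
    return {
        "broad_suppressions": audit_suppressions(conf_text),
        "disabled_sids": disabled,
        # Disabled *and* suppressed: stale config that hides the fact a rule is off.
        "disabled_and_suppressed": sorted(set(disabled) & set(suppressed_sids(conf_text))),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_THRESHOLD_CONF, SAMPLE_RULES).items():
        print(key)
        for item in value:
            print("   ", item)
```

Run against the constructed samples, the audit flags the /8 suppression and the suppression with no address at all, lists the two commented-out rules, and points out that two signatures are both disabled and suppressed, which is exactly the kind of stale tuning that a periodic review should question. The script only reads configuration; it changes nothing, so it can run from a change-control pipeline before a tuning change is accepted.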

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of leeahart05 () aol com
Sent: 30 May 2007 23:45
To: focus-ids () securityfocus com
Subject: Threats to IDS/IPS deployments

I'm performing a risk assessment for a commercial IPS 
deployment at my place of work. The scope of the assessment 
is limited to how we implemented and deployed the product - 
not how the product works. Some areas that I will be 
reviewing include authentication and authorization to the 
sensors and management systems, backup of data and 
configuration settings, hardening of the sensors/systems, and 
best practices such as testing signatures prior to 
installation into production. I apologize if this is the 
wrong place to post. I'm looking for input from this list as 
to current threats against IPS/IDS installations as well as 
other areas to review during my assessment. Thanks!


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world
attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
