Security Basics mailing list archives

RE: adding another defence layer against viruses/worms


From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Wed, 25 Nov 2009 12:09:20 -0500

That's always an issue with IDS/IPS.
Sadly I don't know any heuristic IDS/IPS; I know the overall purpose and
setup of these devices, but I have not had the chance to play with any of
them yet.

Sorry.

 
Philippe Rivest - CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
Verificateur interne - Securite de l'information

8585 Trans-Canada Highway, Suite 300
Saint-Laurent (Quebec) H4S 1Z6
Tel.: 514-331-4417   
Fax: 514-856-7541

http://www.transforce.ca/



-----Original Message-----
From: Juan B [mailto:juanbabi () yahoo com]
Sent: 25 November 2009 11:55
To: boaz.shunami () rsa com; security-basics () securityfocus com; Rivest, Philippe
Subject: RE: adding another defence layer against viruses/worms

Hi Philippe,

thanks for your response!

The issue with a heuristic IPS is that it will be in the LAN, so I'm afraid of
a high volume of false positives!
Which heuristic IPS would you suggest for this task?

thanks

juan

--- On Wed, 11/25/09, Rivest, Philippe <PRivest () transforce ca> wrote:

From: Rivest, Philippe <PRivest () transforce ca>
Subject: RE: adding another defense layer against viruses/worms
To: boaz.shunami () rsa com, juanbabi () yahoo com, security-basics () securityfocus com
Date: Wednesday, November 25, 2009, 11:31 AM
I believe you're looking for a heuristic IPS, also called a behavioral IPS.
It will take a look at the activities going on in your network segment and
build a DB of normal activities (PLEASE ensure you are virus, worm, hacker
and problem free..). When you decide your DB is big enough, you stop it and
run all day-to-day activities against it. Any deviation will be flagged as
unauthorized and action will be taken.

This will allow you to block new viruses/worms while your AV should detect
known threats.

Understand that these solutions are technical and I would suggest you get
help if you're not familiar with these technologies.


I like the solutions of Boaz, especially network segregation. Implementing
a DMZ will (should) contain attacks.

You can also use 2 levels of AV, i.e. use TrendMicro for network detection and
McAfee for host AV. This will reduce the risk that if one can't detect the
threat, maybe the other can.

I'd also suggest using network proxies. If you break the client-server
communication, you might be able to scan your packets deeper and detect
attacks before they are sent to the client.

Hope this helps :)

 
Philippe Rivest - CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
Verificateur interne - Securite de l'information

8585 Trans-Canada Highway, Suite 300
Saint-Laurent (Quebec) H4S 1Z6
Tel.: 514-331-4417   
Fax: 514-856-7541

http://www.transforce.ca/



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On behalf of boaz.shunami () rsa com
Sent: 25 November 2009 02:08
To: juanbabi () yahoo com; security-basics () securityfocus com
Subject: RE: adding another defence layer against viruses/worms

Hi Juan,

I would advise your client to either:

1. Have a solid policy as to what sites are accessible/not accessible
from his branches (can be enforced with Bluecoat and the like...)
2. Segregate the network the branches have access to (kind of a DMZ) from
his LAN using a FW.
3. Give low-level permissions to the branches on the core.

My 2c...

Thanks,
 
Boaz

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Juan B
Sent: Tuesday, November 24, 2009 4:04 PM
To: security-basics () securityfocus com
Subject: adding another defence layer against viruses/worms

Hi all,

I'm doing some security consulting for a client. This client has around
30 remote branches connected to his core. The problem is that sometimes
the AV fails to detect new viruses/worms coming from those branches, so
those viruses/worms mess up his LAN. Another problem is that the
client doesn't have much control over the remote PCs in the branches.
So I thought about adding another layer of defence in which we will add
an IPS (which IPS also detects viruses/worms??) which will filter and
scan all traffic coming from the branches.

I just wonder if you guys agree with my suggestion.

Any comments will be welcomed.

BTW,

any recommendations for the IPS?

thanks a lot
juan
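The two-phase procedure Philippe describes in the thread (build a DB of normal activity on a clean network, stop learning once the DB is big enough, then run day-to-day traffic against it and flag deviations) and Juan's worry about false positives inside the LAN are easy to make concrete. The Python below is an added example written for this archive page; it is not code from anyone in the thread nor from any IPS product. It assumes a constructed key=value flow-record format, constructed branch subnets (10.10.1.0/24 and 10.10.2.0/24) talking to constructed core hosts in 10.0.0.0/24, and two invented tuning knobs, min_support and fanout_slack, standing in for whatever tuning a real product exposes.

```python
# Added example: a toy behavioural baseline in the learn / freeze / check style
# described in the thread.  Not anyone's product; all hosts and records are constructed.
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # branch host that opened the connection
    dst: str    # core host it connected to
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form 'src=.. dst=.. dport=.. proto=..'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def branch_of(host: str) -> str:
    """Profile per /24 (assumption: one subnet per branch) rather than per PC, so a
    PC that was absent during learning is not flagged merely for being new."""
    return ".".join(host.split(".")[:3])


class BehaviouralBaseline:
    """learn() during the clean period, freeze() once the DB is big enough,
    then check() every day-to-day flow against the frozen profile."""

    def __init__(self, min_support: int = 2, fanout_slack: int = 1):
        self.min_support = min_support       # tuples seen fewer times are dropped as noise
        self.fanout_slack = fanout_slack     # tolerance above the learned fan-out
        self.service_counts = Counter()      # (branch, dport, proto) -> flows while learning
        self.dst_per_src = defaultdict(set)  # src host -> distinct core hosts contacted
        self.profile = None                  # None until freeze()
        self.max_fanout = 0

    def learn(self, flow: Flow) -> None:
        if self.profile is not None:
            raise RuntimeError("baseline is frozen; no more learning")
        self.service_counts[(branch_of(flow.src), flow.dport, flow.proto)] += 1
        self.dst_per_src[flow.src].add(flow.dst)

    def freeze(self) -> None:
        # A single stray flow in the learning data does not enter the profile
        # unless it recurs; this softens the "ensure you are problem free" caveat.
        self.profile = {k for k, c in self.service_counts.items() if c >= self.min_support}
        self.max_fanout = max((len(s) for s in self.dst_per_src.values()), default=0)
        self.dst_per_src = defaultdict(set)  # fresh counters for the detection phase

    def check(self, flow: Flow) -> Tuple[str, str]:
        if self.profile is None:
            raise RuntimeError("call freeze() before check()")
        key = (branch_of(flow.src), flow.dport, flow.proto)
        if key not in self.profile:
            return "block", f"unknown service {flow.proto}/{flow.dport} from branch {key[0]}"
        self.dst_per_src[flow.src].add(flow.dst)
        reached = len(self.dst_per_src[flow.src])
        if reached > self.max_fanout + self.fanout_slack:
            return "block", f"fan-out: {flow.src} reached {reached} hosts, baseline max {self.max_fanout}"
        return "allow", "matches baseline"


def evaluate(learning_lines: List[str], day_lines: List[str],
             min_support: int = 2, fanout_slack: int = 1) -> List[Tuple[str, str]]:
    """Run both phases and return one (verdict, reason) per day-to-day flow, in order."""
    baseline = BehaviouralBaseline(min_support, fanout_slack)
    for line in learning_lines:
        baseline.learn(parse_flow(line))
    baseline.freeze()
    return [baseline.check(parse_flow(line)) for line in day_lines]


# Constructed learning traffic.  The lone RDP flow is below min_support and is not learned.
LEARNING_LOG = [
    "src=10.10.1.5 dst=10.0.0.10 dport=445 proto=tcp",
    "src=10.10.1.6 dst=10.0.0.10 dport=445 proto=tcp",
    "src=10.10.1.5 dst=10.0.0.20 dport=443 proto=tcp",
    "src=10.10.1.6 dst=10.0.0.20 dport=443 proto=tcp",
    "src=10.10.2.7 dst=10.0.0.20 dport=443 proto=tcp",
    "src=10.10.2.8 dst=10.0.0.20 dport=443 proto=tcp",
    "src=10.10.2.7 dst=10.0.0.30 dport=53 proto=udp",
    "src=10.10.2.8 dst=10.0.0.30 dport=53 proto=udp",
    "src=10.10.1.6 dst=10.0.0.40 dport=3389 proto=tcp",
]

# Constructed day-to-day traffic: normal flows, the stray RDP again, a new PC in branch 1
# reaching one core host after another on 445 (worm-like fan-out), and SMB from branch 2,
# whose profile never contained it.
DAY_LOG = [
    "src=10.10.1.5 dst=10.0.0.10 dport=445 proto=tcp",
    "src=10.10.2.7 dst=10.0.0.30 dport=53 proto=udp",
    "src=10.10.1.6 dst=10.0.0.40 dport=3389 proto=tcp",
    "src=10.10.1.9 dst=10.0.0.10 dport=445 proto=tcp",
    "src=10.10.1.9 dst=10.0.0.11 dport=445 proto=tcp",
    "src=10.10.1.9 dst=10.0.0.12 dport=445 proto=tcp",
    "src=10.10.1.9 dst=10.0.0.13 dport=445 proto=tcp",
    "src=10.10.1.9 dst=10.0.0.14 dport=445 proto=tcp",
    "src=10.10.2.7 dst=10.0.0.20 dport=445 proto=tcp",
]

if __name__ == "__main__":
    for line, (verdict, reason) in zip(DAY_LOG, evaluate(LEARNING_LOG, DAY_LOG)):
        print(f"{verdict:5} {line}  # {reason}")
```

Three choices in this toy address the false-positive concern directly: the profile is keyed per branch subnet rather than per PC, so the unmanaged remote machines Juan mentions do not trip it just by being new; min_support keeps a one-off event in the learning window out of the profile; and the fan-out check catches a host sweeping core servers on a port the branch does legitimately use, which a pure service allow-list would miss. The caveat is the one Philippe raises: the profile is only as good as the learning window, so a service used once a quarter is blocked the first time it appears, and a learning window that was not actually clean bakes the infection into "normal".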

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate. We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Attachment: smime.p7s