Penetration Testing mailing list archives

Re: IPS Comparison

From: "Vic N" <vic778 () hotmail com>
Date: Sat, 24 Dec 2005 18:47:55 -0800


Remember that an IPS is nothing more than a stateful inspection firewall
that also tries to match malicious patterns in the payload. With this in
mind, you are talking about being limited to detecting known attacks
only. So if your IPS vendor can get you a sig (or you can write one
yourself) faster than you can patch the vulnerability, there is value
add to having an IPS. If not, well, you are doing little more than
detecting and weeding out attacks that you are not vulnerable to
anyways. IMHO there are cheaper ways of getting this warm fuzzy and
feeling.

There is an exception to this, which is another approach that is taken
by some IPS vendors. This involves checking for indications of a
successful attack. For example a packet headed out to the Internet that
contains the string "C:\" could be considered suspicious and a possible
indication that an attack has breached the perimeter. Nice thing about
weeding these out is you have the potential to block 0-day because you
are detecting on the actual problem rather than just a symptom.

Mazunetworks.com has a nice IPS that does not use a signature-basedapproach. I've used their ddos solution before (enforcer) and have juststarted an eval on their profiler IPS system that seems to have some verynice capabilities.

One reason I decided to further evaluate this one is because of its abilityto give an extended view into internal network traffic, not just a "securityevent". It incorporates Cisco's netflow protocol and its own sensors toprovide baseline reporting on standard and unusual traffic patterns.... Soit looks like it's going to give me a chance to detect other trafficpatterns on internal segments that might be undesirable, like p2p or unusualIM traffic.




------------------------------------------------------------------------------

Audit your website security with Acunetix Web Vulnerability Scanner:Hackers are concentrating their efforts on attacking applications on yourwebsite. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down servers arefutile against web application hacking. Check your website for vulnerabilitiesto SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at:


http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Re: IPS Comparison krishy_k (Dec 19)
- Re: IPS Comparison InfoSecBOFH (Dec 20)
- <Possible follow-ups>
- RE: IPS Comparison Josh Perrymon (Dec 20)
  - Message not available
    - Re: IPS Comparison Dave Bush (Dec 21)
    - Re: IPS Comparison Chris Brenton (Dec 22)
    - Re: IPS Comparison Vic N (Dec 24)
  - Re: IPS Comparison neal wise (Dec 21)
- RE: IPS Comparison Cojocea, Mike (IST) (Dec 20)
  - Re: IPS Comparison Brian Recore (Dec 27)
- RE: IPS Comparison Ryan Murphy (Dec 20)
- RE: IPS Comparison Todd Towles (Dec 20)
  - RE: IPS Comparison Talisker (Dec 21)
- RE: IPS Comparison Kyle Quest (Dec 23)