Penetration Testing mailing list archives
Re: IPS Comparison
From: "Vic N" <vic778 () hotmail com>
Date: Sat, 24 Dec 2005 18:47:55 -0800
Mazunetworks.com has a nice IPS that does not use a signature-based approach. I've used their ddos solution before (enforcer) and have just started an eval on their profiler IPS system that seems to have some very nice capabilities.Remember that an IPS is nothing more than a stateful inspection firewall that also tries to match malicious patterns in the payload. With this in mind, you are talking about being limited to detecting known attacks only. So if your IPS vendor can get you a sig (or you can write one yourself) faster than you can patch the vulnerability, there is value add to having an IPS. If not, well, you are doing little more than detecting and weeding out attacks that you are not vulnerable to anyways. IMHO there are cheaper ways of getting this warm fuzzy and feeling. There is an exception to this, which is another approach that is taken by some IPS vendors. This involves checking for indications of a successful attack. For example a packet headed out to the Internet that contains the string "C:\" could be considered suspicious and a possible indication that an attack has breached the perimeter. Nice thing about weeding these out is you have the potential to block 0-day because you are detecting on the actual problem rather than just a symptom.
One reason I decided to further evaluate this one is because of its ability to give an extended view into internal network traffic, not just a "security event". It incorporates Cisco's netflow protocol and its own sensors to provide baseline reporting on standard and unusual traffic patterns.... So it looks like it's going to give me a chance to detect other traffic patterns on internal segments that might be undesirable, like p2p or unusual IM traffic.
------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: IPS Comparison krishy_k (Dec 19)
- Re: IPS Comparison InfoSecBOFH (Dec 20)
- <Possible follow-ups>
- RE: IPS Comparison Josh Perrymon (Dec 20)
- Message not available
- Re: IPS Comparison Dave Bush (Dec 21)
- Re: IPS Comparison Chris Brenton (Dec 22)
- Re: IPS Comparison Vic N (Dec 24)
- Message not available
- Re: IPS Comparison neal wise (Dec 21)
- Re: IPS Comparison Brian Recore (Dec 27)
- RE: IPS Comparison Talisker (Dec 21)