Penetration Testing mailing list archives

Re: IPS comparison


From: Daniel Cid <danielcid () yahoo com br>
Date: Sat, 30 Jul 2005 19:19:59 -0300 (ART)

This is not the first time I hear about it.
TippingPoint does NOT detect 0-day vulnerabilities.
This "anomaly" detection will only detect 0-day
exploits for known vulnerabilities. If they do not
know about a vulnerability, there is no way their
"anomaly" detection system will detect anything. Btw,
most of the other IDS/IPS vendors create rules to
detect the vulnerability instead of the exploit.

Thanks,

--
Daniel B. Cid, CISSP
daniel.cid @ ( at ) gmail.com

--- Joey Peloquin <joeyp () cotse net> wrote:

Gregory D. McPhee wrote:

TippingPoint is signature based, catches what is
known to be bad.


I'm evaluating TippingPoint's device right now, and that's not entirely true. The only *static* signatures used are the AV, Spyware, IM, and P2P filters. Everything else is anomaly-based, through the use of regex, and the vulnerabilities themselves. This is why TP claims the ability to stop so-called 0-day attacks.

In fact all vendors who claim the ability to stop 0-day attacks do so because they are supposed to be filtering on the vulnerability, not an exploit signature, static packet anomaly, etc. Another characteristic of these devices is the fact that they do "deep packet inspection", rather than a protocol decode and "best guess" based on irregularities in the way it's supposed to function.

To the original poster, I'd suggest getting people from the network and security side together (if it's not the same people) and discuss *your* requirements in a device. Come up with a list of 10-15 vendors (easily done with the wealth of information already posted to the list), send out an RFI, and grade their responses against your requirements. Bring the top four in for their presentations, then select the top two to go head-to-head.

The testing methodology you use with your finalists would consist of a mish-mash of networking and security tests including latency measurements, failover, blocking ability under 100% utilization while pushing an update, attacker | victim scenarios using tools like metasploit and manual techniques (both with and without load), and fragmented attacks using fragroute (with and without load), etc.

Don't forget to get some live pcap captures from your edge, too, so you get a peek at what you already know is out there ;)

Good Luck...Joey
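The exploit-signature versus vulnerability-filter distinction that Joey and Daniel argue about above, shown as an added example that is not part of the thread and not code from TippingPoint or any vendor. Everything in it is constructed: a made-up line-oriented protocol whose server copies the argument of a `USER` command into a hypothetical 64-byte buffer (`USER_FIELD_MAX`), one captured exploit payload (`KNOWN_EXPLOIT_MARKER`), and a second payload that triggers the same bug with different filler bytes.

```python
"""Added illustration (not from the thread): exploit-signature versus
vulnerability-condition detection.

Everything here is constructed: a made-up line-oriented protocol whose
server copies the argument of 'USER <name>' into a fixed 64-byte buffer.
The *vulnerability* is 'USER argument longer than 64 bytes'; any one
*exploit* is a particular payload that happens to trigger it.
"""
import re

# Hypothetical buffer size in the toy server. Knowing this number is
# what makes a vulnerability rule possible at all.
USER_FIELD_MAX = 64

# Constructed: the one exploit payload a signature writer happened to
# capture. A signature keyed to it matches these bytes and nothing else.
KNOWN_EXPLOIT_MARKER = b"A" * 300 + b"CONSTRUCTED_MARKER"

# Decode the toy protocol: one 'USER <arg>' command per line.
USER_CMD = re.compile(rb"^USER (?P<arg>[^\r\n]*)", re.MULTILINE)


def exploit_signature_match(packet: bytes) -> bool:
    """Exploit-signature rule: fires only on the payload that was observed."""
    return KNOWN_EXPLOIT_MARKER in packet


def vulnerability_condition_match(packet: bytes) -> bool:
    """Vulnerability rule: fires on the condition that triggers the bug
    (overlong USER argument), whatever bytes fill the argument."""
    return any(len(m.group("arg")) > USER_FIELD_MAX
               for m in USER_CMD.finditer(packet))


def classify(packet: bytes) -> dict:
    """Run both rules over one packet and report which fired."""
    return {
        "exploit_sig": exploit_signature_match(packet),
        "vuln_rule": vulnerability_condition_match(packet),
    }


# Constructed sample traffic: a benign login, the captured exploit, and a
# variant that changes the filler bytes but still overflows the field.
SAMPLES = {
    "benign": b"USER alice\r\nPASS hunter2\r\n",
    "known_exploit": b"USER " + KNOWN_EXPLOIT_MARKER + b"\r\n",
    "variant_exploit": b"USER " + b"B" * 200 + b"\r\n",
}


def evaluate_samples() -> dict:
    """Classify every sample; returns {sample name: {rule name: fired}}."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:16s} exploit_sig={verdict['exploit_sig']!s:5s} "
              f"vuln_rule={verdict['vuln_rule']}")
```

The variant payload slips past the exploit signature but not the vulnerability rule, which is the behaviour Joey describes as the basis for "0-day" claims. The rule still depends on knowing `USER_FIELD_MAX`, i.e. on the vulnerability itself already being understood, which is Daniel's caveat: it catches unseen exploits for a known bug, not bugs nobody has found yet.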