Penetration Testing mailing list archives
Re: IPS comparison
From: Daniel Cid <danielcid () yahoo com br>
Date: Sat, 30 Jul 2005 19:19:59 -0300 (ART)
This is not the first time I hear about it. TippingPoint does NOT detect 0-day vulnerabilities. This "anomaly" detection will only detect 0-day exploits for known vulnerabilities. If they do not know about a vulnerability, there is no way their "anomaly" detection system will detect anything. Btw, most of the other IDS/IPS vendors create rules to detect the vulnerability instead of the exploit. Thanks, -- Daniel B. Cid, CISSP daniel.cid @ ( at ) gmail.com --- Joey Peloquin <joeyp () cotse net> escreveu:
Gregory D. McPhee wrote:TippingPoint is signature based, catches want isknown to be bad.I'm evaluating TippingPoint's device right now, and that's not entirely true. The only *static* signatures used are the AV, Spyware, IM, and P2P filters. Everything else is anomaly-based, through the use of regex, and the vulnerabilities themselves. This is why TP claims the ability to stop so-called 0-day attacks. In fact all vendors who claim the ability to stop 0-day attacks do so because they are supposed to be filtering on the vulnerability, not an exploit signature, static packet anomaly, etc. Another characteristic of these devices is the fact that they do "deep packet inspection", rather than a protcol decode and "best guess" based on irregularities in the way it's supposed to function. To the original poster, I'd suggest getting people from the network and security side together (if it's not the same people) and discuss *your* requirements in a device. Come up with a list of 10-15 vendors (easily done with the wealth of information already posted to the list), send out an RFI, and grade their responses against your requirements. Bring the top four in for their presentations, then select the top two to go head-to-head. The testing methodology you use with your finalists would consist of a mish-mash of networking and security tests including latency measurements, failover, blocking ability under 100% utilization - while pushing an update, attacker | victim scenarios using tools like metasploit and manual techniques-both with and without load, and fragmented attacks using fragroute-with and without load, etc. Don't forget to get some live pcap captures from your edge, too, so you get a peek at what you already know is out there ;) Good Luck...Joey
_______________________________________________________ Yahoo! Acesso Grátis - Internet rápida e grátis. Instale o discador agora! http://br.acesso.yahoo.com/
Current thread:
- RE: IPS comparison, (continued)
- RE: IPS comparison Singh, Yashpal (Jul 25)
- RE: IPS comparison Jeffrey Leggett (Jul 26)
- Re: IPS comparison Chuck (Jul 27)
- RE: IPS comparison Soszynski, Chris (Jul 27)
- RE: IPS Comparison JP Garcia (Jul 27)
- RE: IPS Comparison Miguel Dilaj (Jul 27)
- Re: IPS Comparison Ivan C (Jul 29)
- RE: IPS Comparison Miguel Dilaj (Jul 27)
- RE: IPS comparison Gregory D. McPhee (Jul 27)
- Re: IPS comparison Ivan C (Jul 28)
- Re: IPS comparison Joey Peloquin (Jul 30)
- Re: IPS comparison Daniel Cid (Jul 30)
- Fw: IPS comparison OguzTekeli (Jul 28)
- Re: IPS comparison joekim13 (Jul 30)
- RE: IPS comparison Jarmon, Don R (Jul 31)