Penetration Testing mailing list archives

Re: IPS arguments


From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Thu, 19 Feb 2009 08:44:54 +0530

A firewall is only going to block or allow traffic on specific ports
from specific (hopefully) IP addresses.

Endpoint Protection is basically similar to an antivirus installed on
multiple desktops, so it's going to prevent known
viruses/malware/trojans from executing on the desktop machines;
probably servers too if it's installed there as well.

Neither of these is going to:
a) Monitor suspicious traffic on known ports. Say for a web app
running on 80 or 443 attacked using SQL injection, or your webmail
interface, or for that matter any service which is exposed to the
outside world.

b) If there are techies to look at and analyze traffic logs, you won't
be aware of any new attacks/attempts at attacks at all from the
outside world. If you have an IDS/IPS it's usually updated with new
signatures for the same, and you can tune it also based on traffic
patterns as well (anomaly based IDS).

In the end though it's dependent on what data your client is trying to
protect and what other limitations they have. If for example no one's
ever going to look at IDS logs it will become another box in a week =
a waste of money.

Cheers
Arvind

On Sat, Feb 14, 2009 at 8:04 PM, Hugo Vinicius Garcia Razera
<hviniciusg () gmail com> wrote:
Hello Gentlemen,

I finished a penetration test for a client about a month ago.
The company I worked for used some practices that I don't agree with;
that's one of the reasons I resigned. Anyway, they managed to sell
the audited company a CISCO IPS using the results of the pen test.

Well, the thing is that the CIO of that company is refusing to install
the IPS on their network even after his company has already put in a buy
order for the equipment, and said IPS is now in their building, but he
refuses to install such equipment, arguing that it is totally
unnecessary because they already have a Microsoft ISA Server
firewall in place, and Symantec Endpoint Protection on the client
machines.

Can anyone point out to me why they need an IPS?

The old company I worked for wants me to penetrate their network, to
prove to them they need an IPS. This time I'm thinking of deploying an
old Trojan I coded.

But I would like to have more compelling arguments on why someone needs an IPS.

Thanks for the time replying to my questions.

Hugo
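An added illustration of Arvind's point (a), not part of the thread: a port-based filter decides on the destination port alone, while an IDS/IPS matches signatures against the decoded request content. The sample requests, the allowed-port policy and the two signatures are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Ports the perimeter firewall permits inbound (constructed policy).
ALLOWED_PORTS = {80, 443}

# Constructed signatures in the spirit of an IDS/IPS ruleset. A real
# deployment loads vendor or community rules and tunes them to local traffic.
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

# Constructed HTTP request lines as (destination port, request line).
SAMPLE_REQUESTS = [
    (80, "GET /index.php?id=42 HTTP/1.1"),
    (80, "GET /index.php?id=42+UNION+SELECT+user,pass+FROM+accounts HTTP/1.1"),
    (443, "GET /webmail/?folder=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1"),
    (3389, "RDP connection attempt"),
]

def firewall_allows(port):
    """Port-based firewall: the only thing it looks at is the port."""
    return port in ALLOWED_PORTS

def ids_alerts(request_line):
    """Content inspection: URL-decode the request, then match every signature."""
    decoded = unquote_plus(request_line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def evaluate(requests):
    """Run each request through the firewall, then (if it passed) the IDS."""
    verdicts = []
    for port, line in requests:
        if not firewall_allows(port):
            verdicts.append((port, "blocked by firewall"))
            continue
        alerts = ids_alerts(line)
        if alerts:
            verdicts.append((port, "passed firewall, IDS alert: " + ", ".join(alerts)))
        else:
            verdicts.append((port, "passed firewall, no IDS alert"))
    return verdicts

if __name__ == "__main__":
    for port, verdict in evaluate(SAMPLE_REQUESTS):
        print(f"{port:>5}  {verdict}")
```

The two attack-shaped requests arrive on ports the firewall must keep open for the web app and webmail, so only the content-inspecting layer produces an alert; the point about someone actually reading those alerts still stands.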





