Penetration Testing mailing list archives
Re: IPS arguments
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Sat, 21 Feb 2009 13:23:52 +0000
M.D.Mufambisi wrote:
> Hi Hugo. I am also in the same dilemma as you are. I work for a consultancy firm and one of the advisors here told the client to get an IPS in addition to a firewall, antivirus etc. I really do not get it. With the IPS won't there be 2 firewalls now?
Different problem domain. Normally, a firewall will control traffic at the port level, and contains a fairly static set of rules as to what traffic is permitted and which is not. An IPS observes traffic and matches it against a rulebase on what is or isn't "good" traffic - consider it an antivirus scan for network packets, looking not for a virus (although often those are listed too) but for undesirable activity.
> Also, I'm not into penetration tests but I sure wish to move into that field. May I please have advice on procedures and tests performed during a pen test? Or a framework of some sort? Your advice will be greatly appreciated.
Those vary widely, and to be honest pentesting is not about the tools used (although the quality and quantity of those is important) but about the mindset of the person using them. Pentesting is, within the constraints of the agreed contract, duplication of the sort of attacks an outside "hacker", inside disgruntled employee or infected trojan machine would perform to gain access to unauthorized resources. I say within constraints, as often tasks that such a hacker would be happy to perform (e.g. an attack which is successful at gaining a root shell 5% of the time, but causes irremediable corruption to the target server the other 95%) are closed to an ethical pentester. That said, you can *look* for the vulnerability and report it, as untested but presumed vulnerable.

A good start (provided you aren't going to get into trouble for it :) is to audit your own network as if you were a disgruntled employee - to be honest, employees gone "bad" are more commonly a significant risk than outside hackers. Don't just download a few tools and use them (although it's probably worth getting at least a portscanner, openvas and metasploit and familiarizing yourself with them and how they work) but wander around a few desks and look for usernames/passwords; give yourself a "normal" user account to play with, and see what normal users are given to access that they might not know about (if they use databases through a pretty GUI front end, log into those databases with the normal tools for that and see what table rights they have and if they are relying on the GUI to prevent them (for example) giving themselves admin rights or resetting passwords).

The first sentence is the most important though - before you do *anything*, make sure your boss is aware that you are going to do this and that you are doing it to try and tighten security "for free" rather than hire an expensive consultant. It's amazing how cooperative bosses get when they think they are saving cash :)