Penetration Testing mailing list archives

Re: IPS arguments


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Sat, 21 Feb 2009 13:23:52 +0000

M.D.Mufambisi wrote:
> Hi Hugo.
>
> I am also in the same dilemma as you are. I work for a consultancy
> firm and one of the advisors here told the client to get an IPS in
> addition to a firewall, antivirus etc. I really do not get it. With
> the IPS won't there be 2 firewalls now?

Different problem domain. Normally, a firewall will control traffic at
the port level, and contains a fairly static set of rules as to what
traffic is permitted and which is not.

An IPS observes traffic and matches it against a rulebase on what is or
isn't "good" traffic - consider it an antivirus scan for network
packets, looking not for a virus (although often those are listed too)
but for undesirable activity.

> Also, I'm not into penetration tests but I sure wish to move into that
> field. May I please have advice on procedures and tests performed
> during a pen test? Or a framework of some sort? Your advice will be
> greatly appreciated.

Those vary widely, and to be honest pentesting is not about the tools
used (although the quality and quantity of those is important) but about
the mindset of the person using them. Pentesting is, within the
constraints of the agreed contract, duplication of the sort of attacks
an outside "hacker", inside disgruntled employee or infected trojan
machine would perform to gain access to unauthorized resources. I say
within constraints, as often tasks that such a hacker would be happy to
perform (e.g. an attack which is successful at gaining a root shell 5% of
the time, but causes irremediable corruption to the target server the
other 95%) are closed to an ethical pentester. That said, you can *look*
for the vulnerability and report it, as untested but presumed vulnerable.

A good start (provided you aren't going to get into trouble for it :) is
to audit your own network as if you were a disgruntled employee - to be
honest, employees gone "bad" are a more common and significant risk than
outside hackers. Don't just download a few tools and use them (although
it's probably worth getting at least a portscanner, openvas and
metasploit and familiarizing yourself with them and how they work) but
wander around a few desks and look for usernames/passwords; give
yourself a "normal" user account to play with, and see what normal users
are given to access that they might not know about (if they use
databases through a pretty GUI front end, log into those databases with
the normal tools for that and see what table rights they have and if
they are relying on the GUI to prevent them (for example) giving
themselves admin rights or resetting passwords). The first sentence is
the most important though - before you do *anything*, make sure your
boss is aware that you are going to do this and that you are doing it to
try and tighten security "for free" rather than hire an expensive
consultant. It's amazing how cooperative bosses get when they think they
are saving cash :)
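As an added example (not from this post or the list), a PostgreSQL script showing the table-rights check described above, with the weak grant beside a corrected one; the table, role name, password and rows are all constructed for illustration.

```sql
-- Added example, not from the original post. Assumes PostgreSQL; the
-- table, role name, password and rows are constructed for illustration.

CREATE TABLE app_user (
    id       serial  PRIMARY KEY,
    username text    NOT NULL UNIQUE,
    pw_hash  text    NOT NULL,
    is_admin boolean NOT NULL DEFAULT false
);
INSERT INTO app_user (username, pw_hash, is_admin)
VALUES ('alice', 'constructed-hash-1', false),
       ('admin', 'constructed-hash-2', true);

-- Weak setting: the GUI's shared database login gets full table rights.
-- The front end may hide the is_admin checkbox, but a plain SQL client
-- sees exactly what the server allows.
CREATE ROLE gui_app LOGIN PASSWORD 'constructed-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON app_user TO gui_app;

-- The check from the post: act as the GUI's account and list the rights
-- the server itself grants it, independent of the front end.
SET ROLE gui_app;
SELECT table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  grantee = current_user
ORDER  BY table_name, privilege_type;
-- With the weak grant this lists DELETE, INSERT, SELECT and UPDATE on
-- app_user, i.e. is_admin and pw_hash are writable from any client;
-- the GUI is the only thing "preventing" it.
RESET ROLE;

-- Corrected setting: revoke the blanket grant and allow only the columns
-- this constructed front end needs, so privilege flags and password
-- hashes are unreachable from the GUI account whatever tool is used.
REVOKE ALL ON app_user FROM gui_app;
GRANT SELECT (id, username) ON app_user TO gui_app;

-- Re-run as gui_app: no table-level rows remain for app_user, and
-- column_privileges shows SELECT on id and username only.
SET ROLE gui_app;
SELECT column_name, privilege_type
FROM   information_schema.column_privileges
WHERE  grantee = current_user AND table_name = 'app_user'
ORDER  BY column_name;
RESET ROLE;
```

Run the script as a superuser (SET ROLE to gui_app requires that or membership in the role); the two SELECTs are the audit step, the GRANT/REVOKE pairs are the before and after.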
