Re: Wishlist for IPS Products

From: PS R (secureyourself_at_gmail.com)
Date: 09/17/04

    Date: Fri, 17 Sep 2004 13:37:26 -0400
    To: focus-ids@securityfocus.com
    
    

    And what about blocking fragmented packets entirely? I would argue
    that this would be an acceptable config on many networks.

    Jack

    On Thu, 16 Sep 2004 23:30:30 -0400, Tony Carter <tcarter@entrusion.com> wrote:
    > David,
    > Can you back your claim that IPS can easily be evaded by fragging
    > packets? Have you actually tested this or is it your guess?
    >
    > -Tony
    >
    >
    >
    >
    > On Sep 12, 2004, at 12:29 AM, David Maynor wrote:
    >
    > > Yeah....I am gonna go ahead and disagree with you on some of these.
    > >
    > >> I have seen a lot of discussion about the differences between IDS,
    > >> IPS, and firewalls and the potential for convergence, but I do not
    > >> recall a discussion on the primary features that an IPS should have
    > >> out of the box.
    > >>
    > >> I am thinking of:
    > >> - Flow Control - limitations on flooding, unused connections, etc...
    > >
    > > Most of this should be handled by the signature base.
    > >
    > >> - Robust, ACCURATE signature base
    > >
    > > Only way to do this and not create tons of false positives is true
    > > protocol parsing. This knocks out most IPS vendors like Tipping Point.
    > >
    > >> - Packet capture - no debate on how much before, as that has been
    > >> covered
    > >> - Pre-deployment network analysis tools to accelerate deployment
    > >> - Anomaly detection
    > >
    > > Why? I have yet to see a system that is more than a parlor trick.
    > > Anomaly-based systems are even easier to evade than sig-based systems
    > > that don't do protocol parsing.
    > >
    > > What I would add is better tools for testing. Almost nobody grabs a
    > > copy of Canvas from Immunity or Impact from Core and actually checks
    > > what attacks are caught. Furthermore, even fewer use modded
    > > copies of public exploits to see if the claims made by vendors are
    > > actually true. How many vendors' IPS implementations would actually catch
    > > an MS03-026 exploit if you frag at the RPC layer at a size like 8
    > > bytes?
    > >
    > > -----------------------------------------------------------------------
    > > ---
    > > Test Your IDS
    > >
    > > Is your IDS deployed correctly?
    > > Find out quickly and easily by testing it with real-world attacks from
    > > CORE IMPACT.
    > > Go to
    > > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
    > > learn more.
    > > -----------------------------------------------------------------------
    > > ---
    > >
    >
    >

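The fragmentation David describes happens at the DCE/RPC layer, above TCP: each fragment is a complete, well-formed RPC request PDU carried in an ordinary, unfragmented IP packet, so a rule that drops IP fragments (Jack's suggestion) never sees it. The script below is an added example, not code from the thread or from any vendor: it builds request PDUs according to the DCE 1.1 RPC (C706) connection-oriented header layout, splits a stub into fragments of a chosen size, and compares what a per-PDU pattern matcher sees against what a reassembling parser sees. The stub contents, the opnum and context id, and the 20-byte marker standing in for a signature are all constructed for illustration; nothing here is an exploit, and PDUs carrying an auth trailer are deliberately rejected rather than parsed.

```python
"""Added example (not from the thread): DCE/RPC-layer fragmentation and why a
per-PDU signature match misses what a reassembling parser catches.

PDU layout follows the DCE 1.1 RPC (C706) connection-oriented common header
(16 bytes) plus the request header fields alloc_hint, p_cont_id and opnum.
The stub payload, opnum, context id and marker below are constructed."""
from __future__ import annotations
import struct

PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PTYPE_REQUEST = 0x00
REQ_HDR_LEN = 24  # 16-byte common header + alloc_hint(4) + p_cont_id(2) + opnum(2)


def build_request_pdus(stub: bytes, frag_size: int, call_id: int = 1,
                       p_cont_id: int = 0, opnum: int = 0) -> list[bytes]:
    """Split `stub` into request PDUs carrying at most `frag_size` stub bytes each."""
    if frag_size < 1:
        raise ValueError("frag_size must be >= 1")
    chunks = [stub[i:i + frag_size] for i in range(0, len(stub), frag_size)] or [b""]
    pdus = []
    for idx, chunk in enumerate(chunks):
        flags = 0
        if idx == 0:
            flags |= PFC_FIRST_FRAG
        if idx == len(chunks) - 1:
            flags |= PFC_LAST_FRAG
        frag_length = REQ_HDR_LEN + len(chunk)
        # rpc_vers=5, rpc_vers_minor=0, ptype, pfc_flags, packed_drep (LE/ASCII),
        # frag_length, auth_length=0, call_id
        hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, flags,
                          b"\x10\x00\x00\x00", frag_length, 0, call_id)
        hdr += struct.pack("<IHH", len(stub), p_cont_id, opnum)  # alloc_hint = total stub
        pdus.append(hdr + chunk)
    return pdus


def parse_pdu(pdu: bytes) -> dict:
    """Parse one request PDU, refusing anything that does not match its own header."""
    if len(pdu) < REQ_HDR_LEN:
        raise ValueError("truncated PDU")
    vers, _minor, ptype, flags, _drep, frag_length, auth_length, call_id = \
        struct.unpack("<BBBB4sHHI", pdu[:16])
    if vers != 5 or ptype != PTYPE_REQUEST:
        raise ValueError("not a DCE/RPC v5 request PDU")
    if frag_length != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    if auth_length:
        raise ValueError("auth trailer not handled in this example")
    _alloc_hint, _p_cont_id, opnum = struct.unpack("<IHH", pdu[16:24])
    return {"flags": flags, "call_id": call_id, "opnum": opnum, "stub": pdu[24:]}


def reassemble(pdus: list[bytes]) -> bytes:
    """Join the stub of one call from in-order fragments; reject malformed sequences."""
    parsed = [parse_pdu(p) for p in pdus]
    if not parsed:
        raise ValueError("no fragments")
    call_id = parsed[0]["call_id"]
    if not parsed[0]["flags"] & PFC_FIRST_FRAG:
        raise ValueError("first fragment lacks PFC_FIRST_FRAG")
    if not parsed[-1]["flags"] & PFC_LAST_FRAG:
        raise ValueError("last fragment lacks PFC_LAST_FRAG")
    for i, p in enumerate(parsed):
        if p["call_id"] != call_id:
            raise ValueError("call_id changed mid-call")
        if i > 0 and p["flags"] & PFC_FIRST_FRAG:
            raise ValueError("unexpected PFC_FIRST_FRAG")
        if i < len(parsed) - 1 and p["flags"] & PFC_LAST_FRAG:
            raise ValueError("PFC_LAST_FRAG before final fragment")
    return b"".join(p["stub"] for p in parsed)


def per_pdu_match(pdus: list[bytes], pattern: bytes) -> bool:
    """What an engine without RPC reassembly sees: the pattern must sit inside one PDU."""
    return any(pattern in parse_pdu(p)["stub"] for p in pdus)


def reassembled_match(pdus: list[bytes], pattern: bytes) -> bool:
    """What a protocol-parsing engine sees: the pattern against the whole stub."""
    return pattern in reassemble(pdus)


# Constructed stub: filler around a 20-byte marker standing in for a signature.
MARKER = b"CONSTRUCTED_MARKER!!"
STUB = b"A" * 40 + MARKER + b"B" * 40


def demo(frag_size: int) -> dict:
    """Fragment the constructed stub and report both detection outcomes."""
    pdus = build_request_pdus(STUB, frag_size)
    return {"fragments": len(pdus),
            "per_pdu": per_pdu_match(pdus, MARKER),
            "reassembled": reassembled_match(pdus, MARKER)}


if __name__ == "__main__":
    for size in (1500, 8):
        print(size, demo(size))
```

With a 1500-byte fragment size the whole stub rides in one PDU and both matchers fire; at 8 bytes the marker is spread over several PDUs, the per-PDU match goes silent, and only the reassembling parser still sees it. Every one of those 8-byte PDUs is a 32-byte, fully valid request in its own TCP segment, which is why an IP-fragment drop rule is irrelevant here and why the reassembler also enforces the first/last flags and call_id consistency instead of blindly concatenating.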

