Re: Wishlist for IPS Products

• Previous message: David Maynor: "Re: Wishlist for IPS Products"
• In reply to: PS R: "Re: Wishlist for IPS Products"
• Next in thread: David Maynor: "Re: Wishlist for IPS Products"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 20 Sep 2004 18:30:15 -0400
To: PS R <secureyourself@gmail.com>

The fragmentation is at the RPC layer and not the IP layer, what
device is going to block that?

On Fri, 17 Sep 2004 13:37:26 -0400, PS R <secureyourself@gmail.com> wrote:
> And what about blocking fragmented packets entirely. I would argue
> that this would be an acceptable config on many networks.
>
> Jack
>
>
>
>
> On Thu, 16 Sep 2004 23:30:30 -0400, Tony Carter <tcarter@entrusion.com> wrote:
> > David,
> > Can you back your claim that IPS can easily be evaded by fragging
> > packets? Have you actually tested this or is it your guess?
> >
> > -Tony
> >
> >
> >
> >
> > On Sep 12, 2004, at 12:29 AM, David Maynor wrote:
> >
> > > Yeah....I am gonna go ahead and disagree with you on some of these.
> > >
> > >> I have seen a lot of discussion about the differences between IDS,
> > >> IPS, and firewalls and the potential for convergence, but I do not
> > >> recall a discussion on the primary features that an IPS should have
> > >> out of the box.
> > >>
> > >> I am thinking of:
> > >> - Flow Control - limitations on flooding, unused connections, etc...
> > >
> > > Most of this should be handled by the signature base.
> > >
> > >> - Robust, ACURATE signature base
> > >
> > > Only way to do this and not create tons of false postives is true
> > > protocol parsing. This knocks out most IPS vendors like Tipping Point.
> > >
> > >> - Packet capture - no debate on how much before, as that has been
> > >> covered
> > >> - Pre-deployment network analysis tools to accelerate deployment
> > >> - Anomaly detection
> > >
> > > Why? I have yet to see a system that is more than a parlor trick.
> > > Anomaly based system are even easier to evade than sig based systems
> > > that don't do protocol parsing.
> > >
> > > What I would add is better tools for testing. Almost nobody grabs a
> > > copy of Canvas from Immunity or Impact from Core and actually checks
> > > what attacks are caught. Further more an even fewer number use modded
> > > copies of public exploits to see if the claims made by vendors are
> > > actually true. How many vendor's IPS implementation would actual catch
> > > a MS03-026 exploit if you frag at the RPC layer at a size like 8
> > > bytes?
> > >
> > > -----------------------------------------------------------------------
> > > ---
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it with real-world attacks from
> > > CORE IMPACT.
> > > Go to
> > > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
> > > learn more.
> > > -----------------------------------------------------------------------
> > > ---
> > >
> >
> >
>
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
> --------------------------------------------------------------------------
>
>

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

• Previous message: David Maynor: "Re: Wishlist for IPS Products"
• In reply to: PS R: "Re: Wishlist for IPS Products"
• Next in thread: David Maynor: "Re: Wishlist for IPS Products"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]