Re: IDS/IPS testing methodology

From: Gianpiero Porchia (gianpiero.porchia_at_gmail.com)
Date: 10/13/04

    Date: Wed, 13 Oct 2004 10:58:29 +0200
    To: focus-ids@securityfocus.com

    Hi,

    I worked on different tests on different NIPS technologies. IMHO the
    NIPS testing falls in the common field of firewall and IDS tests,
    or I prefer to say it's a level 7 firewall test.
    The test is strictly related to your network environment, and should measure:

    - Functionality: how the NIPS performs its job, i.e. if it detects
    attacks, and how it protects your network from them;
    - Performance: how the NIPS does its job in stress conditions
    (throughput, connections per second, application transactions per
    second, latency, etc. etc.);
    - HA: how the NIPS service is always available (which levels of HA they have);
    - Management: how easy it is to manage the system, and which information
    you get from it;
    - Security: how strong the NIPS is, i.e. how it resists attacks
    directed at itself, or how it resists bad traffic.

    Your best starting points are RFC 3511, and OSEC (http://osec.neohapsis.com).
    I suggest you capture your network traffic using a sniffer, for 2-3
    days, and then use a traffic generator like Spirent Web
    Avalanche/Reflector to replay it, also adding crafted traffic
    (Avalanche is able to create HTTP, SMTP, POP3, DNS, RTSP, Telnet,
    etc. etc.), and inject well-known attacks using Blade IDS Informer,
    to perform the tests.

    Pay great attention to the bugs that the NIPS could have (above all in
    load conditions)!
    You can do that also using black box testing tools.

    - gian

    On 9 Oct 2004 21:40:47 -0000, hakked@yahoo.com <hakked@yahoo.com> wrote:
    >
    > New to the IPS arena and am looking for a documented standard or method for testing IPS technologies in parallel. Have a suite of test tools (nessus, IDS Reformer, metasploit, etc.), and we are able to test the NIDS tools fairly well off a hub; however, I'm now concentrating on how to set up the network to be able to test the IPSs in parallel at the same time. This will be an ongoing research project.
    >
    > -j
    >

    -- 
       _____
    Ing. Gianpiero Porchia
    Security Consultant
    ATS - Advanced Telecom Systems S.p.A.
    Designing, Testing, Managing Network Quality
    Via Salgari, 17 - 41100 Modena - ITALY
    Tel   +39 059 821332
    Fax  +39 059 821492
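    An added example, not from the original post or from any of the tools it names, showing how a practitioner could score a test run of the kind described above: captured baseline traffic replayed alongside injected known attacks at increasing load, with the NIPS verdict and added latency recorded per flow. The result records are constructed; the load levels, case labels and thresholds are assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class Result:
    case: str          # constructed test-case label
    attack: bool       # True for an injected known attack, False for replayed baseline traffic
    load_cps: int      # connections per second the NIPS was handling when this flow was sent
    verdict: str       # what the NIPS did with the flow: "blocked", "alerted" or "passed"
    latency_ms: float  # added latency measured through the device for this flow

def score_run(results):
    """Per replay load level: detection rate, block rate, false-positive rate and p95 latency."""
    report = {}
    for load in sorted({r.load_cps for r in results}):
        rs = [r for r in results if r.load_cps == load]
        attacks = [r for r in rs if r.attack]
        benign = [r for r in rs if not r.attack]
        detected = sum(r.verdict != "passed" for r in attacks)  # blocked or at least alerted
        blocked = sum(r.verdict == "blocked" for r in attacks)
        false_pos = sum(r.verdict != "passed" for r in benign)  # baseline traffic interfered with
        lat = sorted(r.latency_ms for r in rs)
        report[load] = {
            "detection_rate": detected / len(attacks) if attacks else None,
            "block_rate": blocked / len(attacks) if attacks else None,
            "false_positive_rate": false_pos / len(benign) if benign else None,
            "p95_latency_ms": lat[math.ceil(0.95 * len(lat)) - 1],
        }
    return report

def degrades_under_load(report, max_drop=0.05):
    """True if detection at the highest load drops more than max_drop below the lowest load."""
    loads = sorted(report)
    low, high = report[loads[0]]["detection_rate"], report[loads[-1]]["detection_rate"]
    return None not in (low, high) and (low - high) > max_drop

# Constructed results: 4 known attacks and 4 baseline flows, replayed at 100 and 5000 cps.
RESULTS = [
    Result("attack-A", True, 100, "blocked", 0.5), Result("attack-B", True, 100, "blocked", 0.6),
    Result("attack-C", True, 100, "blocked", 0.4), Result("attack-D", True, 100, "alerted", 0.7),
    Result("base-http", False, 100, "passed", 0.4), Result("base-smtp", False, 100, "passed", 0.5),
    Result("base-dns", False, 100, "passed", 0.5), Result("base-pop3", False, 100, "passed", 0.6),
    Result("attack-A", True, 5000, "blocked", 2.1), Result("attack-B", True, 5000, "blocked", 3.4),
    Result("attack-C", True, 5000, "passed", 2.8), Result("attack-D", True, 5000, "passed", 9.6),
    Result("base-http", False, 5000, "blocked", 2.5), Result("base-smtp", False, 5000, "passed", 3.0),
    Result("base-dns", False, 5000, "passed", 2.9), Result("base-pop3", False, 5000, "passed", 4.1),
]
REPORT = score_run(RESULTS)
```

    Comparing the two load levels is what surfaces the "bugs under load" the post warns about: here detection halves and a baseline flow gets blocked once the device is stressed.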
