Re: location of an IPS

From: Kurt Seifried (bt_at_seifried.org)
Date: 10/20/05

    To: "Doug Fox" <dfox168@hotmail.com>, <focus-ids@securityfocus.com>
    Date: Wed, 19 Oct 2005 22:13:46 -0600

    > I'm sorry for this dumb question, which may have been answered many times.
    >
    > Where should one place a TippingPoint Unity 50 IPS device? Behind or in
    > front of a firewall?

    Depends what you want to measure. Broadly speaking in front of the firewall
    means you're measuring attempts, behind the firewall they are penetrations
    (or do both and then compare them, that way you can actually tell management
    "look we're stopping 90% of detected attacks, now would you please let me
    tighten the firewall rules so that's 100%?" or something). One thing to
    remember is to look for outgoing attacks as well, that's a good indication
    of a compromised host or a hostile user.

    > I have a/the TippingPoint behind a Check Point firewall. Even though we
    > externally and internally port-scanned the firewall and the IPS many
    > times, the activity log did not contain any record of the "attacks".

    On the one hand good, that would have been a false positive technically
    speaking, otoh that's bad, it probably should have alerted on that (even if
    it is a false positive). Sounds like you need to sit down and do the
    setup/configuration/alerting/whatnot (aka the hard parts of IDS/IPS).
    Broadly speaking you're saying "it's broken" to which I can only say
    "bummer. try fixing it."

    > What am I missing here? Any pointers are appreciated.
    >
    > Thanks,

    The dreaded C word comes to mind (consultant), if your company lacks the
    expertise to set this up buy someone's time who does.

    -Kurt
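The two-sensor comparison described in the reply above (attempts in front of the firewall, penetrations behind it, plus a check for outbound alerts from internal hosts), as an added example that is not part of the original post or of any vendor's product. The alert line format, the internal address range and every log line are constructed for the illustration.

```python
# Added example: correlate alerts from an IPS sensor placed in front of a
# firewall ("attempts") with one placed behind it ("penetrations"), report
# the share the firewall stopped, and flag outbound alerts whose source is
# an internal host. Log format and addresses are constructed.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed alert lines: "sensor,signature,src,dst"
OUTER_LOG = """\
outer,SMB-overflow,198.51.100.7,10.0.1.5
outer,SMB-overflow,198.51.100.9,10.0.1.5
outer,HTTP-traversal,203.0.113.4,10.0.2.8
outer,SSH-brute,198.51.100.7,10.0.3.1
outer,IRC-botnet-c2,10.0.4.12,203.0.113.99
"""
INNER_LOG = """\
inner,HTTP-traversal,203.0.113.4,10.0.2.8
inner,IRC-botnet-c2,10.0.4.12,203.0.113.99
"""

def parse(log):
    """Return the set of (signature, src, dst) tuples in one sensor's log."""
    events = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        _sensor, sig, src, dst = line.split(",")
        events.add((sig, src, dst))
    return events

def compare(outer_log, inner_log):
    """Inbound attempts seen outside vs. those that also reached the inner sensor."""
    outer = {e for e in parse(outer_log) if ip_address(e[1]) not in INTERNAL}
    inner = {e for e in parse(inner_log) if ip_address(e[1]) not in INTERNAL}
    penetrated = outer & inner  # same signature, source and destination on both sensors
    stopped_pct = 100.0 * (1 - len(penetrated) / len(outer)) if outer else 0.0
    return {"attempts": len(outer), "penetrations": len(penetrated),
            "stopped_pct": round(stopped_pct, 1),
            "penetrated_sigs": sorted(e[0] for e in penetrated)}

def outbound_alerts(log):
    """Alerts sourced from an internal host: a sign of a compromised host or hostile user."""
    return sorted(e for e in parse(log) if ip_address(e[1]) in INTERNAL)

if __name__ == "__main__":
    print(compare(OUTER_LOG, INNER_LOG))   # 4 attempts, 1 penetration, 75.0% stopped
    print(outbound_alerts(INNER_LOG))      # the internal host talking to a C2 address
```

Matching on the full (signature, src, dst) tuple keeps the count honest; matching on signature alone would credit the firewall with stopping attacks that simply came from a different source.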



