RE: location of an IPS

From: Derick Anderson (danderson_at_vikus.com)
Date: 10/20/05

    Date: Thu, 20 Oct 2005 09:33:13 -0400
    To: "Doug Fox" <dfox168@hotmail.com>, <focus-ids@securityfocus.com>
    
    

     

    > -----Original Message-----
    > From: Doug Fox [mailto:dfox168@hotmail.com]
    > Sent: Wednesday, October 19, 2005 4:58 PM
    > To: focus-ids@securityfocus.com
    > Subject: location of an IPS
    >
    > I'm sorry for this dumb question, which may have been
    > answered many times.
    >
    > Where should one place a TippingPoint Unity 50 IPS device?
    > Behind or in front of a firewall?
    >
    > I have a/the TippingPoint behind a Check Point firewall. Even
    > though we externally and internally port-scanned the firewall
    > and the IPS many times, the activity log did not contain any
    > record of the "attacks".
    >
    > What am I missing here? Any pointers are appreciated.
    >
    > Thanks,
    >

    Where you place it depends on what you want to audit. I prefer behind
    the firewall, since I'm only concerned about what gets through, but some
    people want to know it all. My opinion is that there's too much
    information to effectively monitor what's going on. A successful attack
    may only generate a couple alerts.

    As for your scans, what kind of scan (connect, stealth, XMAS, etc.) did
    you use? Your IDS may also be ignoring internal traffic. If you've got
    access to a system outside your network (i.e., home PC), try attacking
    it from there. Make sure your ISP doesn't "frown" on that kind of
    activity first though...

    Derick Anderson
