Re: location of an IPS

From: Seek Knowledge (aseeker03_at_yahoo.com)
Date: 10/22/05

    Date: Sat, 22 Oct 2005 01:41:16 +0100 (BST)
    To: Doug Fox <dfox168@hotmail.com>, focus-ids@securityfocus.com
    
    

    Doug...
    I faced a similar problem when I tested the UnityOne.
    My observations below may help to clarify some of your
    questions:
    1) For infrastructure protection... put the IPS in
    front of the firewall (internet-side).
    2) Many events are by default configured as
    notify-only, some are block+notify and some are
    block-only.
    3) The ones that are notify have different "levels" of
    notifying. I can't remember exactly what they are
    called but in essence some will show up as stats only,
    and some will have full block details associated with
    them.
    4) TP swears that they are blocking the vulnerability
    itself and thus LanGuard scans don't actually trip the
    vulnerability. We never came to a consensus on this
    one. The standard PHF string contains the basis of the
    buffer overflow exploit no matter what you change in
    the attack string... TP did not out of the box catch
    it. Actually... I don't remember if it ever did stop
    the PHF's that I threw at it. My sniffers on the other
    side of UnityOne recorded the full attack and my
    exploit went through untouched. I basically use the
    PHF signature the same way the anti-virus world uses
    the EICAR file... to test to make sure the anti-virus
    is working.

    I hope someone from TP can help to clarify why they
    think LanGuard doesn't give accurate results against
    their product (i.e. is not detected) but other
    products do detect it.

    -Aseeker

    --- Doug Fox <dfox168@hotmail.com> wrote:

    > I'm sorry for this dumb question, which may have
    > been answered many times.
    >
    > Where should one place a TippingPoint Unity 50 IPS
    > device? Behind or in
    > front of a firewall?
    >
    > I have a/the TippingPoint behind a Check Point
    > firewall. Even though we
    > externally and internally port-scanned the firewall
    > and the IPS many times,
    > the activity log did not contain any record of the
    > "attacks".
    >
    > What am I missing here? Any pointers are
    > appreciated.
    >
    > Thanks,
    >

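The placement question in this thread (IPS on the internet side of the firewall versus behind it, and why an external port scan left no record in the IPS log) can be shown with a small inline-chain model. This is an added example for this archive page, not code from the thread, from TippingPoint or from Check Point. It simplifies the firewall to a stateless port allow-list and the IPS to a few signatures carrying the notify, block and block+notify actions the post describes; the addresses, signature names and probe strings are all constructed for the demonstration.

```python
"""Inline packet-flow model: firewall and IPS in both orders.

Added illustration for this focus-ids archive page, not code from the thread
or from any vendor. Addresses come from the RFC 5737 documentation ranges and
every signature, action and probe string is constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


class Firewall:
    """Simplified stateless allow-list: a packet to any other port is dropped
    here and never reaches the next inline device."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def process(self, pkt, events):
        if pkt.dport in self.allowed:
            return pkt
        events.append(("firewall", "drop", f"{pkt.src}->{pkt.dst}:{pkt.dport}"))
        return None


@dataclass
class Signature:
    name: str
    action: str                      # "notify", "block" or "block+notify"
    pattern: Optional[bytes] = None  # content match on the payload, or ...
    scan_threshold: int = 0          # ... distinct destination ports per source


class IPS:
    """Signature-based inline sensor. Only actions containing "notify" write an
    event; "block" alone drops the packet silently, as the post describes."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.ports_seen = defaultdict(set)  # src -> distinct dports observed
        self.scan_reported = set()          # (src, signature) already logged

    def process(self, pkt, events):
        self.ports_seen[pkt.src].add(pkt.dport)
        verdict = pkt
        for sig in self.signatures:
            hit = False
            if sig.pattern is not None:
                hit = sig.pattern in pkt.payload
            elif sig.scan_threshold:
                key = (pkt.src, sig.name)
                hit = (len(self.ports_seen[pkt.src]) >= sig.scan_threshold
                       and key not in self.scan_reported)
                if hit:
                    self.scan_reported.add(key)
            if not hit:
                continue
            if "notify" in sig.action:
                events.append(("ips", sig.action, sig.name))
            if "block" in sig.action:
                verdict = None  # dropped; keep looping so other hits still log
        return verdict


def run_chain(devices, packets):
    """Push each packet through the inline devices in order; a device that
    returns None dropped it, so devices further along never see it."""
    events = []
    for pkt in packets:
        for dev in devices:
            pkt = dev.process(pkt, events)
            if pkt is None:
                break
    return events


def ips_events(events):
    """Only the sensor's own log, as (action, signature) pairs."""
    return [(act, name) for dev, act, name in events if dev == "ips"]


SCANNER, TARGET = "203.0.113.5", "198.51.100.10"  # constructed addresses


def sample_traffic():
    """A seven-port scan followed by three HTTP requests to the web port."""
    scan = [Packet(SCANNER, TARGET, p) for p in (21, 22, 23, 25, 80, 443, 8080)]
    web = [
        Packet(SCANNER, TARGET, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        Packet(SCANNER, TARGET, 80, b"GET /?q=IPS-SELFTEST-CANARY HTTP/1.0\r\n\r\n"),
        Packet(SCANNER, TARGET, 80, b"GET /?q=NOISY-PROBE HTTP/1.0\r\n\r\n"),
    ]
    return scan + web


def build_ips():
    return IPS([
        Signature("port-scan", "notify", scan_threshold=5),
        Signature("selftest-canary", "block+notify", pattern=b"IPS-SELFTEST-CANARY"),
        Signature("noisy-probe", "block", pattern=b"NOISY-PROBE"),
    ])


def compare_placements(allowed_ports=(80, 443)):
    """Run identical traffic with the IPS on the internet side of the firewall,
    then with the IPS behind it; return each sensor's event log."""
    front = run_chain([build_ips(), Firewall(allowed_ports)], sample_traffic())
    behind = run_chain([Firewall(allowed_ports), build_ips()], sample_traffic())
    return {"ips_in_front": ips_events(front), "ips_behind": ips_events(behind)}


if __name__ == "__main__":
    for placement, log in compare_placements().items():
        print(placement, log)
```

With the sensor in front, the scan crosses the distinct-port threshold and is logged, and the blocked canary request is logged as well. With the sensor behind the firewall, the probes to filtered ports are dropped before the IPS ever sees them, so the threshold is never reached and the scan leaves no trace, which is the quiet activity log Doug describes. The block-only signature drops its packet in both placements without writing anything, so an empty log on its own does not show that nothing was blocked; a canary string with a block+notify action, used the way the post uses the PHF string, is what confirms the sensor is both inline and logging.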
