RE: Threats to IDS/IPS deployments
- From: "Andy Cuff" <lists@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 31 May 2007 12:50:59 +0100
Hi Leea,
Off the top of my head, a couple of other elements that we check on are:
1. Inappropriate tuning - too much. Where certain signatures are tuned out that really shouldn't be; this could easily form an entire topic in its own right and is my pet hate. This could mean that a signature is disabled entirely or the filtered addresses are too broad. My suggestion is for a second set of eyes to validate the tuning within a defined period.
2. Inappropriate tuning - too little. Where the deployment hasn't been tuned and the analysts cannot see the wood for the trees.
3. Effective blocking. Where IPS is deployed, is blocking set correctly, i.e. not too strict so as to affect operations yet strict enough to counter arising threats?
4. Updatedness. How up to date is the deployment, and are the update processes solid?
5. Sensor coverage. Are there any gaps in coverage, and does the deployment complement a defence-in-depth solution?
6. Who and/or what is the weakest link?
Good Luck
Andy Cuff
Computer Network Defence Ltd
www.SecurityWizardry.com
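Andy's first point (signatures suppressed for address ranges that are far too broad, or with no address restriction at all, so the signature is effectively disabled) is the kind of check that can be automated before the "second set of eyes" review. The script below is an added example for this thread, not code from either poster. It parses the classic Snort/Suricata `suppress gen_id N, sig_id M[, track by_src|by_dst, ip ADDR]` syntax from a `threshold.conf`-style file and flags entries that suppress more than a policy limit of hosts or that carry no `ip` clause. The sample configuration and the 256-host limit are constructed for illustration; negated addresses and variables are deliberately sent to manual review rather than guessed at.

```python
"""Flag over-broad suppressions in a Snort/Suricata threshold.conf.

Added example for this thread, not code from the original posts. Assumes the
'suppress gen_id N, sig_id M[, track by_src|by_dst, ip ADDR]' syntax, with
ADDR a single address, a CIDR, or a bracketed comma-separated list.
The sample file and the 256-host policy limit are constructed for illustration.
"""
import ipaddress
import re

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>.+?))?\s*$"
)

# Constructed sample threshold.conf (not from the original post).
SAMPLE_THRESHOLD_CONF = """\
# one noisy host: fine
suppress gen_id 1, sig_id 2002087, track by_src, ip 10.1.1.54
# whole private /8: far too broad
suppress gen_id 1, sig_id 2008124, track by_src, ip 10.0.0.0/8
# no ip at all: the signature is effectively disabled
suppress gen_id 1, sig_id 2100498
# two /28s: fine
suppress gen_id 1, sig_id 2010935, track by_dst, ip [192.168.5.0/28, 192.168.6.0/28]
"""


def count_addresses(ip_field):
    """Return how many addresses an 'ip' field covers, or None when it cannot
    be evaluated safely (negations, variables, typos need a human)."""
    total = 0
    for part in ip_field.strip("[] ").split(","):
        part = part.strip()
        if not part or part.startswith("!"):
            return None
        try:
            total += ipaddress.ip_network(part, strict=False).num_addresses
        except ValueError:
            return None
    return total


def audit_suppressions(conf_text, max_hosts=256):
    """Return (line_no, sid, reason) for every suppress entry that needs a
    second set of eyes. Entries covering at most max_hosts addresses pass."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            continue  # threshold/event_filter lines are out of scope here
        sid = int(m.group("sid"))
        if m.group("ip") is None:
            findings.append((line_no, sid,
                             "no ip restriction: signature effectively disabled"))
            continue
        n = count_addresses(m.group("ip"))
        if n is None:
            findings.append((line_no, sid,
                             "address field not parseable: review manually"))
        elif n > max_hosts:
            findings.append((line_no, sid, f"suppression covers {n} addresses"))
    return findings


if __name__ == "__main__":
    for line_no, sid, reason in audit_suppressions(SAMPLE_THRESHOLD_CONF):
        print(f"line {line_no}: sid {sid}: {reason}")
```

Run against a real `threshold.conf` by reading the file into `audit_suppressions`; the output is a short list for the reviewer rather than the whole tuning file, and the `max_hosts` limit is the one policy knob to agree on up front.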
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of leeahart05@xxxxxxx
Sent: 30 May 2007 23:45
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Threats to IDS/IPS deployments
I'm performing a risk assessment for a commercial IPS deployment at my place of work. The scope of the assessment is limited to how we implemented and deployed the product - not how the product works. Some areas that I will be reviewing include authentication and authorization to the sensors and management systems, backup of data and configuration settings, hardening of the sensors/systems, and best practices such as testing signatures prior to installation into production. I apologize if this is the wrong place to post. I'm looking for input from this list as to current threats against IPS/IDS installations as well as other areas to review during my assessment. Thanks!
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------