Re: Threats to IDS/IPS deployments



Leea,

Your post raises an interesting topic: how often do users perform an assessment of their key security defenses to prove that they perform operationally as described in the marketing materials? My bet is not that often in reality.

I have worked in the security market space for the last 15 years and during that time have seen many end users want to, but not really know how to, test their security defenses. You spend a lot of money on these systems, then many times users put their faith in the product working as advertised without really being able to prove it or having the necessary tools to help.

One regular post to this list is "can I use a vulnerability scanner to test my IDS/IPS?" The answer is generally no, as they are not designed for that purpose.

There are a number of things that you should really look at when testing an IDS or IPS system, and one of the most important is just how usable it is.

If the worst happens and some kind of attack is picked up, does the management console become unusable due to the scale and volume of alerts? (I've seen many deployments where a slight burst in activity can make the management system become a monster and unusable.)

How easy is it to spot if a sensor has gone offline? (I've seen many occasions when, according to the management console, the sensor is working fine and active, but in reality somehow it has "gone to sleep" and is not picking up anything.)

There are a number of resources out there to help you:

http://www.karalon.com/products.htm

The Tolly Group also published a whitepaper on IPS testing and benchmarking that you may find interesting:

http://www.tolly.com/ts/2006/TollyEdge/IPS-Wired/TollyWP206115TollyEdgeIPS-Wired-May2006.pdf

Regards
Tony


Tony Haywood
CTO
www.karalon.com
Audit, Test, Prove & Validate

