IDS mailing list archives
RE: newbie quetsions
From: THolman () toplayer com
Date: Fri, 14 Jan 2005 11:26:35 -0500
When defining an IPS policy, you would define valid assets within your network (e.g. HTTP servers, SMTP servers etc). You would then define an Acceptable Usage Policy (AUP) for each of these services, so at L3 - how many TCP connections you should allow to each, what rate of UDP packets you would allow and so forth. Then at L4-7 you would take deeper action on the packet content once they have passed these basic tests - so, are HTTP packets RFC compliant? Do their headers or payloads contain data that could exploit vulnerabilities?

So - a true IPS will NEVER drop valid traffic as it has passed a series of acceptable usage tests to ensure it is in no way malicious. What you need to worry about is whether or not your AUP will ever let through malicious traffic, rather than your IPS dropping valid traffic, because if you've defined an AUP properly, then your IPS should NEVER drop valid traffic.

However, there are a number of IPS devices on the market that will break AUPs under certain circumstances (usually heavy load) plus also drop valid traffic - so be careful when choosing an IPS and make sure you ask your potential IPS vendor exactly how they guarantee that AUPs are fully resistant under ANY network conditions, and how they ensure that valid traffic is NEVER dropped (i.e. 0% packet loss).

Hope this helps!

Regards,
Tim

-----Original Message-----
From: Stefano Zanero
To: Scruggs Stephen D SSgt AFWA/SCHS
Cc: Mike Paquette; focus-ids () securityfocus com
Sent: 12/01/05 14:26
Subject: Re: newbie quetsions

Scruggs Stephen D SSgt AFWA/SCHS wrote:
> Even if the device has the latest and greatest features and would increase our
> security policy tenfold if we used it, if there was the slightest chance it
> would drop data, we would throw it out immediately.
What you mean, here, is that you will never, ever use an IPS on your network, since dropping data is exactly what the thing is used for...

Or perhaps what you mean is that you don't want to lose non-attack data (so, you are looking for zero-false-positive tools). Or perhaps what you mean is that you don't want to lose packets due to full queues (so, you are looking for really fast algorithms). Or perhaps both.

In every case, there IS more than the "slightest chance" an IPS will drop data. It's a distinct possibility: it's what the device is used for. If the idea is "better not to drop attack packets, because letting through ALL legitimate packets is so important to us" then you should just look at other technologies.

Stefano

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
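The two-stage policy Tim describes (per-asset L3 acceptable-usage limits first, content inspection on what survives) can be modelled in a few dozen lines. The following is an added illustration, not code from anyone in this thread or from any IPS product: the `Aup`/`Ips` classes, the asset names, the limits and the sample traffic are all constructed here. The L7 stage is limited to an HTTP request-line and header syntax check against the RFC 2616 token grammar; a real IPS would go much further.

```python
"""
Toy model of an AUP-driven IPS policy (constructed example):
  1. L3/L4 limits per defined asset: max concurrent TCP connections,
     max UDP packets per second.
  2. L4-7 check on traffic that passed step 1: HTTP request-line and
     header syntax per the RFC 2616 grammar.
Traffic to an asset that is not defined at all is dropped.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# RFC 2616 "token" characters (no separators, no control characters).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_REQUEST_LINE = re.compile(rf"^{_TOKEN} \S+ HTTP/\d\.\d$")
# Header: token ":" optional whitespace, then a value free of CTLs (tab allowed).
_HEADER_LINE = re.compile(rf"^{_TOKEN}:[ \t]*[^\x00-\x08\x0a-\x1f\x7f]*$")


@dataclass
class Aup:
    """Acceptable Usage Policy for one asset (hypothetical fields)."""
    max_tcp_conns: int = 0      # concurrent TCP connections allowed
    max_udp_pps: int = 0        # UDP packets allowed per one-second window
    inspect_http: bool = False  # apply the L7 HTTP syntax check to payloads


@dataclass
class Ips:
    assets: dict                                    # asset name -> Aup
    tcp_conns: dict = field(default_factory=lambda: defaultdict(int))
    udp_count: dict = field(default_factory=lambda: defaultdict(int))
    udp_window: dict = field(default_factory=dict)  # asset -> current second

    def l3_check(self, asset, ev):
        """Stage 1: enforce the asset's connection and rate limits."""
        aup = self.assets[asset]
        if ev["proto"] == "tcp":
            if ev.get("flag") == "syn":
                if self.tcp_conns[asset] >= aup.max_tcp_conns:
                    return "drop: TCP connection limit exceeded"
                self.tcp_conns[asset] += 1
            elif ev.get("flag") == "fin":
                self.tcp_conns[asset] = max(0, self.tcp_conns[asset] - 1)
        elif ev["proto"] == "udp":
            sec = int(ev["ts"])
            if self.udp_window.get(asset) != sec:   # new one-second window
                self.udp_window[asset], self.udp_count[asset] = sec, 0
            self.udp_count[asset] += 1
            if self.udp_count[asset] > aup.max_udp_pps:
                return "drop: UDP rate limit exceeded"
        return None

    @staticmethod
    def l7_http_check(payload):
        """Stage 2: is the HTTP request syntactically RFC compliant?"""
        lines = payload.split("\r\n")
        if not _REQUEST_LINE.match(lines[0]):
            return "drop: malformed HTTP request line"
        for h in lines[1:]:
            if h == "":           # blank line ends the header block
                break
            if not _HEADER_LINE.match(h):
                return f"drop: malformed HTTP header {h!r}"
        return None

    def evaluate(self, ev):
        """Return 'allow' or a 'drop: <reason>' verdict for one event."""
        asset = ev["asset"]
        if asset not in self.assets:
            return "drop: not a defined asset"
        verdict = self.l3_check(asset, ev)
        if verdict:
            return verdict
        if self.assets[asset].inspect_http and "payload" in ev:
            verdict = self.l7_http_check(ev["payload"])
            if verdict:
                return verdict
        return "allow"


def run_sample():
    """Push constructed sample traffic through the policy; return the verdicts."""
    ips = Ips(assets={"www": Aup(max_tcp_conns=2, inspect_http=True),
                      "dns": Aup(max_udp_pps=2)})
    events = [  # constructed traffic, in arrival order
        {"asset": "www", "proto": "tcp", "flag": "syn", "ts": 0.0},
        {"asset": "www", "proto": "tcp", "ts": 0.1,
         "payload": "GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
        {"asset": "www", "proto": "tcp", "flag": "syn", "ts": 0.2},
        {"asset": "www", "proto": "tcp", "flag": "syn", "ts": 0.3},  # 3rd conn
        {"asset": "www", "proto": "tcp", "ts": 0.4,                   # CTL byte
         "payload": "GET /x HTTP/1.1\r\nHost: www\r\nX-Bad\x01: 1\r\n\r\n"},
        {"asset": "dns", "proto": "udp", "ts": 5.0},
        {"asset": "dns", "proto": "udp", "ts": 5.2},
        {"asset": "dns", "proto": "udp", "ts": 5.4},                  # 3rd pkt
        {"asset": "dns", "proto": "udp", "ts": 6.1},                  # new window
        {"asset": "ftp", "proto": "tcp", "flag": "syn", "ts": 7.0},
    ]
    return [ips.evaluate(e) for e in events]


if __name__ == "__main__":
    for v in run_sample():
        print(v)
```

The sample output makes both sides of the thread visible: the third UDP packet to "dns" in one second is dropped whether or not it was legitimate, so the AUP limit, not the IPS engine, decides what counts as a false positive. Stefano's point about load-induced loss is outside this model; it would show up as packets the device never evaluated at all.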
Current thread:
- Re: newbie quetsions (on how much Snort sucks), (continued)
- Re: newbie quetsions (on how much Snort sucks) Dave Aitel (Jan 11)
- Re: newbie quetsions (on how much Snort sucks) Martin Roesch (Jan 11)
- Re: newbie quetsions Mike Paquette (Jan 10)
- RE: newbie quetsions Julius Detritus (Jan 12)
- Re: newbie quetsions Rainer Duffner (Jan 17)
- About IPS testing (was: newbie quetsions) Julius Detritus (Jan 19)
- Re: About IPS testing Tod Beardsley (Jan 24)
- RE: newbie quetsions Julius Detritus (Jan 12)
- Re: newbie quetsions Stefano Zanero (Jan 14)