IDS mailing list archives
Re: location of an IPS
From: Seek Knowledge <aseeker03 () yahoo com>
Date: Sat, 22 Oct 2005 01:41:16 +0100 (BST)
Doug... I faced a similar problem when I tested the UnityOne. My observations below may help to clarify some of your questions: 1) For infrastructure protection... put the IPS in front of the firewall (internet-side). 2) Many events are by default configured as notify-only, some are block+notify and some are block-only. 3) The ones that are notify have different "levels" of notifying. I can't remember exactly what they are called but in essence some will show up as stats only, and some will have full block details associated with them. 4) TP swears that they are blocking the vulnerability itself and thus LanGuard scans don't actually trip the vulnerability. We never came to a consensus on this one. The standard PHF string contains the basis of the buffer overflow exploit no matter what you change in the attack string... TP did not out of the box catch it. Actually... I don't remember if it ever did stop the PHF's that I threw at it. My sniffers on the other side of UnityOne recorded the full attack and by exploit went through untouched. I basically use the PHF signature the same way the anti-virus world uses the EICAR file... to test to make sure the anti-virus is working. I hope someone from TP can help to clarify why they think LanGuard doesn't give accurate results against their product (i.e. is not detected) but other products do detect it. -Aseeker --- Doug Fox <dfox168 () hotmail com> wrote:
I'm sorry for this dumb question, which may have been answered many times. Where should one place an TippingPoint Unity 50 IPS device? Behind or in front of a firewall? I have a/the TippingPoint behind a Check Point firewall. Even though we externally and internally port-scanned the firewall and the IPS many times, the activity log did not contain any record of the "attacks". What am I missing here? Any pointers are appreciated. Thanks,
------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
Send instant messages to your online friends http://uk.messenger.yahoo.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- location of an IPS Doug Fox (Oct 19)
- Re: location of an IPS Kurt Seifried (Oct 20)
- Re: location of an IPS FinAckSyn (Oct 20)
- Re: location of an IPS Kurt Seifried (Oct 21)
- Re: location of an IPS FinAckSyn (Oct 21)
- Re: location of an IPS Kurt Seifried (Oct 21)
- Re: location of an IPS Paul Schmehl (Oct 20)
- Re: location of an IPS ilaiy (Oct 21)
- Re: location of an IPS Seek Knowledge (Oct 21)
- <Possible follow-ups>
- RE: location of an IPS Gary Halleen (ghalleen) (Oct 20)
- RE: location of an IPS Derick Anderson (Oct 20)
- RE: location of an IPS Swift, David (Oct 20)
- RE: location of an IPS kgeorgiades (Oct 20)
- RE: location of an IPS Bourque Daniel (Oct 21)
- Re: Re: location of an IPS asalo (Oct 21)