IDS mailing list archives
AW: An insider attack scenario
From: "Daniel, Akos" <a.daniel () drillisch-telecom de>
Date: Tue, 16 Jun 2009 11:56:31 +0200
Hi,

Have you heard about NAC and HIPS?
http://en.wikipedia.org/wiki/Network_Access_Control
http://en.wikipedia.org/wiki/Host_based_intrusion_detection_system

Those tools will see what you do. And if the firewalls, IPS, HIPS and NAC cooperate with a SIM/SIEM*, then you 'have to run'! :-)

My example from the future:

1. The switch realises a new port is activated -> signals it to the SIM
2. The NAC realises your scan (or any unusual things) from the newly opened port -> signals it to the SIM
3. The HIPS on the host realises the scan (or any unusual things) as well -> signals it to the SIM and to the firewall
4. The firewall reacts and denies any traffic that goes through with your IP -> you may sign it
5. In the NOC** the SIM GUI is opened on a monitor, and in the left corner of this monitor a camera display - from the room where the port is patched - appears
6. The camera sees you; the security guard gets a phone call from the NOC
7. I wake up from my sweet dreams :-)

*SIM: http://en.wikipedia.org/wiki/Computer_security_incident_management
**NOC: http://en.wikipedia.org/wiki/Network_operations_center

Cheers,
Akos

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of pamaclark () yahoo com
Sent: Wednesday, 10 June 2009 17:25
To: focus-ids () securityfocus com
Subject: An insider attack scenario

Hi, I'm new to IDS/IPS...

Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staff restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right? So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. That means I will know which sub-networks are monitored and which are not, right?

So I can launch attacks on those unmonitored network segments without being detected. Does this sound plausible? And what current IDS/IPS technologies can be used against this? Thanks
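The correlation chain Akos sketches (switch port-up, then NAC and HIPS scan alerts for the same IP, then a firewall deny) can be expressed as a small SIEM-style rule. The following is an added example, not code from the mailing list or from any of the products mentioned; the event lines, their key=value format and the 600-second window are all constructed for this illustration.

```python
from collections import defaultdict

# Constructed sample events from the three sources in the scenario.
# The key=value format is invented here; a real SIM/SIEM would ingest syslog, CEF, etc.
EVENTS = [
    "t=100 src=switch event=port_up port=Gi1/0/7 mac=00:11:22:33:44:55 ip=10.0.5.23",
    "t=130 src=nac event=scan_detected ip=10.0.5.23 targets=42",
    "t=140 src=hips host=srv-db01 event=portscan from_ip=10.0.5.23",
    "t=300 src=switch event=port_up port=Gi1/0/9 mac=00:aa:bb:cc:dd:ee ip=10.0.5.40",
    "t=1000 src=nac event=scan_detected ip=10.0.5.40 targets=3",  # too late: outside window
]

WINDOW = 600  # seconds after port_up during which scan alerts are tied to that port


def parse(line):
    """Turn one 'k=v k=v ...' event line into a dict of strings."""
    return dict(tok.split("=", 1) for tok in line.split())


def correlate(lines, window=WINDOW):
    """Apply the rule: port_up, then NAC *and* HIPS scan alerts for the same IP
    within `window` seconds -> firewall 'deny' for that IP.
    Returns (decisions, evidence): decisions maps ip -> 'deny'; evidence keeps
    the ordered trail an operator would see on the SIM console."""
    port_up = {}                  # ip -> time the switch reported the port up
    signals = defaultdict(set)    # ip -> set of sources that flagged it ('nac', 'hips')
    evidence = defaultdict(list)  # ip -> human-readable event trail
    decisions = {}                # ip -> 'deny'
    for line in lines:
        ev = parse(line)
        t = int(ev["t"])
        if ev["event"] == "port_up":
            port_up[ev["ip"]] = t
            evidence[ev["ip"]].append(f"{t}: switch port {ev['port']} up")
            continue
        ip = ev.get("ip") or ev.get("from_ip")  # NAC reports ip=, HIPS reports from_ip=
        if ip not in port_up or t - port_up[ip] > window:
            continue  # not linked to a freshly activated port: leave it for an analyst
        signals[ip].add(ev["src"])
        evidence[ip].append(f"{t}: {ev['src']} {ev['event']}")
        if {"nac", "hips"} <= signals[ip] and ip not in decisions:
            decisions[ip] = "deny"
            evidence[ip].append(f"{t}: firewall deny {ip}")
    return decisions, dict(evidence)


if __name__ == "__main__":
    decisions, evidence = correlate(EVENTS)
    for ip, trail in evidence.items():
        print(ip, decisions.get(ip, "no action"), trail)
```

The second host shows the flip side of the rule: a single NAC alert arriving long after the port came up does not produce a deny, so a real deployment still needs an analyst queue for the events the automatic rule leaves alone.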