Re: An insider attack scenario

[Jeremy Bennett <jeremyfb () mac com>]

An IPS is very valuable both in protecting a DMZ and in protecting  
internal assets. However, it is not a panacea. A secure network  
topology should include department firewalls separating off subnets  
that have different access restrictions and individual hosts should be  
secured as well.

So, even if the IPS administrator was your internal attacker he or she  
should not be able to gain unauthorized access because other measures  
are in place.

To be honest an internal IPS would be one of the last security devices  
I would invest in when securing an internal network.

-J

On Jun 10, 2009, at 8:24 AM, pamaclark () yahoo com wrote:

> Hi,
>
> I'm new to IDS/IPS...
>
> Suppose a company has a large network, which is divided into several  
> sub-network segments. Due to finance or staffs restrictions, the  
> company could only use a limited number of sensors, hence leave some  
> internal sub-networks unmonitored. I guess this is quite common in  
> real world right?
>
> So, if I were an inside attacker, I may find out sensor locations  
> (either physical of logical locations) by fingerprinting the sensors  
> as discussed in some previous threads or whatever tricks. Means I  
> will know which sub-networks are monitored and others are not,  
> right? So that I can launch attacks to those unmonitored network  
> segments without being detected.
>
> Does this sound plausible? And what current IDS/IPS technologies can  
> be used to against this?
>
> Thanks

Attachment: smime.p7s
Description: