RE: Intrusion Prevention requirements document

From: Tony Haywood (thaywood@karalon.com)
Date: Fri Nov 04 2005 - 15:53:51 EST

• Next message: Jeroen: "Cisco Secret 5 algorithm?"
• Previous message: v b: "Re: Risk metrics"
• Next in thread: vendortrebuchet@comcast.net: "RE: Intrusion Prevention requirements document"
• Maybe reply: vendortrebuchet@comcast.net: "RE: Intrusion Prevention requirements document"
• Maybe reply: Arun Vishwanathan: "RE: Intrusion Prevention requirements document"
• Reply: Sanjay Rawat: "RE: Intrusion Prevention requirements document"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

One of the ways that you could test safely is by using something like
Traffic IQ Pro or a similar product. It is a stateful traffic replay tool
and can be used to test any inline or packet monitoring device.

The product uses two network cards and so the library of over 700 normal and
threat traffic files can be replayed statefully without the need to connect
to a live target system. This allows for live production systems to be
testing for the correct configuration really quickly and easily.

I have been involved in working in this area for a number of years now and
my previous company was Blade Software where I developed IDS Informer and
Firewall Informer to provide similar testing capabilities.

Information on Traffic IQ Pro is available below should you want to take a
look.
http://www.karalon.com/Karalon/TrafficIQ/TrafficIQ.htm

Working with testing labs and a number of security and networking vendors
has enabled Traffic IQ Pro to be a really useful tool for anyone who wants
to check the configuration of their firewalls, IPS, IDS, routers, switches
etc and see how those devices perform under different scenarios.

Tony

Tony Haywood
www.karalon.com

-----Original Message-----
From: vendortrebuchet@comcast.net [mailto:vendortrebuchet@comcast.net]
Sent: 29 October 2005 20:40
To: focus-ids@securityfocus.com
Subject: Re: Intrusion Prevention requirements document

Another question for everyone,
When you brought in each vendor for evaluation, did you configure a test
network for them or did you use your production network? My 1st concern is
keeping my job :o) If I test in production, I could impact production
traffic. If I don't test in production, how can I best ensure that I won't
have problems with custom applictions, older IP stacks which could be an
issue if RFC compliance checks are done, etc.
The vendor answer is always, "don't turn on blocking and just monitor." Is
that a reality? I'd like some testimonials to this and some real life
instances of what has been done from unbiased sources.

Thanks,

VT

> All,
>
> I work on a team that manages signature and behavioral based intrusion
> detection systems today. We have been tasked with reviewing IPS (or
> whatever vendor name acronym you prefer) in '06. Our normal process
> is to put together a base requirements document to weed out vendors in
> the first round through a paper excercise and then bring in the best
> we can identify. My question is, has anyone developed a matrix that
> identifies key qualifiers in an IPS solution (e.g. in-line, fails
> open/closed, reporting features, etc.). If so, could you provide links or
the documents?
>
> If not, what categories are most significant to consider in your
> expert opinions? What reasons did you choose the solution you have?
> What would you consider if you had to choose over again, etc?
>
> Thanks in advance for your responses.
>
> VT
>
> ----------------------------------------------------------------------
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ----------------------------------------------------------------------
> --
>

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Jeroen: "Cisco Secret 5 algorithm?"
• Previous message: v b: "Re: Risk metrics"
• Next in thread: vendortrebuchet@comcast.net: "RE: Intrusion Prevention requirements document"
• Maybe reply: vendortrebuchet@comcast.net: "RE: Intrusion Prevention requirements document"
• Maybe reply: Arun Vishwanathan: "RE: Intrusion Prevention requirements document"
• Reply: Sanjay Rawat: "RE: Intrusion Prevention requirements document"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:08 EDT