RE: Intrusion Prevention requirements document

From: vendortrebuchet@comcast.net
Date: Sat Nov 05 2005 - 19:41:11 EST


This sounds like a very viable solution that will allow for testing. I assume that it replays both the stimulus and response of any conversation and does not "fingerprint" the packets at any layer with the host OS TCP/IP stack (e.g. change of window size, TTL, etc)? Does the product automatically adapt to replay source and destination traffic based upon reading a libpcap file or do you have to configure the networks per card?

Has anyone else used this or a similar product in their testing or other security product tests? What issues did you encounter?

Thanks for the feedback,
-VT
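The two things asked above, whether the replayer keeps the pcap's own TTL, window and other header fields rather than letting the host's TCP/IP stack rewrite them, and how it works out which card each packet leaves from, are worth checking yourself before trusting any replay against an inline device. The Python below is an added example, not code from this thread and not Traffic IQ Pro's: it builds a small constructed capture, assigns each packet to NIC "A" or "B" from the direction of the first SYN in its flow (the way a two-card stateful replayer has to), and diffs a capture of the replayed traffic against the source pcap to expose fields a replaying host's stack rewrote. The addresses, ports and the "stack rewrite" values are assumptions for illustration.

```python
import struct
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10          # TCP flag bits used below
LINKTYPE_ETHERNET = 1

@dataclass(frozen=True)
class Pkt:
    """Header fields of one TCP segment that matter for replay and fingerprinting."""
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ip_id: int
    df: bool
    flags: int
    window: int

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def build_pcap(pkts):
    """Serialise Pkt records as Ethernet/IPv4/TCP frames in a little-endian pcap.
    Used here only to construct sample input; a real test feeds in a real capture."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for n, p in enumerate(pkts):
        tcp = struct.pack("!HHIIBBHHH", p.sport, p.dport, 0, 0, 5 << 4, p.flags, p.window, 0, 0)
        frag = 0x4000 if p.df else 0                        # DF bit, no fragment offset
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), p.ip_id, frag,
                         p.ttl, 6, 0, _ip(p.src), _ip(p.dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp       # zero MACs, EtherType IPv4
        out.append(struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_pcap(data):
    """Read a little-endian pcap and return a Pkt for every IPv4/TCP frame, in order."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    pkts, off = [], 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue                                        # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        _, _, _, ip_id, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
        if proto != 6:
            continue                                        # not TCP
        sport, dport, _, _, _, flags, window, _, _ = struct.unpack("!HHIIBBHHH", frame[14 + ihl:34 + ihl])
        pkts.append(Pkt(".".join(map(str, src)), sport, ".".join(map(str, dst)), dport,
                        ttl, ip_id, bool(ff & 0x4000), flags, window))
    return pkts

def split_sides(pkts):
    """Decide which NIC replays each packet. Per flow, the endpoint sending the first
    bare SYN is the stimulus side (NIC 'A'); the endpoint answering it is NIC 'B'."""
    initiator, plan = {}, []
    for p in pkts:
        flow = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        if flow not in initiator and (p.flags & (SYN | ACK)) == SYN:
            initiator[flow] = (p.src, p.sport)
        if flow not in initiator:
            raise ValueError(f"flow {sorted(flow)} appears before its SYN; cannot assign a side")
        plan.append("A" if (p.src, p.sport) == initiator[flow] else "B")
    return plan

def fingerprint_diff(original, replayed, fields=("ttl", "ip_id", "df", "window")):
    """Compare a capture taken beyond the replay host with the source pcap. Any field
    that changed was rewritten by the replaying host's own IP stack, so the device
    under test is not seeing the packets the pcap describes."""
    if len(original) != len(replayed):
        raise ValueError("packet counts differ: the replay dropped or added packets")
    return [(i, f, getattr(o, f), getattr(r, f))
            for i, (o, r) in enumerate(zip(original, replayed))
            for f in fields if getattr(o, f) != getattr(r, f)]

def simulate_stack_rewrite(pkts, ttl=64, df=True, window=64240):
    """Constructed 'bad replay' (assumed values): what comes out when a tool pushes the
    pcap through the host's own sockets, so the host's TTL, DF, IP ID and window win."""
    return [Pkt(p.src, p.sport, p.dst, p.dport, ttl, 0x5000 + i, df, p.flags, window)
            for i, p in enumerate(pkts)]

# Constructed sample conversation (not a real capture): 10.0.0.5:40000 probes 10.0.0.9:80.
# The two ends deliberately carry different TTL/DF/window values so a rewrite is visible.
SOURCE = [
    Pkt("10.0.0.5", 40000, "10.0.0.9", 80, 64, 0x1001, True, SYN, 29200),
    Pkt("10.0.0.9", 80, "10.0.0.5", 40000, 128, 0x0001, False, SYN | ACK, 8192),
    Pkt("10.0.0.5", 40000, "10.0.0.9", 80, 64, 0x1002, True, ACK, 29200),
    Pkt("10.0.0.5", 40000, "10.0.0.9", 80, 64, 0x1003, True, PSH | ACK, 29200),
    Pkt("10.0.0.9", 80, "10.0.0.5", 40000, 128, 0x0002, False, PSH | ACK, 8192),
]

if __name__ == "__main__":
    original = parse_pcap(build_pcap(SOURCE))
    print("replay plan:", split_sides(original))            # ['A', 'B', 'A', 'A', 'B']
    good = parse_pcap(build_pcap(SOURCE))                   # raw injection keeps every header
    print("faithful replay diffs:", fingerprint_diff(original, good))   # []
    bad = parse_pcap(build_pcap(simulate_stack_rewrite(SOURCE)))
    for i, field, want, got in fingerprint_diff(original, bad):
        print(f"packet {i}: {field} {want!r} -> {got!r}")
```

In a real evaluation, capture on the far side of the replay host (a span port or a capture box behind the inline device), pass that file to parse_pcap in place of simulate_stack_rewrite, and expect an empty diff list from a replayer that injects at layer 2. Any non-empty result means the IPS was judged against packets that are not the ones in the library, which matters most for exactly the case raised in the thread: signatures or RFC-compliance checks that key on stack-specific values such as TTL, DF or window size.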

> One of the ways that you could test safely is by using something like
> Traffic IQ Pro or a similar product. It is a stateful traffic replay tool
> and can be used to test any inline or packet monitoring device.
>
> The product uses two network cards and so the library of over 700 normal and
> threat traffic files can be replayed statefully without the need to connect
> to a live target system. This allows for live production systems to be
> tested for the correct configuration really quickly and easily.
>
> I have been involved in working in this area for a number of years now and
> my previous company was Blade Software where I developed IDS Informer and
> Firewall Informer to provide similar testing capabilities.
>
> Information on Traffic IQ Pro is available below should you want to take a
> look.
> http://www.karalon.com/Karalon/TrafficIQ/TrafficIQ.htm
>
> Working with testing labs and a number of security and networking vendors
> has enabled Traffic IQ Pro to be a really useful tool for anyone who wants
> to check the configuration of their firewalls, IPS, IDS, routers, switches
> etc and see how those devices perform under different scenarios.
>
> Tony
>
> Tony Haywood
> www.karalon.com
>
>
> -----Original Message-----
> From: vendortrebuchet@comcast.net [mailto:vendortrebuchet@comcast.net]
> Sent: 29 October 2005 20:40
> To: focus-ids@securityfocus.com
> Subject: Re: Intrusion Prevention requirements document
>
> Another question for everyone,
> When you brought in each vendor for evaluation, did you configure a test
> network for them or did you use your production network? My 1st concern is
> keeping my job :o) If I test in production, I could impact production
> traffic. If I don't test in production, how can I best ensure that I won't
> have problems with custom applications, older IP stacks which could be an
> issue if RFC compliance checks are done, etc.
> The vendor answer is always, "don't turn on blocking and just monitor." Is
> that a reality? I'd like some testimonials to this and some real life
> instances of what has been done from unbiased sources.
>
> Thanks,
>
> VT
>
>
> > All,
> >
> > I work on a team that manages signature and behavioral based intrusion
> > detection systems today. We have been tasked with reviewing IPS (or
> > whatever vendor name acronym you prefer) in '06. Our normal process
> > is to put together a base requirements document to weed out vendors in
> > the first round through a paper exercise and then bring in the best
> > we can identify. My question is, has anyone developed a matrix that
> > identifies key qualifiers in an IPS solution (e.g. in-line, fails
> > open/closed, reporting features, etc.). If so, could you provide links or
> > the documents?
> >
> > If not, what categories are most significant to consider in your
> > expert opinions? What reasons did you choose the solution you have?
> > What would you consider if you had to choose over again, etc?
> >
> > Thanks in advance for your responses.
> >
> > VT
> >
> > ----------------------------------------------------------------------
> > --
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > ----------------------------------------------------------------------
> > --
> >
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:08 EDT