RE: newbie questions

THolman@toplayer.com
Date: Fri Jan 14 2005 - 10:26:35 CST


When defining an IPS policy, you would define valid assets within your
network (eg HTTP servers, SMTP servers etc).

You would then define an Acceptable Usage Policy (AUP) for each of these
services, so at L3 - how many TCP connections you should allow to each, what
rate of UDP packets you would allow and so forth?

Then at L4-7 you would take deeper action on the packet content once they
have passed these basic tests - so, are HTTP packets RFC compliant? Do
their headers or payloads contain data that could exploit vulnerabilities?

So - a true IPS will NEVER drop valid traffic as it has passed a series of
acceptable usage tests to ensure it is in no way malicious.

What you need to worry about is whether or not your AUP will ever let
through malicious traffic, rather than your IPS dropping valid traffic,
because if you've defined an AUP properly, then your IPS should NEVER drop
valid traffic.

However, there are a number of IPS devices on the market that will break
AUPs under certain circumstances (usually heavy load) plus also drop valid
traffic - so be careful when choosing an IPS and make sure you ask your
potential IPS vendor exactly how they guarantee that AUPs are fully
resistant under ANY network conditions, and how they ensure that valid
traffic is NEVER dropped (ie 0% packet loss).

Hope this helps!

Regards,

Tim

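The two-stage model described above (defined assets, a per-asset L3 AUP, then L4-7 content checks only on traffic the AUP accepted) as a small added simulation. This is constructed example code, not code from this thread or from any IPS product; the asset addresses, limits, HTTP request-line pattern and traffic records are all made up.

```python
import re
from collections import defaultdict, deque, namedtuple
# Constructed illustration of the two-stage model above; addresses and limits are made up.
ASSETS = {
    "10.0.0.10": {"service": "HTTP", "max_tcp_conns": 2, "max_udp_pps": 0},
    "10.0.0.25": {"service": "DNS", "max_tcp_conns": 0, "max_udp_pps": 3},
}
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")  # RFC 2616
Pkt = namedtuple("Pkt", "t src sport dst proto payload", defaults=[None])  # one flow record

class PolicyEngine:
    def __init__(self, assets):
        self.assets = assets
        self.tcp_open = defaultdict(set)    # asset -> open client (ip, port) pairs
        self.udp_seen = defaultdict(deque)  # asset -> UDP arrival times in the last 1 s

    def aup_check(self, pkt):  # stage 1 (L3): is this within the asset's acceptable usage?
        asset = self.assets.get(pkt.dst)
        if asset is None:
            return "drop: destination is not a defined asset"
        if pkt.proto == "TCP":
            key, conns = (pkt.src, pkt.sport), self.tcp_open[pkt.dst]
            if key not in conns and len(conns) >= asset["max_tcp_conns"]:
                return "drop: TCP connection limit exceeded"
            conns.add(key)
            return "pass"
        window = self.udp_seen[pkt.dst]
        while window and pkt.t - window[0] >= 1.0:  # slide the one-second window
            window.popleft()
        window.append(pkt.t)
        return "pass" if len(window) <= asset["max_udp_pps"] else "drop: UDP rate limit exceeded"

    def evaluate(self, pkt):  # stage 2 (L4-7) only runs on what stage 1 accepted
        verdict = self.aup_check(pkt)
        if verdict == "pass" and self.assets[pkt.dst]["service"] == "HTTP" and pkt.payload:
            if not REQUEST_LINE.match(pkt.payload):
                return "drop: HTTP request line not RFC compliant"
        return verdict

SAMPLE = [  # constructed traffic in arrival order
    Pkt(0.0, "192.0.2.1", 40001, "10.0.0.10", "TCP", "GET /index.html HTTP/1.1\r\n\r\n"),
    Pkt(0.1, "192.0.2.2", 40002, "10.0.0.10", "TCP", "GET / HTTP/1.1\r\n\r\n"),
    Pkt(0.2, "192.0.2.3", 40003, "10.0.0.10", "TCP", "GET / HTTP/1.1\r\n\r\n"),  # third connection
    Pkt(0.3, "192.0.2.1", 40001, "10.0.0.10", "TCP", "GET / HTTP/9.9\r\n\r\n"),  # malformed request
    *[Pkt(1.0 + i * 0.1, "192.0.2.4", 5300, "10.0.0.25", "UDP") for i in range(4)],  # 4 pkts in 1 s
    Pkt(2.5, "192.0.2.4", 5300, "10.0.0.25", "UDP"),  # window has slid, within rate again
]
def verdicts(records=SAMPLE):
    engine = PolicyEngine(ASSETS)
    return [engine.evaluate(p) for p in records]
```

Every drop in the output is attributable to a specific AUP rule, which is the point of the thread: whether valid traffic survives depends on how the AUP was written, not on the IPS being clever.
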
-----Original Message-----
From: Stefano Zanero
To: Scruggs Stephen D SSgt AFWA/SCHS
Cc: Mike Paquette; focus-ids@securityfocus.com
Sent: 12/01/05 14:26
Subject: Re: newbie questions

Scruggs Stephen D SSgt AFWA/SCHS wrote:
> Even if the device has the latest and greatest features and would
> increase our security policy tenfold if we used it, if there was the
> slightest chance it would drop data, we would throw it out immediately.

What you mean, here, is that you will never, ever use an IPS on your
network, since dropping data is exactly what the thing is used for...

Or perhaps what you mean is that you don't want to lose non-attack data
(so, you are looking for zero-false-positive tools). Or perhaps what you
mean is that you don't want to lose packets due to full queues (so, you
are looking for really fast algorithms). Or perhaps both.

In every case, there IS more than the "slightest chance" an IPS will
drop data. It's a distinct possibility: it's what the device is used
for. If the idea is "better not to drop attack packets, because letting
through ALL legitimate packets is so important to us" then you should
just look at other technologies.

Stefano

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------