http://gsandahl.net/2007/11/14/ids-and-ips-systems-and-their-effectiveness-on-penetration-tests/ Random rants on Defensive Security Fri, 04 Jul 2008 14:13:21 +0000 http://wordpress.org/?v=2.2.2 http://gsandahl.net/2007/11/14/ids-and-ips-systems-and-their-effectiveness-on-penetration-tests/#comment-10037 Intrusion Detection and Prevention as threat centric tools | gsandahl.net Mon, 17 Dec 2007 22:31:14 +0000 http://gsandahl.net/2007/11/14/ids-and-ips-systems-and-their-effectiveness-on-penetration-tests/#comment-10037 [...] This kind of threat centric approach is what most Intrusion Prevention technologies lack. Common IPS:s functions as authentication systems without the threat centric part; They block individual attacks but passively lets the intruder keep trying until he crafts an exploit that slips through. Good examples are solutions that correlates alerts with vulnerability information of the target (which ISS does) in order to decide what to block. They forget to question whether the activity itself is acceptable. Just because the webserver runs Apache, all attempts at exploiting it as an IIS is ok? Or just because that perticular vulnerability isn’t present in this version of Apache, the activity is ok? This kind of thinking is, for example, what causes IPS implementation to fail at repelling penetration tests. [...] […] This kind of threat centric approach is what most Intrusion Prevention technologies lack. Common IPS:s functions as authentication systems without the threat centric part; They block individual attacks but passively lets the intruder keep trying until he crafts an exploit that slips through. Good examples are solutions that correlates alerts with vulnerability information of the target (which ISS does) in order to decide what to block. They forget to question whether the activity itself is acceptable. Just because the webserver runs Apache, all attempts at exploiting it as an IIS is ok? Or just because that perticular vulnerability isn’t present in this version of Apache, the activity is ok? This kind of thinking is, for example, what causes IPS implementation to fail at repelling penetration tests. […]

]]> http://gsandahl.net/2007/11/14/ids-and-ips-systems-and-their-effectiveness-on-penetration-tests/#comment-9237 gsandahl.net » Data Leak Prevention as protection from intentional theft or disclosure? Wed, 21 Nov 2007 23:52:30 +0000 http://gsandahl.net/2007/11/14/ids-and-ips-systems-and-their-effectiveness-on-penetration-tests/#comment-9237 [...] The failure to combat these is why some argue that DLP solutions are limited to preventing mistakes, rather than intentional leaks. I suppose issues with credit-card and identity theft is driving companies in investing in these solutions, and the belief that these systems will act as another layer when their intrusion prevention systems fails on them. [...] […] The failure to combat these is why some argue that DLP solutions are limited to preventing mistakes, rather than intentional leaks. I suppose issues with credit-card and identity theft is driving companies in investing in these solutions, and the belief that these systems will act as another layer when their intrusion prevention systems fails on them. […]

]]> http://gsandahl.net/2007/11/14/ids-and-ips-systems-and-their-effectiveness-on-penetration-tests/#comment-9079 gsandahl.net » IPS catch rates as identified by mu Security Thu, 15 Nov 2007 23:02:55 +0000 http://gsandahl.net/2007/11/14/ids-and-ips-systems-and-their-effectiveness-on-penetration-tests/#comment-9079 [...] to yesterdays post entitled IDS and IPS systems and their effectiveness on reppelling penetration tests, Network World recently conducted a review of the prevention-ratio from of IPS:s whom are a part of [...] […] to yesterdays post entitled IDS and IPS systems and their effectiveness on reppelling penetration tests, Network World recently conducted a review of the prevention-ratio from of IPS:s whom are a part of […]

]]>