At 01:27 PM 2/12/01 -0500, Michael T. Babcock wrote:
I just said 'good logging'. Your definition of 'good' is up to you.
Packet logging should record all network activity that is on the wire, with
the ability to gzip or rotate through a set of named files.
> 2. Hack utilities - where does one receive corporate support for hack
> utilities, unless you pay for them (i.e. L0phtcrack, ISS Security Scanner,
> Cybercop, Retina, Nessus and on and on).. Those type of hack utilities may
> or may not test for all the cgi-bin/phf variations, some IDS may not
> detect either.
To know whether your IDS actually detects current exploits, you need to be
both aware of the current exploits and either know how to test them against
your IDS or know that someone else has. This is where a good mailing list
about vulnerability testing comes in handy (like the discussion forums for
Snort).
Vulnerability testing varies from one organization to another; some
organizations even bring in unqualified (or sometimes qualified) security
auditors to conduct a security footprint or risk assessment, throwing attack
scripts that they know about at the IDS system. Unless the IT staff are
dedicated to researching and keeping the tools up to date (in most cases this
is not the case), they just have a different set of auditors come back the
following year.
> 3. Unless you're a whiz at crafting malicious or varying sized packets
> loaded with exploits, etc
... or you have a security company whom you trust monitor and keep your IDS
up to date for you. (Entirely new issue there ...)
Actually, that is correct: entirely old and new issue there. There are
companies that will offer a Managed Service Provider type service, usually
staffed with a couple of trophies and then lined with a lot of off-the-street
or 1 or 2 years experienced hands. The cheaper, the better the profit margin
from those outrageously high prices they try to gouge customers with.
> 4. What about application testing tools, what QoS, etc, etc.
> Organizations are looking at IDS to be able to handle lots and lots of
> traffic, typical hack utilities do not test for that
It's not that hard to get a series of replayable logs from something like
Snort or tcpdump that you can throw at your network over and over and over
again as fast as you can ...
It is not the fact of playing back Snort or tcpdump recorded traffic, but the
need for such tools becomes painfully clear when organizations constantly
hear from their high-priced security auditors Bill and Malcolm: "We use a
combination of commercial and cobbled together freely available tools."
Corporations just eat that up, and in some cases seek a more reputable
service company that uses a single commercially available tool which the
corporation can go out and purchase.
It isn't about how fast you replay the packets over the wire, but how the
packets are generated. If they are one continuous loop with variations to
trigger, that's not really a good way to conduct QA, especially when one
might have to test this, that or the other thing.