Doug... I faced a similar problem when I tested the UnityOne. My observations below may help to clarify some of your questions: 1) For infrastructure protection... put the IPS in front of the firewall (internet-side). 2) Many events are by default configured as notify-only, some are block+notify and some are block-only. 3) The ones that are notify have different "levels" of notifying. I can't remember exactly what they are called but in essence some will show up as stats only, and some will have full block details associated with them. 4) TP swears that they are blocking the vulnerability itself and thus LanGuard scans don't actually trip the vulnerability. We never came to a consensus on this one. The standard PHF string contains the basis of the buffer overflow exploit no matter what you change in the attack string... TP did not out of the box catch it. Actually... I don't remember if it ever did stop the PHF's that I threw at it. My sniffers on the other side of UnityOne recorded the full attack and by exploit went through untouched. I basically use the PHF signature the same way the anti-virus world uses the EICAR file... to test to make sure the anti-virus is working.
I hope someone from TP can help to clarify why they think LanGuard doesn't give accurate results against their product (i.e. is not detected) but other products do detect it. -Aseeker --- Doug Fox <[EMAIL PROTECTED]> wrote: > I'm sorry for this dumb question, which may have > been answered many times. > > Where should one place an TippingPoint Unity 50 IPS > device? Behind or in > front of a firewall? > > I have a/the TippingPoint behind a Check Point > firewall. Even though we > externally and internally port-scanned the firewall > and the IPS many times, > the activity log did not contain any record of the > "attacks". > > What am I missing here? Any pointers are > appreciated. > > Thanks, > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > > to learn more. > ------------------------------------------------------------------------ > > Send instant messages to your online friends http://uk.messenger.yahoo.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
