This sounds like a very viable solution that will allow for testing. I assume that it replays both the stimulus and response of any conversation and does not "fingerprint" the packets at any layer with the host OS TCP/IP stack (e.g., change of window size, TTL, etc.)? Does the product automatically adapt to replay source and destination traffic based upon reading a libpcap file, or do you have to configure the networks per card?
Has anyone else used this or a similar product in their testing or other security product tests? What issues did you encounter?

Thanks for the feedback,

-VT

> One of the ways that you could test safely is by using something like
> Traffic IQ Pro or a similar product. It is a stateful traffic replay tool
> and can be used to test any inline or packet monitoring device.
>
> The product uses two network cards and so the library of over 700 normal and
> threat traffic files can be replayed statefully without the need to connect
> to a live target system. This allows for live production systems to be
> tested for the correct configuration really quickly and easily.
>
> I have been involved in working in this area for a number of years now and
> my previous company was Blade Software where I developed IDS Informer and
> Firewall Informer to provide similar testing capabilities.
>
> Information on Traffic IQ Pro is available below should you want to take a
> look.
> http://www.karalon.com/Karalon/TrafficIQ/TrafficIQ.htm
>
> Working with testing labs and a number of security and networking vendors
> has enabled Traffic IQ Pro to be a really useful tool for anyone who wants
> to check the configuration of their firewalls, IPS, IDS, routers, switches
> etc and see how those devices perform under different scenarios.
>
> Tony
>
> Tony Haywood
> www.karalon.com
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 29 October 2005 20:40
> To: [email protected]
> Subject: Re: Intrusion Prevention requirements document
>
> Another question for everyone,
> When you brought in each vendor for evaluation, did you configure a test
> network for them or did you use your production network? My 1st concern is
> keeping my job :o) If I test in production, I could impact production
> traffic. If I don't test in production, how can I best ensure that I won't
> have problems with custom applications, older IP stacks which could be an
> issue if RFC compliance checks are done, etc.
> The vendor answer is always, "don't turn on blocking and just monitor." Is
> that a reality? I'd like some testimonials to this and some real life
> instances of what has been done from unbiased sources.
>
> Thanks,
>
> VT
>
>
> > All,
> >
> > I work on a team that manages signature and behavioral based intrusion
> > detection systems today. We have been tasked with reviewing IPS (or
> > whatever vendor name acronym you prefer) in '06. Our normal process
> > is to put together a base requirements document to weed out vendors in
> > the first round through a paper exercise and then bring in the best
> > we can identify. My question is, has anyone developed a matrix that
> > identifies key qualifiers in an IPS solution (e.g. in-line, fails
> > open/closed, reporting features, etc.). If so, could you provide links or
> > the documents?
> >
> > If not, what categories are most significant to consider in your
> > expert opinions? What reasons did you choose the solution you have?
> > What would you consider if you had to choose over again, etc?
> >
> > Thanks in advance for your responses.
> >
> > VT
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > ------------------------------------------------------------------------
