Hi Leea,

Off the top of my head, a couple of other elements that we check on are:

1. Inappropriate tuning - too much. Where certain signatures are tuned out that really shouldn't be, this could easily form an entire topic in its own right and is my pet hate. This could mean that a signature is disabled entirely or the filtered addresses are too broad. My suggestion is for a second set of eyes to validate the tuning within a defined period.
2. Inappropriate tuning - too little. Where the deployment hasn't been tuned and the analysts cannot see the wood for the trees.
3. Effective blocking. Where IPS is deployed, is blocking set correctly, i.e. not too strict so as to affect operations yet strict enough to counter arising threats?
4. Updatedness. How up to date is the deployment and are the update processes solid?
5. Sensor coverage. Are there any gaps in coverage and does the deployment complement a defence in depth solution?
6. Who and/or what is the weakest link?

Good Luck

Andy Cuff
Computer Network Defence Ltd
www.SecurityWizardry.com

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: 30 May 2007 23:45
> To: [email protected]
> Subject: Threats to IDS/IPS deployments
>
> I'm performing a risk assessment for a commercial IPS deployment at my
> place of work. The scope of the assessment is limited to how we
> implemented and deployed the product - not how the product works. Some
> areas that I will be reviewing include authentication and authorization
> to the sensors and management systems, backup of data and configuration
> settings, hardening of the sensors/systems, and best practices such as
> testing signatures prior to installation into production. I apologize if
> this is the wrong place to post. I'm looking for input from this list as
> to current threats against IPS/IDS installations as well as other areas
> to review during my assessment. Thanks!
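One way to automate the second-set-of-eyes check suggested in item 1 of the reply above, flagging signatures disabled outright, filters whose address scope is too broad, and tuning entries with no independent review inside a defined period. This is an added example, not part of the original thread; the record format, the /24 breadth threshold and the 30-day review window are assumptions.

```python
import ipaddress
from datetime import date

# Constructed tuning export; field names are assumptions, not any product's format.
TUNING = [
    {"sid": 1001, "action": "disable", "scope": None, "author": "alice",
     "reviewer": None, "created": date(2007, 3, 1)},
    {"sid": 1002, "action": "filter", "scope": "10.0.0.0/8", "author": "bob",
     "reviewer": "alice", "created": date(2007, 5, 20)},
    {"sid": 1003, "action": "filter", "scope": "192.168.10.15/32", "author": "bob",
     "reviewer": "bob", "created": date(2007, 4, 1)},
    {"sid": 1004, "action": "filter", "scope": "192.168.20.0/28", "author": "alice",
     "reviewer": "carol", "created": date(2007, 5, 25)},
]


def audit_tuning(entries, today, min_prefix=24, review_days=30):
    """Return sorted (sid, finding) pairs for tuning entries that need a second look."""
    findings = []
    for e in entries:
        if e["action"] == "disable":
            # A signature switched off for all traffic always needs a justification.
            findings.append((e["sid"], "disabled-entirely"))
        elif e["action"] == "filter":
            net = ipaddress.ip_network(e["scope"], strict=False)
            # Assumed breadth floors: min_prefix for IPv4, /64 for IPv6.
            floor = min_prefix if net.version == 4 else 64
            if net.prefixlen < floor:
                findings.append((e["sid"], "filter-too-broad"))
        # Review only counts when done by someone other than the author.
        independent = e["reviewer"] and e["reviewer"] != e["author"]
        age_days = (today - e["created"]).days
        if not independent and age_days > review_days:
            findings.append((e["sid"], "review-overdue"))
    return sorted(findings)


if __name__ == "__main__":
    for sid, finding in audit_tuning(TUNING, today=date(2007, 5, 31)):
        print(f"sid {sid}: {finding}")
```
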
