[email protected] wrote:
Hi,

I'm new to IDS/IPS...

Suppose a company has a large network, which is divided into several 
sub-network segments. Due to finance or staff restrictions, the company could 
only use a limited number of sensors, hence leaving some internal sub-networks 
unmonitored. I guess this is quite common in the real world, right?

So, if I were an inside attacker, I may find out sensor locations (either 
physical or logical locations) by fingerprinting the sensors as discussed in 
some previous threads or whatever tricks. Meaning I will know which sub-networks 
are monitored and which are not, right? So that I can launch attacks on those 
unmonitored network segments without being detected.

Does this sound plausible? And what current IDS/IPS technologies can be used 
against this?

Thanks


You may be able to fingerprint what subnet is not being monitored, however, is the subnet that YOU are on being monitored? In that case you are caught either way.

As for detection of this kind of thing, there are several solutions for that:
<my own company>
RNA -- Real Time Network Awareness
</my own company>

Anomaly detection software and passive awareness software. There are a couple out there.


--
joel esler | Sourcefire
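As an added, defender-side illustration of the two points raised in this thread (which segments have no sensor, and how passive awareness can still flag activity there), here is a small Python sketch. It is not code from the thread or from Sourcefire; the segment map, host inventory and flow records are constructed, and the idea is that flow export from the routers between segments gives a passive view even where no IDS sensor sits.

```python
import ipaddress
from collections import defaultdict

# Constructed segment map (hypothetical addresses): name -> (network, has an IDS sensor?)
SEGMENTS = {
    "dmz":     (ipaddress.ip_network("10.0.1.0/24"), True),
    "servers": (ipaddress.ip_network("10.0.2.0/24"), True),
    "eng-lan": (ipaddress.ip_network("10.0.3.0/24"), False),
    "lab":     (ipaddress.ip_network("10.0.4.0/24"), False),
}

# Constructed passive inventory: hosts already learned per segment (e.g. from DHCP/ARP/flow history)
KNOWN_HOSTS = {"eng-lan": {"10.0.3.10", "10.0.3.11"}, "lab": {"10.0.4.20"}}

# Constructed flow records (src, dst, dst_port) as a router's flow export would provide them
FLOWS = [
    ("10.0.3.10", "10.0.2.5", 443),    # eng-lan -> servers: the sensor on servers sees it
    ("10.0.3.10", "10.0.4.20", 22),    # eng-lan -> lab: both hosts known, no sensor either side
    ("10.0.3.99", "10.0.4.20", 445),   # a host never seen before appears on eng-lan
    ("10.0.3.99", "10.0.4.21", 445),   # ... and reaches a host never seen on lab
    ("10.0.3.10", "203.0.113.7", 53),  # leaves the internal map entirely
]

def coverage_gaps():
    """Segments no sensor covers: the blind spots the thread is worried about."""
    return [name for name, (_, sensored) in SEGMENTS.items() if not sensored]

def segment_of(ip):
    """Name of the segment containing ip, or None if it is off the map."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, (net, _) in SEGMENTS.items() if addr in net), None)

def classify_flow(src, dst):
    """'monitored' if a sensor covers either endpoint's segment, 'blind' if neither, 'external' if off-map."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "external"
    return "monitored" if SEGMENTS[s][1] or SEGMENTS[d][1] else "blind"

def audit(flows, known_hosts):
    """Passive awareness for blind flows: alert on any host not yet in its segment's inventory, then learn it."""
    inventory = defaultdict(set, {seg: set(hosts) for seg, hosts in known_hosts.items()})
    alerts = []
    for src, dst, port in flows:
        if classify_flow(src, dst) != "blind":
            continue
        for ip in (src, dst):
            seg = segment_of(ip)
            if ip not in inventory[seg]:
                alerts.append((ip, seg, port))
                inventory[seg].add(ip)
    return alerts
```

Running `audit(FLOWS, KNOWN_HOSTS)` flags the two previously unseen hosts on the sensorless segments while the known-host lateral flow passes silently, which is exactly the limit of inventory-based awareness: it catches new actors, not known hosts misbehaving.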
