In many deployments, the management interfaces are in a different logical zone 
than those interfaces which are actually monitoring vs. inspecting...  So I 
would say that while there is some plausibility to your scenario, it's really in 
the configuration and deployment strategy of the IDS/IPS that allows it to go 
undetected.  In a nutshell, an insider never really knows where the true 
"monitor windows" are without sufficient need to know (operational support 
role...etc.), especially if the IDS is configured to not do reverse DNS lookups, 
as it should be.

Tommy
 

----- Original Message -----
From: [email protected]
To: [email protected]
Sent: Wednesday, June 10, 2009 11:24:44 AM GMT -05:00 US/Canada Eastern
Subject: An insider attack scenario

Hi,

I'm new to IDS/IPS...

Suppose a company has a large network, which is divided into several 
sub-network segments. Due to finance or staff restrictions, the company could 
only use a limited number of sensors, hence leaving some internal sub-networks 
unmonitored. I guess this is quite common in the real world, right?

So, if I were an inside attacker, I may find out sensor locations (either 
physical or logical locations) by fingerprinting the sensors as discussed in 
some previous threads or whatever tricks. This means I will know which sub-networks 
are monitored and which are not, right? So I can launch attacks on those 
unmonitored network segments without being detected.

Does this sound plausible? And what current IDS/IPS technologies can be used 
against this?

Thanks
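Tommy's reply above makes a concrete configuration point: a sensor that performs reverse DNS lookups on the traffic it sees emits PTR queries from its own address, which is one of the ways the "monitor windows" become visible on the wire. The following is an added defender-side audit, not code from either poster or from any IDS product. It parses constructed DNS query-log lines in a BIND-style querylog layout and flags PTR queries whose source falls inside the subnets that sensor monitoring interfaces are supposed to live in; the subnets, addresses and log lines are all hypothetical sample values.

```python
import ipaddress
import re

# Constructed sample: subnets where sensor monitoring interfaces sit (hypothetical).
# A monitoring interface should be passive; any DNS query sourced from here is suspect.
SENSOR_MONITOR_NETS = [
    ipaddress.ip_network("10.0.5.0/24"),
    ipaddress.ip_network("10.0.9.0/24"),
]

# Constructed sample DNS query log in a BIND-like querylog layout (not real logs).
SAMPLE_LOG = """\
10-Jun-2009 11:24:44.101 client 10.0.1.15#51234: query: www.example.com IN A + (10.0.0.53)
10-Jun-2009 11:24:44.215 client 10.0.5.20#41002: query: 7.3.0.10.in-addr.arpa IN PTR + (10.0.0.53)
10-Jun-2009 11:24:45.002 client 10.0.9.7#41003: query: 99.8.0.10.in-addr.arpa IN PTR + (10.0.0.53)
10-Jun-2009 11:24:45.300 client 10.0.1.15#51235: query: 12.0.1.10.in-addr.arpa IN PTR + (10.0.0.53)
10-Jun-2009 11:24:46.010 client 10.0.5.20#41004: query: ntp.example.com IN A + (10.0.0.53)
"""

# Extracts source address, query name and query type from one log line.
LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Return (src, qname, qtype) for a querylog line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("qname"), m.group("qtype")


def ptr_target(qname):
    """Convert a reverse-zone name such as 7.3.0.10.in-addr.arpa into 10.0.3.7.

    Returns None for names that are not IPv4 reverse-zone names.
    """
    suffix = ".in-addr.arpa"
    if not qname.lower().endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def find_sensor_ptr_leaks(log_text, monitor_nets=SENSOR_MONITOR_NETS):
    """List (sensor_src, looked_up_host) pairs for PTR queries sourced from monitor subnets.

    Each hit means a sensor resolved an address it observed, i.e. it is
    configured to do reverse lookups and is announcing itself to the resolver.
    """
    leaks = []
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        src, qname, qtype = parsed
        if qtype.upper() != "PTR":
            continue  # only reverse lookups are the tell-tale here
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed source, skip rather than crash the audit
        if any(src_ip in net for net in monitor_nets):
            leaks.append((src, ptr_target(qname)))
    return leaks


if __name__ == "__main__":
    for src, target in find_sensor_ptr_leaks(SAMPLE_LOG):
        print(f"sensor {src} performed a reverse lookup of {target}")
```

Run against a real resolver's query log, the hits point at the sensors that still have reverse DNS resolution enabled; the fix is on the sensor side (disable name resolution for alerts, or resolve only on the management interface, which Tommy's reply keeps in a separate zone anyway). PTR queries from the non-sensor host 10.0.1.15 in the sample are ignored because only the monitoring subnets are in scope.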