[email protected] wrote:
> Hi,
>
> I'm new to IDS/IPS...
>
> Suppose a company has a large network, which is divided into several
> sub-network segments. Due to finance or staff restrictions, the company
> could only use a limited number of sensors, hence leaving some internal
> sub-networks unmonitored. I guess this is quite common in the real world, right?
>

Not many organisations have spent money (or committed time) on monitoring their internal networks other than for basic availability (e.g. disk space, CPU load). Of those that have, experience suggests that the majority haven't dedicated enough time to understanding the nature of the network activity inside their network to make monitoring efficient against anything but loud, obvious attacks or things that can be correlated against out-of-the-box.

> So, if I were an inside attacker, I may find out sensor locations (either
> physical or logical locations) by fingerprinting the sensors as discussed in
> some previous threads or whatever tricks. Means I will know which
> sub-networks are monitored and others are not, right? So that I can launch
> attacks to those unmonitored network segments without being detected.
>
> Does this sound plausible? And what current IDS/IPS technologies can be used
> against this?
>
> Thanks
>

As suggested in an earlier reply, if you know where the sensors are, you can flood them with traffic or run at a rate below their threshold. However, you're probably going to find that they're just looking for known virus or other malware-based activity. If you are an insider with knowledge of the system, the likelihood is that you will be targeting your attack and will remain below the radar.

Some of this can be mitigated by designing the security solutions by assessing risk prior to deciding on a monitoring solution. If you assume that an attacker can be inside or outside your perimeter, you can start to address the risks accordingly; pick your favourite mix of solutions that include IDS/IPS, SIEM, etc. *as well as* a good set of audited policy statements.

Regards,
Nick Besant
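Added illustration, not part of the thread above: the reply's two points, that an attacker who knows a sensor's threshold can stay below it, and that monitoring is only useful once you understand and correlate internal activity over time, can be shown with a tiny detector run over a constructed connection log. The log, the host addresses and the two detector settings are all made up for this example. The same "distinct destinations per source" rule is evaluated twice: over a 60-second window, which is what a naive sensor threshold looks like, and over a one-hour window, which is the kind of longer-baseline correlation a SIEM would do. The host that sweeps thirty addresses one every 90 seconds is invisible to the first and caught by the second, while the normal workstation that keeps talking to its three servers is flagged by neither.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Constructed sample data (synthetic, not real traffic) -----------------
T0 = datetime(2024, 1, 1, 9, 0, 0)


def make_events():
    """Build a small constructed connection log of (timestamp, src_ip, dst_ip)."""
    events = []
    # Benign: a workstation repeatedly talking to the same three internal servers.
    for i in range(120):
        events.append((T0 + timedelta(seconds=30 * i), "10.0.1.20", f"10.0.0.{1 + i % 3}"))
    # Fast sweep: one host contacts 30 different hosts within 30 seconds.
    for i in range(30):
        events.append((T0 + timedelta(seconds=i), "10.0.2.50", f"10.0.5.{i + 1}"))
    # Low-and-slow sweep: 30 different hosts, one every 90 seconds (about 45 minutes).
    for i in range(30):
        events.append((T0 + timedelta(seconds=90 * i), "10.0.3.77", f"10.0.6.{i + 1}"))
    events.sort(key=lambda e: e[0])
    return events


def distinct_dest_alerts(events, window, threshold):
    """Return the set of sources that contacted more than `threshold` distinct
    destinations inside any sliding time `window`.  Events must be time-sorted."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) still inside the window
    alerted = set()
    for ts, src, dst in events:
        q = recent[src]
        q.append((ts, dst))
        # Drop entries that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({d for _, d in q}) > threshold:
            alerted.add(src)
    return alerted


def run_comparison(events=None):
    """Run the same rule with a short sensor-style window and a long SIEM-style window."""
    events = make_events() if events is None else events
    return {
        # A typical per-sensor threshold: more than 5 new destinations in a minute.
        "burst_60s": distinct_dest_alerts(events, timedelta(seconds=60), 5),
        # Correlation over a longer baseline: more than 20 distinct destinations in an hour.
        "hourly_20": distinct_dest_alerts(events, timedelta(hours=1), 20),
    }


if __name__ == "__main__":
    for name, hits in run_comparison().items():
        print(f"{name}: {sorted(hits)}")
```

The short window flags only 10.0.2.50; the hourly window flags both sweeping hosts and still leaves the benign workstation alone. The thresholds themselves are arbitrary here; in practice they come from measuring how many distinct destinations each class of host normally touches, which is exactly the "understanding the nature of the network activity" step the reply says most organisations skip.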
