[unisog] IPS

Jordan Wiens numatrix at ufl.edu
Tue Feb 8 18:43:49 GMT 2005


It mostly depends on how an IPS is configured.  If an IPS is configured to 
block only traffic detected as malicious, it doesn't matter whether the 
packets are spoofed or not; the only blocked ones will be the ones detected as 
malicious.

The IP spoofing issue is often brought up as a downside to IPS, and while 
it's something to consider, it's 1) not really all that common, and 2) not 
that big a deal to make sure you can handle correctly.  For example, only 
enable blocking of remote IPs when the triggered event involves a full TCP 
flow, which isn't easily spoofable, or, as I mentioned above, configure the 
IPS to not do any follow-on blocking, but only block the malicious traffic 
itself.

-- 
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

On Tue, 8 Feb 2005, Dave Ellingsberg wrote:

> One item not discussed is possible DoS against major customers of your
> institution.  If addresses are spoofed in an attack against your
> institution with addresses of your major users, does this cause an
> interruption of service to your major customers?  Has anyone experienced
> this sort of attack against an IPS service?
>
> bigfoot
>
> | Wes,
> |
> | What are your requirements?  IDS or IPS might not be the best
> answer,
> | depending on what you want to do.  Network Based Anomaly Detection
> might
> | better fit the bill, as it did for us (with QRadar).
> |
> | What do you need the tool to do?
> |
> | -Dan
> |
> | _________________
> | Daniel Adinolfi, CISSP
> | Senior Security Engineer, IT Security Office
> | Cornell University - Office of Information Technologies
> | email: dra1 at cornell.edu   phone: 607-255-7657
> |
> | _______________________________________________
> | unisog mailing list
> | unisog at lists.sans.org
> | http://www.dshield.org/mailman/listinfo/unisog
> |
> |
>
> - --
> Wes Young
> Network Security Analyst
> University at Buffalo
> GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFCCL711M5o0FsrrbERAmX8AJ9leC5BNBRmoPJ+hW81jed/H15QrgCgnA3T
> Ef1PqLo4kUXPdCgRcSXc3fc=
> =fdwu
> -----END PGP SIGNATURE-----
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>

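The two response modes Jordan describes (drop only the offending packets, or add a follow-on source block only when the hit came from an established TCP flow) can be written down as a small policy and run against Dave's spoofing scenario. The following is an added illustration, not code from the original thread or from any IPS product: the event fields, the `never_block` list (an extra safeguard I assume here, not something the post proposes) and the sample events using RFC 5737 documentation addresses are all constructed for the example.

```python
"""Toy IPS response policy showing why follow-on source blocking should
require an established TCP flow.  Constructed example, not product code."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Iterable, List, Set


class Mode(Enum):
    DROP_ONLY = "drop_only"        # only the offending packets are dropped
    BLOCK_SOURCE = "block_source"  # the offending source IP is also blocked


class Action(Enum):
    DROP_PACKET = "drop_packet"
    BLOCK_SOURCE = "block_source"


@dataclass(frozen=True)
class Event:
    """One detection event as a sensor would report it (constructed fields)."""
    src_ip: str
    proto: str            # "tcp" or "udp"
    handshake_seen: bool  # True only if the sensor saw the full 3-way handshake
    signature: str


def respond(event: Event, mode: Mode,
            never_block: FrozenSet[str] = frozenset()) -> Set[Action]:
    """Flow-aware policy.  The offending packet is always dropped; a source block
    is added only when blocking is enabled, the event came from a completed TCP
    handshake (an off-path attacker cannot finish one with a spoofed address),
    and the address is not on the never-block list (assumed extra safeguard)."""
    actions = {Action.DROP_PACKET}
    if (mode is Mode.BLOCK_SOURCE
            and event.proto == "tcp"
            and event.handshake_seen
            and event.src_ip not in never_block):
        actions.add(Action.BLOCK_SOURCE)
    return actions


def naive_respond(event: Event, mode: Mode) -> Set[Action]:
    """The policy the thread warns about: block the reported source on any hit,
    regardless of whether the source address could have been spoofed."""
    actions = {Action.DROP_PACKET}
    if mode is Mode.BLOCK_SOURCE:
        actions.add(Action.BLOCK_SOURCE)
    return actions


def simulate(events: Iterable[Event],
             policy: Callable[[Event, Mode], Set[Action]],
             mode: Mode) -> Set[str]:
    """Return the set of source IPs left blocked after processing all events."""
    blocked: Set[str] = set()
    for ev in events:
        if Action.BLOCK_SOURCE in policy(ev, mode):
            blocked.add(ev.src_ip)
    return blocked


# Constructed scenario: an attacker spoofs a major customer's address in
# single-packet probes, while a real attacker uses an established connection.
CUSTOMER = "203.0.113.10"       # RFC 5737 documentation address
REAL_ATTACKER = "198.51.100.77"  # RFC 5737 documentation address
SAMPLE_EVENTS: List[Event] = [
    Event(CUSTOMER, "udp", False, "SNMP brute force"),         # spoofable
    Event(CUSTOMER, "tcp", False, "SYN scan"),                  # spoofed SYN
    Event(REAL_ATTACKER, "tcp", True, "HTTP exploit attempt"),  # full flow
]

if __name__ == "__main__":
    print("naive:", simulate(SAMPLE_EVENTS, naive_respond, Mode.BLOCK_SOURCE))
    print("flow-aware:", simulate(SAMPLE_EVENTS, respond, Mode.BLOCK_SOURCE))
    print("drop-only:", simulate(SAMPLE_EVENTS, respond, Mode.DROP_ONLY))
```

With the naive policy the spoofed UDP and SYN events get the customer's address blocked alongside the real attacker; the flow-aware policy blocks only the address that completed a TCP handshake, and drop-only mode blocks no source at all, which is the "no follow-on blocking" configuration from the post.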