RE: Intrusion Prevention requirements document

From: Arun Vishwanathan (arun.vishwanathan@nevisnetworks.com)
Date: Sun Nov 06 2005 - 00:18:52 EST


Hi VT,

I have used IDSInformer myself for testing and it is a very good
product. There is a similar free tool (but lacks certain features)
called Tomahawk which was released by Tippingpoint some time back.
(http://tomahawk.sourceforge.net/)

The working of these tools is very simple. You have to assign two
interfaces. The tools consider one interface as "client" and other
interface as the "server". The PCAP can be easily split into two parts,
client traffic and server traffic. Consider the following simple packet
sequence (A and B are IP addresses).
       
1. A -> B SYN (client)
2. B -> A SYN-ACK (server)
3. A -> B ACK (client)

Packet 1 is first sent out on client interface. The packet is expected
to arrive on interface 2 within a certain timeout. On receipt of packet
1, packet 2 is sent out on interface 2. Then packet 3 is sent out on
interface 1 on receipt of packet 2 and so on. They make the IDS believe
that it is seeing a real traffic situation.

In informer, you can change the MAC, IPs, Sport, Dport of the packets.
In tomahawk you can only change the IPs at present but if you want to
you can easily modify the code as its very simple. There is no need to
configure any networks on the interfaces etc. Infact the IPs, MACs can
be spoofed because it really doesn't matter.

Tomahawk has one limitation that it cannot test a Layer 3 device because
it lacks support for specifying the source gateway MAC and Destination
gateway MAC. It can test only Layer 2 devices. Informer can be used in
both L2 and L3 situations.

In my opinion, both tools are great. I have used and am using both tools
extensively. Informer also has an evaluation version. You can download
it and try for yourself. For both the tools very little configuration is
required.

Hope I was able to clear some of your doubts.

Regards,
Arun

-----Original Message-----
From: vendortrebuchet@comcast.net [mailto:vendortrebuchet@comcast.net]
Sent: Sunday, November 06, 2005 6:11 AM
To: thaywood@karalon.com; focus-ids@securityfocus.com
Cc: Tony Haywood; pen-test@securityfocus.com
Subject: RE: Intrusion Prevention requirements document

This sounds like a very viable solution that will allow for testing. I
assume that it replays both the stimulus and response of any
conversation and does not "fingerprint" the packets at any layer with
the host OS TCP/IP stack (e.g. change of window size, TTL, etc)? Does
the product automatically adapt to replay source and destination traffic
based upon reading a libpcap file or do you have to configure the
networks per card?

Has anyone else used this or a similar product in their testing or other
security product tests? What issues did you encounter?

Thanks for the feedback,
-VT

> One of the ways that you could test safely is by using something like
> Traffic IQ Pro or a similar product. It is a stateful traffic replay
tool
> and can be used to test any inline or packet monitoring device.
>
> The product uses two network cards and so the library of over 700
normal and
> threat traffic files can be replayed statefully without the need to
connect
> to a live target system. This allows for live production systems to be
> testing for the correct configuration really quickly and easily.
>
> I have been involved in working in this area for a number of years now
and
> my previous company was Blade Software where I developed IDS Informer
and
> Firewall Informer to provide similar testing capabilities.
>
> Information on Traffic IQ Pro is available below should you want to
take a
> look.
> http://www.karalon.com/Karalon/TrafficIQ/TrafficIQ.htm
>
> Working with testing labs and a number of security and networking
vendors
> has enabled Traffic IQ Pro to be a really useful tool for anyone who
wants
> to check the configuration of their firewalls, IPS, IDS, routers,
switches
> etc and see how those devices perform under different scenarios.
>
> Tony
>
> Tony Haywood
> www.karalon.com
>
>
> -----Original Message-----
> From: vendortrebuchet@comcast.net [mailto:vendortrebuchet@comcast.net]

> Sent: 29 October 2005 20:40
> To: focus-ids@securityfocus.com
> Subject: Re: Intrusion Prevention requirements document
>
> Another question for everyone,
> When you brought in each vendor for evaluation, did you configure a
test
> network for them or did you use your production network? My 1st
concern is
> keeping my job :o) If I test in production, I could impact production
> traffic. If I don't test in production, how can I best ensure that I
won't
> have problems with custom applictions, older IP stacks which could be
an
> issue if RFC compliance checks are done, etc.
> The vendor answer is always, "don't turn on blocking and just
monitor." Is
> that a reality? I'd like some testimonials to this and some real
life
> instances of what has been done from unbiased sources.
>
> Thanks,
>
> VT
>
>
> > All,
> >
> > I work on a team that manages signature and behavioral based
intrusion
> > detection systems today. We have been tasked with reviewing IPS (or

> > whatever vendor name acronym you prefer) in '06. Our normal process

> > is to put together a base requirements document to weed out vendors
in
> > the first round through a paper excercise and then bring in the best

> > we can identify. My question is, has anyone developed a matrix that

> > identifies key qualifiers in an IPS solution (e.g. in-line, fails
> > open/closed, reporting features, etc.). If so, could you provide
links or
> the documents?
> >
> > If not, what categories are most significant to consider in your
> > expert opinions? What reasons did you choose the solution you have?

> > What would you consider if you had to choose over again, etc?
> >
> > Thanks in advance for your responses.
> >
> > VT
> >
> >
----------------------------------------------------------------------
> > --
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks
from
> > CORE IMPACT.
> > Go to
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> >
----------------------------------------------------------------------
> > --
> >
>
>
------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
CORE
> IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
>
------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on
your
website. Up to 75% of cyber attacks are launched on shopping carts,
forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before
hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:08 EDT