Focus on IDS
An insider attack scenario Jun 10 2009 03:24PM
pamaclark yahoo com (8 replies)
AW: An insider attack scenario Jun 16 2009 09:56AM
Daniel, Akos (a daniel drillisch-telecom de)
Re: An insider attack scenario Jun 11 2009 10:05AM
Nick Besant (lists hwf cc)
Re: An insider attack scenario Jun 10 2009 07:59PM
Todd Haverkos (infosec haverkos com)
Re: An insider attack scenario Jun 10 2009 07:04PM
Tommy May (tommymay comcast net)
Re: An insider attack scenario Jun 10 2009 07:03PM
Joel Esler (eslerj gmail com)
Re: An insider attack scenario Jun 10 2009 05:55PM
Jeremy Bennett (jeremyfb mac com)
An IPS is very valuable both in protecting a DMZ and in protecting
internal assets. However, it is not a panacea. A secure network
topology should include department firewalls separating off subnets
that have different access restrictions and individual hosts should be
secured as well.

So, even if the IPS administrator was your internal attacker he or she
should not be able to gain unauthorized access because other measures
are in place.

To be honest an internal IPS would be one of the last security devices
I would invest in when securing an internal network.

-J

On Jun 10, 2009, at 8:24 AM, pamaclark (at) yahoo (dot) com wrote:

> Hi,
>
> I'm new to IDS/IPS...
>
> Suppose a company has a large network, which is divided into several
> sub-network segments. Due to finance or staff restrictions, the
> company could only use a limited number of sensors, hence leave some
> internal sub-networks unmonitored. I guess this is quite common in
> real world right?
>
> So, if I were an inside attacker, I may find out sensor locations
> (either physical or logical locations) by fingerprinting the sensors
> as discussed in some previous threads or whatever tricks. Means I
> will know which sub-networks are monitored and others are not,
> right? So that I can launch attacks to those unmonitored network
> segments without being detected.
>
> Does this sound plausible? And what current IDS/IPS technologies can
> be used against this?
>
> Thanks
>
>

Re: An insider attack scenario Jun 10 2009 05:46PM
Ron Gula (rgula tenablesecurity com)
Re: An insider attack scenario Jun 10 2009 05:12PM
Thrynn (thrynn404 gmail com)


 

Copyright 2010, SecurityFocus