Those tools will see what you do. And if the Firewalls and IPS and HIPS and NAC cooperate with a SIM/SIEM* than you 'have to run'! :-)
My example from the future:
1. The switch realise a new port activated -> sign it to SIM
2. The NAC realise your scan (or any unusual things) from the newly opened port -> sign it to SIM
3. The HIPS on host realises the scan (or any unusual things) as well -> sign it to SIM and to the Firewall
4. Firewall reacts and denies any traffic that goes through with your IP -> you may sign it
5. In the NOC** the SIM GUI is opened on a monitor and on the left corner of this monitor a camera display - from the room where the port is patched - appears
6. The camera sees you, the security guard get a phone call from NOC
7. I wake up from my sweet dreams :-)
-----Ursprüngliche Nachricht-----
Von: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] Im Auftrag von pamaclark (at) yahoo (dot) com [email concealed]
Gesendet: Mittwoch, 10. Juni 2009 17:25
An: focus-ids (at) securityfocus (dot) com [email concealed]
Betreff: An insider attack scenario
Hi,
I'm new to IDS/IPS...
Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staffs restrictions, the company could only use a limited number of sensors, hence leave some internal sub-networks unmonitored. I guess this is quite common in real world right?
So, if I were an inside attacker, I may find out sensor locations (either physical of logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. Means I will know which sub-networks are monitored and others are not, right? So that I can launch attacks to those unmonitored network segments without being detected.
Does this sound plausible? And what current IDS/IPS technologies can be used to against this?
Have you heard about NAC and HIPS?
http://en.wikipedia.org/wiki/Network_Access_Control
http://en.wikipedia.org/wiki/Host_based_intrusion_detection_system
Those tools will see what you do. And if the Firewalls and IPS and HIPS and NAC cooperate with a SIM/SIEM* than you 'have to run'! :-)
My example from the future:
1. The switch realise a new port activated -> sign it to SIM
2. The NAC realise your scan (or any unusual things) from the newly opened port -> sign it to SIM
3. The HIPS on host realises the scan (or any unusual things) as well -> sign it to SIM and to the Firewall
4. Firewall reacts and denies any traffic that goes through with your IP -> you may sign it
5. In the NOC** the SIM GUI is opened on a monitor and on the left corner of this monitor a camera display - from the room where the port is patched - appears
6. The camera sees you, the security guard get a phone call from NOC
7. I wake up from my sweet dreams :-)
*SIM:
http://en.wikipedia.org/wiki/Computer_security_incident_management
**NOC:
http://en.wikipedia.org/wiki/Network_operations_center
Cheers,
Akos
-----Ursprüngliche Nachricht-----
Von: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] Im Auftrag von pamaclark (at) yahoo (dot) com [email concealed]
Gesendet: Mittwoch, 10. Juni 2009 17:25
An: focus-ids (at) securityfocus (dot) com [email concealed]
Betreff: An insider attack scenario
Hi,
I'm new to IDS/IPS...
Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staffs restrictions, the company could only use a limited number of sensors, hence leave some internal sub-networks unmonitored. I guess this is quite common in real world right?
So, if I were an inside attacker, I may find out sensor locations (either physical of logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. Means I will know which sub-networks are monitored and others are not, right? So that I can launch attacks to those unmonitored network segments without being detected.
Does this sound plausible? And what current IDS/IPS technologies can be used to against this?
Thanks
[ reply ]