Slide 1: Validating Intrusion Prevention Systems

Slide 2: Why Validate IPS Resiliency?
  • Product comparison
    – Objective
    – Realistic yet repeatable
    – Qualitative
    – Deterministic
  • Understand the impact of upgrades
    – Impact on performance
    – Impact on security
    – Impact on other devices
  • Understand the impact of various loads on various functions of the device
    – High data rate
    – High session setup rate
    – High concurrent session level

Slide 3: Why Care About “Difficult Conditions”?
  • What is your load? Peak load is your MOST important load; figure it out and test with it.
  • The network is ever changing
    – YouTube was introduced 3 years ago and now makes up 28% of Internet traffic (T-Mobile).
    – The average HTTP transaction went from 450 bytes to more than a megabyte.
    – New applications are introduced EVERY day.
  • It is dangerous out there: thousands of vulnerabilities & strikes, MORE introduced each day.
  • Traditional tools are insufficient: hard to use, not powerful enough, non-realistic traffic and rarely up to date.

Slide 4: How to Validate IPS Resiliency
  • Static content is necessary but insufficient
    – Not just HTTP, but Flash over HTTP. Not just SMTP, but IMAP, POP3, Gmail and Hotmail.
  • Use the worst case scenario for sessions
    – Find out the maximum number of sessions ever and double it.
  • Run every Microsoft attack from the last 3 years
    – You are using mostly Microsoft; are you sure every server is patched?
    – Your IPS should block 100% of the attacks.
  • Run every security strike you can get your hands on
    – The more the better.
    – Keep up to date on the latest strikes.
  • Simulate evasions, obfuscation, DDoS, botnets…

Slide 5: BreakingPoint IPS Validation
  • Realism: Blended application traffic combined with live obfuscated attacks.
  • Future-proof: The most current application protocols (P2P, Mail Services, Voice/Video, etc.) and all known security vulnerabilities.
  • Performance: Line-rate traffic generation.
  • Capacity: Millions of concurrent TCP sessions.
  • Ease-of-use: All-in-one automated system, built-in traffic profiles, scalable and flexible.

Slide 6: BreakingPoint Systems
  • Download IPS Test Methodology: http://www.breakingpointsystems.com/resources/testmethodologies
  • Join the conversation: www.breakingpointlabs.com
  • Request a demonstration: http://www.breakingpointsystems.com/demo
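Slide 4 sets the bar (every strike blocked, worst-case session count taken as twice the historical peak) and slide 2 asks how detection holds up under different loads. The following is an added example, not BreakingPoint's code or any real product's log format: it scores a constructed event log per load level so that a device that blocks everything at idle but misses strikes or blocks legitimate flows at peak load is visible as a failure. The flow identifiers, load-level names and log layout are all constructed for the example.

```python
import re

# Constructed event log (not output of any real IPS or test tool): each line is
# "<load-level> <verdict> <flow-id>", where BLOCK means the flow never reached
# the receive side of the test and PASS means it was delivered.
SAMPLE_EVENTS = """\
idle BLOCK strike-0001
idle BLOCK strike-0002
idle PASS  benign-web-01
idle PASS  benign-mail-01
peak BLOCK strike-0001
peak PASS  strike-0002
peak BLOCK benign-web-01
peak PASS  benign-mail-01
"""

# What the test harness actually sent (constructed IDs).
STRIKES_SENT = {"strike-0001", "strike-0002"}
BENIGN_SENT = {"benign-web-01", "benign-mail-01"}

EVENT_RE = re.compile(r"^(?P<load>\S+)\s+(?P<verdict>BLOCK|PASS)\s+(?P<flow>\S+)$")


def parse_events(text):
    """Return {load_level: {flow_id: verdict}}; malformed lines are skipped."""
    by_load = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        by_load.setdefault(m["load"], {})[m["flow"]] = m["verdict"]
    return by_load


def score_load_level(verdicts, strikes, benign):
    """Score one load level against the slide's bar: every strike blocked and
    no legitimate flow blocked. A strike with no recorded verdict is counted
    as missed rather than assumed blocked."""
    missed = sorted(s for s in strikes if verdicts.get(s) != "BLOCK")          # false negatives
    false_positives = sorted(b for b in benign if verdicts.get(b) == "BLOCK")  # blocked legit flows
    return {
        "block_rate": (len(strikes) - len(missed)) / len(strikes),
        "missed": missed,
        "false_positives": false_positives,
        "pass": not missed and not false_positives,
    }


def score_run(text, strikes=STRIKES_SENT, benign=BENIGN_SENT):
    """Score every load level found in the log so degradation under load stands out."""
    return {load: score_load_level(v, strikes, benign) for load, v in parse_events(text).items()}


def worst_case_sessions(peak_sessions_observed):
    """Slide 4's sizing rule: take the highest concurrent-session count ever seen and double it."""
    return 2 * peak_sessions_observed


if __name__ == "__main__":
    for load, result in score_run(SAMPLE_EVENTS).items():
        print(load, "PASS" if result["pass"] else "FAIL", result)
```

In the constructed log the device is clean at idle but, at peak load, lets strike-0002 through and blocks benign-web-01, which is exactly the kind of load-dependent change in both false negatives and false positives the notes say to look for. Treating an unrecorded strike as a miss is deliberate: a verdict that was never logged should be a finding, not a silent pass.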

Evaluating Intrusion Prevention Systems with IPS Testing


Editor's Notes

  • #3 It’s no secret that product capabilities and performance numbers are promoted using best-case traffic conditions, conditions rarely seen in the real world. Yet IPS devices’ performance and capabilities will vary widely based on the traffic encountered in your network. Deploying a new or updated IPS without validating for resiliency is a surefire way to introduce vulnerabilities into your hardened critical infrastructure. There are several reasons for validating Intrusion Prevention Systems using BreakingPoint. First is to perform an “apples to apples” comparison between several devices to find the one that best meets the requirements of a particular application. The data derived from any test must be objective, realistic and repeatable, qualitative, and deterministic. PRNG plays a critical role in ensuring accurate results from product bakeoffs because it allows buyers to level the playing field with randomly generated yet repeatable traffic. But this is only part of the value of PRNG. It also eliminates the possibility that devices under test can be programmed to recognize and react to codes embedded in test traffic. One example is traditional testing products that brand their exploits with trademarks or other recognizable content. Vendors can easily exploit this by programming their products to recognize the branding and trigger filters, and so pass product validation with ease. While it may appear that these products are working as promised, this is no indication that the equipment is capable of recognizing and filtering real security attacks in a production network. It is an artificial technique used to demonstrate capabilities, and it provides a false sense of security. Then there is resiliency testing to validate devices before deploying them into hardened IT infrastructures. Organizations should look for the appropriate resiliency score when purchasing, or validate resiliency by conducting realistic and thorough product evaluations, to mitigate the risk of changes to networks, improve performance and security coverage, and reduce costs. The third purpose of testing is to understand the impact an upgrade will have on an IPS already deployed in the network. Updates are notorious for changing the performance characteristics of a device: it is possible that an improvement in security detection will affect the throughput or latency of a device. Finally, it is important to understand the impact of various loads (e.g., high data rate, high session setup rate, and high concurrent session level) on various functions of the device. Most interesting would probably be the impact on the accuracy of attack detection (both false positives and false negatives). Management interface responsiveness, reporting, and other functions may be impacted as well. In each instance, real network traffic simulation at increasingly high performance levels is key to validating today’s IPSs before deploying them into hardened infrastructures.
  • #4 In reality, difficult conditions are simply the traffic your IPS is going to see on a daily basis. If not today, certainly tomorrow.
  • #5 Static content is necessary but insufficient
    – Protocol changes between applications
    – Changes affect data rates
    – Security attacks are dynamic by nature
    – Security attacks are intentionally evasive – many Intrusion Prevention Systems (IPS) cannot detect evasions
    Traditional techniques present challenges
    – Ever changing real exploits and targets
    – Large labs, massive hardware, and expensive software to scale to today’s performance requirements
    – PCAPs and synthetic traffic not effective
    – Designed for shells, not testing
  • #6 There are several reasons for validating Intrusion Prevention Systems using BreakingPoint. First is to perform an “apples to apples” comparison between several devices to find the one that best meets the requirements of a particular application. The data derived from any test must be objective, realistic and repeatable, qualitative, and deterministic. PRNG plays a critical role in ensuring accurate results from product bakeoffs because it allows buyers to level the playing field with randomly generated yet repeatable traffic. But this is only part of the value of PRNG. It also eliminates the possibility that devices under test can be programmed to recognize and react to codes embedded in test traffic. One example is traditional testing products that brand their exploits with trademarks or other recognizable content. This is no indication that the equipment is capable of recognizing and filtering real security attacks in a production network. It is an artificial technique used to demonstrate capabilities, and it provides a false sense of security.
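Notes #3 and #6 both make the same two claims about seeded pseudo-random test traffic: the same seed must reproduce the same traffic (so a bakeoff is repeatable), and the traffic must carry no constant "brand" that a device under test could be tuned to recognize. The following is an added example, not BreakingPoint's generator or any real tool's output: a seeded generator next to a constructed stand-in for a branded tool, and a check that searches a set of payloads for any substring common to all of them. The tag string, payload sizes and seeds are constructed for the example.

```python
import random

MIN_MARKER_LEN = 8  # shortest shared substring treated as a recognizable "brand"


def seeded_payloads(seed, count=8, length=64):
    """Pseudo-random payloads: the same seed yields the same byte streams on
    every run, a different seed yields different streams, and nothing constant
    is stamped into them."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(length)) for _ in range(count)]


def branded_payloads(seed, count=8, length=64, tag=b"VENDOR-TAG-1234"):
    """Constructed stand-in for a 'branded' test tool: the same randomness, but a
    constant tag is written into every payload at a random offset. A device
    tuned to match the tag would 'block' all of these without understanding
    the traffic at all."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        body = bytearray(rng.getrandbits(8) for _ in range(length))
        off = rng.randrange(0, length - len(tag))
        body[off:off + len(tag)] = tag
        out.append(bytes(body))
    return out


def shared_marker(payloads, min_len=MIN_MARKER_LEN):
    """Return the longest substring of at least min_len bytes that appears in
    every payload, or None. Longest candidates are tried first, so a stamped
    tag is returned whole."""
    first, rest = payloads[0], payloads[1:]
    for size in range(len(first), min_len - 1, -1):
        for i in range(len(first) - size + 1):
            sub = first[i:i + size]
            if all(sub in p for p in rest):
                return sub
    return None


def is_repeatable(generator, seed):
    """Two independent runs with the same seed must produce identical traffic."""
    return generator(seed) == generator(seed)


if __name__ == "__main__":
    print("seeded repeatable:", is_repeatable(seeded_payloads, 7))
    print("seeded marker:", shared_marker(seeded_payloads(7)))
    print("branded marker:", shared_marker(branded_payloads(7)))
```

Repeatability and randomness are not in tension here: `random.Random(seed)` makes the stream fully determined by the seed, so two vendors' devices can be fed byte-identical traffic, while the absence of any shared substring is what denies a device the shortcut the notes describe.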