June 16th, 2006, 03:52 AM
Simple way to test an IPS device
Let me preclude this discussion by saying that I am fairly new to security. I know the basics but nothing advanced.
Here is the situation: We are currently testing ISS's Proventia GX4002 IPS device on our production corporate network. The device is running in simulation mode, meaning that it is not blocking any traffic but it will tell you what traffic would have been blocked. The device is sitting directly behind our firewall inspecting all traffic in and out of it. There are going to be two other devices that we evaluate as well. ( McAfee and Juniper )
Besides getting a feel for the GUI layout and playing with the settings, I would like to run a simple test against all three of the devices. I want to send it known exploit traffic and see how it reacts. Logging the reaction from all three devices will help in the evaluation.
My question is how can I do this? What is a simple exploit or vulnerability that I send to my network that will pass the firewall and hopefully get logged by the IPS. Maybe something over port 80 to get through the firewall?
Maybe I'll have to send the exploit from a machine on the LAN out. Then I will be hitting the IPS device first before the firewall.
My brain is mush from all this thinking.......
Please set me straight.....
Thanks in advance for the tips....
June 16th, 2006, 04:17 AM
Sounds like a job for metasploit!
Check out the link...
We are a generation without a middle. We have no great war or depression. Our war is a spiritual one, our depression is our lives. We were all raised to believe that we'll all be millionaires and rockstars - But we won't.
And we are slowly learning this fact...And we are VERY pissed off about it!
June 16th, 2006, 02:16 PM
I don't know what your remit or terms of reference are, but I would guess that your first move is familiarisation and confirming compatibility. It sounds as if you have been doing this.
When you start looking at detection and logging I would be inclined to try it without the firewall. After all, it is the IPS you are testing, and that would make things simpler?
I would only try them together as a sort of phase 3 of your testing.
June 17th, 2006, 11:38 AM
Check out the Tomahawk IPS test tool (http://www.tomahawktesttool.org/). Throwing one attack at a time through the IPS is going to let you know if it has the capability to block that specific attack; what you also want, though, is to know that your IPS can block multiple attacks coming at the same time, or 1000 instances of the same attack, etc., and metasploit will not do this on its own.
Using Tomahawk you replay tcpdump captures of attacks and see what happens. So perhaps launch an attack using metasploit, capture it with tcpdump, then replay, and then repeat.
Quis custodiet ipsos custodes
June 18th, 2006, 02:53 PM
Blade Software makes an IDS/IPS testing tool.
However, the most important thing you can do for testing an IPS is full content. Just throwing a packet at the IPS with the exploit in it is pointless. You have to be able to throw full session conversations at it. Use fragroute. Break the attack up across several packets. This is really the only way to truly test an IPS.
Oh, and do this billions of times.
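The two previous posts make the same underlying point from different angles: replaying a single packet tells you little, because a real session arrives as a stream of segments, and an inspector that only looks at one packet at a time can be defeated simply by spreading the content across segment boundaries. The following is an added toy illustration of that detection-side difference; it is not code from this thread, from Tomahawk, fragroute, or any vendor's product. The signature string, the HTTP session, the segment sizes and the delivery order are all constructed here, and only TCP segment reordering and retransmission in one direction are modelled (no IP fragmentation, no target-based reassembly policies).

```python
"""Toy comparison of packet-at-a-time vs stream-reassembling signature inspection.

Added example, constructed for illustration; SIGNATURE is a stand-in for an
IPS content rule and is not a real exploit string.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed signature standing in for an IPS content rule.
SIGNATURE = b"EVIL-PATTERN-123"

# Constructed client-to-server stream with the signature buried in a header.
STREAM = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"X-Test: " + SIGNATURE + b"\r\n\r\n")


@dataclass(frozen=True)
class Segment:
    """One TCP segment of one direction of a session; seq is relative to 0."""
    seq: int
    payload: bytes


def split_stream(data: bytes, size: int, start_seq: int = 0) -> List[Segment]:
    """Cut a byte stream into consecutive segments of at most `size` bytes."""
    return [Segment(start_seq + i, data[i:i + size]) for i in range(0, len(data), size)]


def per_packet_matches(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Packet-at-a-time inspection: each segment is searched on its own."""
    return any(signature in s.payload for s in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild one direction of a TCP stream from reordered or retransmitted
    segments.  Policy: order by seq, keep the first copy of any overlapping
    byte, and refuse to continue across a hole (missing segment)."""
    stream = bytearray()
    next_seq = None
    for s in sorted(segments, key=lambda x: x.seq):
        if next_seq is None:
            next_seq = s.seq
        if s.seq > next_seq:
            raise ValueError(f"hole in stream: expected seq {next_seq}, got {s.seq}")
        fresh = s.payload[next_seq - s.seq:]  # skip bytes already stored
        stream += fresh
        next_seq += len(fresh)
    return bytes(stream)


def stream_matches(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Stream-aware inspection: reassemble first, then search the whole stream."""
    return signature in reassemble(segments)


def evasive_segments() -> List[Segment]:
    """Constructed delivery: 8-byte segments (shorter than the signature),
    sent in reverse order, with one segment retransmitted."""
    segs = split_stream(STREAM, 8)
    segs.reverse()
    segs.append(segs[3])  # duplicate of an already-sent segment
    return segs


def compare() -> dict:
    """How each inspector fares against the same stream delivered two ways.
    Values are (per_packet_result, stream_result)."""
    whole = split_stream(STREAM, 1460)  # the whole request fits in one segment
    split = evasive_segments()
    return {
        "single_segment": (per_packet_matches(whole), stream_matches(whole)),
        "split_reordered": (per_packet_matches(split), stream_matches(split)),
    }


if __name__ == "__main__":
    for name, (naive, reassembled) in compare().items():
        print(f"{name:16} per-packet={naive!s:5} stream={reassembled}")
```

Running it shows the packet-at-a-time inspector flagging the request only when it arrives in one segment, while the reassembling inspector flags both deliveries. The `reassemble` function deliberately raises on a hole rather than guessing, because an inspector that silently skips missing data is exactly what a "1000 instances of the same attack" flood is likely to push it into doing; a replayed capture that was recorded with packet loss will hit this path, so check the capture before drawing conclusions about the device.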