On 6/10/2009 11:24 AM, [email protected] wrote:
> Hi,
>
> I'm new to IDS/IPS...
>
> Suppose a company has a large network, which is divided into several
> sub-network segments. Due to finance or staff restrictions, the company
> could only use a limited number of sensors, hence leaving some internal
> sub-networks unmonitored. I guess this is quite common in the real world, right?
>
> So, if I were an inside attacker, I may find out sensor locations (either
> physical or logical locations) by fingerprinting the sensors as discussed in
> some previous threads or whatever tricks. This means I will know which
> sub-networks are monitored and which are not, right? So I can launch
> attacks on those unmonitored network segments without being detected.
>
> Does this sound plausible? And what current IDS/IPS technologies can be used
> against this?
>
> Thanks

What you describe is very plausible. However, a lot of modern enterprise networks have some sort of other technologies to complement their NIDS (or lack of a NIDS) deployment. These technologies could include:

- netflow/anomaly detection
- web application firewalls
- log analysis tools
- host-based IDSes on servers
- firewalls

So the real question might not be if they have or don't have a NIDS, it might be if anyone in that part of the network is actually looking and monitoring events for insider attacks, worm outbreaks, etc.

Ron Gula
Tenable Network Security
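One way the "netflow/anomaly detection" complement can cover a sensor-less segment, as an added example that is not part of the thread: a small script that keeps a segment inventory (which subnets have a NIDS sensor) and counts, per source host, how many distinct destinations it touches inside the unmonitored subnets, so a sweep of a segment no sensor watches still surfaces from flow data. The segment map, the flow records and the threshold are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed segment inventory (hypothetical): True = a NIDS sensor sees this subnet.
SEGMENTS = {
    ip_network("10.1.0.0/24"): True,
    ip_network("10.2.0.0/24"): False,
    ip_network("10.3.0.0/24"): False,
}

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes).
# 10.1.0.5 touches six hosts in the sensor-less 10.2.0.0/24; the rest are ordinary traffic.
FLOWS = [("10.1.0.5", f"10.2.0.{i}", 445, 1200) for i in range(1, 7)] + [
    ("10.1.0.7", "10.2.0.10", 80, 5400),
    ("10.3.0.2", "10.1.0.20", 22, 8800),
]


def segment_of(addr, segments=SEGMENTS):
    """Return the inventory subnet containing addr, or None if it is not inventoried."""
    ip = ip_address(addr)
    for net in segments:
        if ip in net:
            return net
    return None


def fanout_in_unmonitored(flows, segments=SEGMENTS, threshold=5):
    """Count distinct destinations each source reaches inside sensor-less subnets.

    Returns {src: {subnet: distinct_dst_count}} limited to pairs at or above
    threshold, i.e. sources sweeping a segment where no NIDS would see them.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, _port, _bytes in flows:
        net = segment_of(dst, segments)
        if net is None or segments[net]:
            continue  # destination not inventoried, or a sensor already covers it
        seen[src][str(net)].add(dst)
    return {
        src: {net: len(dsts) for net, dsts in nets.items() if len(dsts) >= threshold}
        for src, nets in seen.items()
        if any(len(dsts) >= threshold for dsts in nets.values())
    }


if __name__ == "__main__":
    for src, nets in fanout_in_unmonitored(FLOWS).items():
        for net, count in nets.items():
            print(f"{src} reached {count} distinct hosts in unmonitored segment {net}")
```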
