
Open Source IPS Testing Tool

Status
Not open for further replies.

Windexx
Technical User
Dec 18, 2003
For those that have to review IPS solutions, this may help tremendously. I have not used this, so I cannot comment on it at this point, but I found it very interesting (and free). If anyone has used it, please comment.

Cheers

---------------------------------------------------

OPEN-SOURCE IPS TESTING TOOL RELEASED
Free tool can gauge effectiveness, performance of IPS devices.
By Victor R. Garza, Contributing Writer

Ever wanted to know how effective a network-based intrusion
prevention system (IPS) appliance was before putting it into
production? Or, if you have them now, how well yours is doing?

TippingPoint, an IPS vendor, is the first to make an IPS testing tool
freely available for testing any IPS or intrusion detection system
(IDS). Available via open source, the tool, called Tomahawk, was
recently announced and is currently available for download at

"TippingPoint is contributing Tomahawk to the public to make IPS
testing easier and more affordable for end users," TippingPoint's CTO
Marc Willebeek-LeMair said in a statement.

While IDS products simply notify administrators to potentially
harmful or malicious network traffic, IPS devices work inline with
the traffic and drop malicious or unwanted packets.

Determining effectiveness of IDS or IPS devices is difficult, as
these network devices usually operate as black boxes, detecting
malicious network actions based on rule sets or anomaly-based
behaviors on the network.

Testing performance characteristics of IPS devices, while secondary
to effectiveness, is still important. If traffic that passes through
an IPS exceeds the device threshold, does it let malicious traffic
onto the internal network? Another concern is the level of false
positives. Because there's also the potential for blocking legitimate
traffic, default settings on most IPSes err on the side of letting
malicious traffic onto the network instead of accidentally stopping
legitimate traffic.

Tomahawk can be leveraged to ensure that IPS devices are working as
advertised. Requiring a dedicated server with three network
interfaces, the traffic capture component of Tomahawk "is like
TCP-Replay on steroids," said Tomahawk author Brian Smith, who's
TippingPoint's director of advanced solutions. He also alluded to
Tomahawk's ability to mix and replay a variety of real-world traffic
through the IPS undergoing testing.

While Tomahawk has been in testing and deployment at TippingPoint
since 2002, it has only been recently released to the public. Being
open source, Tomahawk has the potential to be a sort of self-imposed
monitor for testing IPS devices -- allowing other IDS and IPS vendors
to take up the torch and "potentially use Tomahawk to make an
industry benchmark for these types of network and security devices,"
said Smith.
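An added example, not part of this thread and not Tomahawk's own code, of how the outcomes of replay runs like the ones the article describes can be summarised per offered-load level: detection rate on malicious captures, false-positive rate on benign ones, and the first load at which the device starts failing open (letting attacks through). The record layout and all sample data are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ReplayResult:
    """One replayed capture: offered load, ground truth, and what the IPS did."""
    load_mbps: int    # offered load during the replay run
    malicious: bool   # ground truth label for the replayed capture
    blocked: bool     # True if the IPS dropped the flow


def _runs(load, n_mal, mal_blocked, n_ben, ben_blocked):
    """Build constructed results for one load level (hypothetical data)."""
    rows = [ReplayResult(load, True, i < mal_blocked) for i in range(n_mal)]
    rows += [ReplayResult(load, False, i < ben_blocked) for i in range(n_ben)]
    return rows


# Constructed sample: at 900 Mbps the device begins letting attacks through.
SAMPLE = (_runs(100, 10, 10, 10, 0)
          + _runs(500, 10, 10, 10, 1)
          + _runs(900, 10, 6, 10, 0))


def summarize(results):
    """Return {load_mbps: {"detection_rate": x, "false_positive_rate": y}}."""
    buckets = defaultdict(lambda: {"mal": 0, "mal_blk": 0, "ben": 0, "ben_blk": 0})
    for r in results:
        b = buckets[r.load_mbps]
        if r.malicious:
            b["mal"] += 1
            b["mal_blk"] += int(r.blocked)      # true positive
        else:
            b["ben"] += 1
            b["ben_blk"] += int(r.blocked)      # false positive
    out = {}
    for load, b in sorted(buckets.items()):
        out[load] = {
            "detection_rate": b["mal_blk"] / b["mal"] if b["mal"] else None,
            "false_positive_rate": b["ben_blk"] / b["ben"] if b["ben"] else None,
        }
    return out


def fail_open_threshold(summary, min_detection=0.95):
    """Lowest load at which detection drops below min_detection, else None."""
    for load, m in sorted(summary.items()):
        if m["detection_rate"] is not None and m["detection_rate"] < min_detection:
            return load
    return None
```

Run the same captures at each load level the device is rated for; a detection rate that holds at low load but drops at high load is the fail-open behaviour the article warns about.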
 
Nice move from TippingPoint. I use TippingPoint myself. :) Nice find too. :)

----------------------------
"Security is like an onion" - Unknown