Assaulting IPS

Craig Williams, Mike Caudill & Kevin Timm, Cisco Systems

USA 2010 Training, July 24-27

Weekend Training Session: July 24-25

Weekday Training Session: July 26-27


When testing an intrusion prevention system (IPS), security engineers tend to evaluate speed, accuracy, and ease of use. Although speed and ease of use are important for a security device, customers are paying for protection; thus, the accuracy of the signature base is critical. Evasion techniques are constantly evolving, so it is imperative that IPS devices have the ability to detect both ordinary exploits and their obfuscated cousins.

This hands-on course will cover everything from older, well-understood evasion techniques to newer, cutting-edge ones. We will apply these techniques using penetration testing tools and public proof-of-concept exploit code. The purpose of this course is to learn to test any IPS, not to expose a flaw in a specific vendor's product. To that end, the actual IPS devices we are testing will not be identified.

Students will learn how to modify attacks to accurately evaluate the detection capability of a device. Emphasis will be placed on determining whether a signature is specific to a vulnerability or to an exploit, as well as its resistance to additional layers of evasion. The course will also cover the intricacies of performance testing and the impact that a heavy load can have on an IPS. Newer technologies such as reputation will be discussed as they apply to detection.

By the end of the course, students will have detailed knowledge of evasion techniques and be able to properly gauge the performance of a device and avoid IPS testing pitfalls. The key factor in successful IPS testing is having properly trained, knowledgeable staff conducting the test. With the ever-present threat to network security, it is imperative to fully understand the level of protection that an IPS device provides and the level of insight required to maximize its capabilities.

Teaching methods:

Lecture, group exercises, and demos.

Student requirements (experience/expertise):

  • Basic IPS experience required with a major IPS platform (Cisco, TippingPoint, ISS, Sourcefire, Enterasys, etc.)
  • Basic shell scripting programming experience is recommended.
  • Basic familiarity with VMware products.
  • Basic regular expression familiarity.
  • Optional: While Ruby/Python/Perl experience is not a prerequisite, students with this background will probably be more comfortable with the material.

What to bring:

A laptop capable of running the VMware Infrastructure Client (i.e., Windows or a Windows VM) or an RDP client

What we provide:

  • Copy of slides
  • Remote access to 2 VMware Infrastructure servers (hosting attacker and victim VMs) set up on an inline IPS network
  • 3 switches (assuming 3 rows of tables, 1 switch per table)
  • Cisco IPS
  • 30 Ethernet cables
  • Traffic generator capable of overloading (DoSing) an IPS


Craig Williams is a senior research engineer for Cisco Systems where he is part of the Cisco Security Research & Operations organization. Craig specializes in exploit and malware analysis, reverse engineering, IPS signature design, vulnerability research, attack obfuscation and evasion, and network programming. Since joining Cisco in 2004, Craig has made significant contributions to the IPS signature team including a pending patent involving obfuscated traffic inspection. His current research involves malware, specifically improving the detection and mitigation of botnets.

Mike Caudill is a Program Manager and Incident Manager for Cisco Systems where he is part of the Cisco Security Research & Operations organization. Since joining Cisco in 1998, Mike has worked as an Incident Manager for the Cisco PSIRT where he responded, resolved, and disclosed security vulnerabilities in affected Cisco products. Mike has held leadership roles in both FIRST and ICASI, international organizations whose missions focus on vulnerability and security incident response in order to improve the state of security on the Internet. Mike has a relentless passion to protect customers and Internet users from vulnerabilities and attacks and today is helping to find new ways to detect, identify, mitigate, and respond to those attacks.

Kevin Timm is a security researcher at Cisco Systems where he is part of the Cisco Security Research & Operations organization. Kevin's current work focuses on the automation of malware analysis using virtualization. Over the past decade, Kevin has authored several security-related white papers and articles and has presented at Cisco Networkers. Prior to joining Cisco in 2004, Kevin held senior roles in the Managed Security and Managed Hosting industries.

Registration deadlines: Super Early ends Apr 1; later registration tiers end May 15, Jun 15, and Jul 23.