recommendations regarding IPS
Hi, I hope I'm not bothering you, but I'm looking for some experiences with IPS systems. There are several vendors, but is there a recommendation or some tests? As a service provider we need a system which handles the scanning in hardware, and it should work as a layer-2 bridge (no IP).

Stefan
--
Stefan Hegger
Lycos Europe GmbH
Carl-Bertelsmann Str. 21
Postfach 315
33311 Guetersloh
email: Stefan.Hegger@lycos-europe.com
Tel: +49 5241 80 71334
FAX: +49 5241 80671334
Mob: +49 170 1892720
"Hegger, Stefan" <Stefan.Hegger@lycos-europe.com> writes:

> I hope I'm not bothering you, but I'm looking for some experiences with IPS systems. There are several vendors, but is there a recommendation or some tests? As a service provider we need a system which handles the scanning in hardware, and it should work as a layer-2 bridge (no IP).

What speed, what problem are you trying to solve, and what do you mean by "in hardware"? No FPGAs? :)

---rob
Hi,

On Fri, 2006-03-31 at 08:50 -0500, Robert E. Seastrom wrote:

> "Hegger, Stefan" <Stefan.Hegger@lycos-europe.com> writes:
>
> > I hope I'm not bothering you, but I'm looking for some experiences with IPS systems. There are several vendors, but is there a recommendation or some tests? As a service provider we need a system which handles the scanning in hardware, and it should work as a layer-2 bridge (no IP).
>
> What speed, what problem are you trying to solve, and what do you mean by "in hardware"? No FPGAs? :)

We have a 2 Gbps connection with about 200 kpps of in- and outgoing traffic, and I don't want to pipe the traffic through software; FPGAs are OK. Our problem is DDoS, and we want to have stateful packet inspection. The system should not be "static": there should be something like anomaly detection. It should report if there is "strange" traffic. And of course the normal stuff such as intrusion detection (worms, botnets, etc.).

Stefan
--
Stefan Hegger
Lycos Europe GmbH
Carl-Bertelsmann Str. 21
Postfach 315
33311 Guetersloh
email: Stefan.Hegger@lycos-europe.com
Tel: +49 5241 80 71334
FAX: +49 5241 80671334
Mob: +49 170 1892720
Tipping Point IPS is the gold standard these days. Signature-based, with an annual fee to get the signatures. Signatures are usually weekly at a minimum. I use the Unity 50, but they do have Gbps IPSes. All of their IPSes are "bump-in-the-wire", which means that you do not have to assign an address (it operates at layer 2 instead of layer 3).

Edward W. Ray
CISSP, MCSE+Security, P.E., SANS GCIA Gold, SANS GCIH Gold
President, NetSec Design & Consulting
http://www.netsecdesign.com
(714) 997-9226
Edward W. Ray wrote:

> Tipping Point IPS is the gold standard these days. Signature-based, with an annual fee to get the signatures. Signatures are usually weekly at a minimum. I use the Unity 50, but they do have Gbps IPSes. All of their IPSes are "bump-in-the-wire", which means that you do not have to assign an address (it operates at layer 2 instead of layer 3).

Not to say anything about Edward, but this thread is going to be mostly full of commercial injections. Except for one network I have been in charge of, I have never found the need for any I[DP]S product, and I find them an almost complete waste of time and money.

Gadi.
> Except for one network I have been in charge of, I have never found the need for any I[DP]S product, and I find them an almost complete waste of time and money.

Agreed; they are just for people to "feel" more secure. I use it because I got one free for selling a bunch to customers who needed them to satisfy various regulatory requirements. Other than SQL Slammer and the occasional HTTP PHP exploit attempt, I rarely see anything of consequence.

Edward W. Ray
CISSP, MCSE+Security, P.E., SANS GCIA Gold, SANS GCIH Gold
President, NetSec Design & Consulting
http://www.netsecdesign.com
(714) 997-9226
On Fri, 31 Mar 2006 16:16:29 +0200, "Hegger, Stefan" said:

> We have a 2 Gbps connection with about 200 kpps of in- and outgoing traffic, and I don't want to pipe the traffic through software; FPGAs are OK. Our problem is DDoS, and we want to have stateful packet inspection.

What actual *problem* are you trying to solve by installing an IPS? Note that simple traffic graphs are usually enough to spot a DDoS, and if the attacker is clever enough, the packets will *look* sane enough to pass the IPS's muster and not be flagged.

Remember that in most cases, a packet flagged by an IPS falls into one of several categories:

1) False positive. You just nuked a legitimate connection. Whoops.

2) A packet that wouldn't have done anything anyhow because you've already patched the vulnerability. Who cares?

3) The very rare packet that exploits a vulnerability you haven't been able to harden the target against yet. At this point, the IPS is being used as a crutch to cover up the fact you haven't hardened the target box (and yes, I'm fully aware of "but it's running MobyFooBar that isn't certified on any release of the OS later than 1997" issues... doesn't change the fact that you haven't hardened the box, does it? ;)

4) A very important class of packets that the IPS does *NOT* alert on is the one it doesn't match to a vulnerability template, either because it's a 0-day you don't have a template for, or because the source of the packet is inside your border (got any wireless? Anyplace a user connects a laptop? Any machines that might have gotten whacked with spyware or other malware, opening up an *outbound* connection that your IPS will likely pass as OK?)

And don't forget that the IPS is Yet Another Log To Read. Unless you're also hiring more manpower to feed the beast and clean up after it, it's worse than useless, as it's taking away from all the OTHER things you're already doing.

And of course, getting one to do anything reasonable about "malicious traffic FOO carried over SSL/443" is a major technical challenge, which is why you're likely to see malicious traffic buried under the SSL.. ;)
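The point above that "simple traffic graphs are usually enough to spot a DDoS" can be made concrete without any IPS: poll the border interface's packet counters and alarm on a robust deviation from the recent baseline, separately for each direction. The example below is added here and is not code from any participant in the thread. It assumes the packets-per-second readings come from periodic polls of an interface counter (for example via SNMP); the readings themselves are constructed around the 200 kpps figure the original poster gives, and the names `flag_spikes`, `classify` and `robust_centre_and_scale` are this example's own.

```python
"""Spotting a flood from interface counters alone, with no IPS in the path.

Added example, not from any participant in the thread. Assumes inbound and
outbound packets-per-second figures come from periodic polls of a border
interface counter; the readings below are constructed, not captured.
"""
from statistics import median

# Constructed 60-second samples around the ~200 kpps level the original
# poster describes. The last three inbound readings simulate a packet flood;
# outbound stays flat, which is what a volumetric attack against this
# network looks like from the border.
INBOUND_PPS = [
    198_000, 203_000, 201_000, 197_000, 205_000, 199_000, 202_000, 200_000,
    204_000, 198_000, 201_000, 203_000, 199_000, 202_000, 200_000, 197_000,
    640_000, 910_000, 1_250_000,
]
OUTBOUND_PPS = [
    201_000, 199_000, 202_000, 198_000, 200_000, 203_000, 201_000, 199_000,
    202_000, 200_000, 198_000, 201_000, 203_000, 199_000, 200_000, 202_000,
    201_000, 199_000, 203_000,
]


def robust_centre_and_scale(values):
    """Median and a MAD-based sigma estimate for a window of samples.

    A single spike inside the window barely moves either statistic, unlike
    mean/stddev, so a flood that has already started does not raise the
    baseline enough to hide its own later samples.
    """
    centre = median(values)
    mad = median(abs(v - centre) for v in values)
    scale = 1.4826 * mad            # MAD -> sigma for roughly normal data
    if scale == 0:                  # perfectly flat window: use a 1% floor
        scale = max(0.01 * centre, 1.0)
    return centre, scale


def flag_spikes(samples, window=12, threshold=6.0):
    """Return [(index, pps, score)] for samples whose robust z-score against
    the preceding `window` samples exceeds `threshold`.

    Only preceding samples form the baseline; the sample under test is never
    part of its own baseline.
    """
    alerts = []
    for i in range(window, len(samples)):
        centre, scale = robust_centre_and_scale(samples[i - window:i])
        score = (samples[i] - centre) / scale
        if score > threshold:
            alerts.append((i, samples[i], round(score, 1)))
    return alerts


def classify(inbound, outbound, **kw):
    """Run the detector per direction.

    An inbound-only spike is the classic volumetric DDoS picture; an
    outbound-only spike is the inside-the-border case (a compromised host
    sourcing traffic), which the thread notes an IPS tends to wave through.
    """
    return {
        "inbound": flag_spikes(inbound, **kw),
        "outbound": flag_spikes(outbound, **kw),
    }


if __name__ == "__main__":
    for direction, alerts in classify(INBOUND_PPS, OUTBOUND_PPS).items():
        for idx, pps, score in alerts:
            print(f"{direction} sample {idx}: {pps} pps (score {score})")
```

With the constructed data, the three flood samples (indices 16 to 18) are flagged on the inbound side with scores in the hundreds, while the outbound series produces nothing. The window and threshold are the tuning knobs: a 12-sample window at 60-second polls is a 12-minute baseline, which follows slow diurnal drift but not a flood; a threshold of 6 robust sigmas is far above normal jitter on a link carrying a few hundred kpps. Note that a slow ramp-up that stays under the threshold at every step will not be caught by this alone, which is the same "the attacker is clever enough" caveat raised above.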
participants (5)
- Edward W. Ray
- Gadi Evron
- Hegger, Stefan
- Robert E. Seastrom
- Valdis.Kletnieks@vt.edu