Focus on IDS
IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 12:25PM
Hurgel Bumpf (l0rd_lunatic yahoo com) (7 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 07:42PM
Trygve Aasheim (trygve pogostick net)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 07:07PM
Gary Halleen (ghalleen cisco com) (1 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 09:43AM
Hurgel Bumpf (l0rd_lunatic yahoo com) (1 replies)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 08:01PM
C-Info (c-info blaisnet com)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 05:05PM
David Henning (David Henning hughes com) (2 replies)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 09:28AM
Hurgel Bumpf (l0rd_lunatic yahoo com)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 07:10PM
Joel Snyder (Joel Snyder Opus1 COM) (2 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 09:50AM
Hurgel Bumpf (l0rd_lunatic yahoo com)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 08:20PM
Ronny Vaningh (ronny netrusion com) (2 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 05:45AM
foringer (at) gmail (dot) com [email concealed] (foringer gmail com)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 08:43PM
Hurgel Bumpf (l0rd_lunatic yahoo com)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 04:10PM
Paul Schmehl (pschmehl_lists tx rr com) (1 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 06:19PM
Joel Esler (eslerj gmail com) (1 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 07:40PM
Laurens Vets (laurens daemon be)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 03:55PM
Laurens Vets (laurens daemon be) (1 replies)
Hey Andre,

> i need to protect a "realtime" website with an inline IPS from (D)DOS attacks.

That's going to be though with an IPS...

> I had some bad experience with Tippingpoint UnityOne 2400 field test. The device dropped to much sessions until all connectivity was lost.
> After that no investigation was not possible as TP logs all attack information with IP address 0.0.0.0
>
> The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would lead to delayed packages)
>
> This is unacceptable.
>
> i'm now looking forward to test a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance.
>
> Who has a good/bad experience with that devices? Is it true that all devices don't log ip adresses?

If you want to block a DDOS with an IPS, good luck with that :)
Normally, most devices do log source and destination addresses.
However, depending on the alert generated by the IPS, you still might
see 0.0.0.0 as source for instance. This means that the alert triggered
with a lot of different source addresses.

> My dream appliance would be able to run like in a 7 day learning mode which counts max new sessions per second, max sessions per client aso. After this 7 days it creates a filter with +x% of the learned values and sets these limits active.

I don't think any of the systems mentioned above can actually do this.
I'll talk in general terms as I only have experience with Cisco (and
other IPSses you didn't mention).

IPSes inspect traffic for defined patterns in that traffic. They will
generally see that there's a lot of traffic when there's a (D)DOS (and
can report some of it. E.g it will notice a SYN flood for instance), but
if the traffic is legitimate (e.g. 'normal' HTTP requests to
http://company.com, but coming from a lot of different sources) it won't
"see" anything bad and can't take action on this traffic.
I don't think a Cisco IPS can do statistical analysis of the traffic
(E.g. "alert when this type of traffic has an 80% increase over the last
2 hours").

If an IPS sees too much packets to process (legitimate or not), it will
either drop them or pass them unanalyzed.

> A big problem is that i have to install it into the productive system to get the real values. I dont have any fixed values regarding the new sessions per second and i cant just guess and set values and render the system offline.

Most inline IPSes can be put inline without actually blocking anything,
usually called learning mode or monitoring mode.

Hope this helps a bit.

-Laurens

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 09:26AM
Hurgel Bumpf (l0rd_lunatic yahoo com) (1 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 07:52PM
Laurens Vets (laurens daemon be)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 03:39PM
BARDINI, MICHAEL (michael bardini hp com) (1 replies)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 07:55AM
Hurgel Bumpf (l0rd_lunatic yahoo com)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 03:32PM
Diego Garay (dgaray dacas com) (1 replies)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 09:21AM
Hurgel Bumpf (l0rd_lunatic yahoo com)


 

Privacy Statement
Copyright 2010, SecurityFocus