Focus on IDS
IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 12:25PM
Hurgel Bumpf (l0rd_lunatic yahoo com) (7 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 07:42PM
Trygve Aasheim (trygve pogostick net)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 07:07PM
Gary Halleen (ghalleen cisco com) (1 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 09:43AM
Hurgel Bumpf (l0rd_lunatic yahoo com) (1 replies)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 08:01PM
C-Info (c-info blaisnet com)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 05:05PM
David Henning (David Henning hughes com) (2 replies)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 09:28AM
Hurgel Bumpf (l0rd_lunatic yahoo com)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 07:10PM
Joel Snyder (Joel Snyder Opus1 COM) (2 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 09:50AM
Hurgel Bumpf (l0rd_lunatic yahoo com)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 08:20PM
Ronny Vaningh (ronny netrusion com) (2 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 05:45AM
foringer (at) gmail (dot) com [email concealed] (foringer gmail com)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 08:43PM
Hurgel Bumpf (l0rd_lunatic yahoo com)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 04:10PM
Paul Schmehl (pschmehl_lists tx rr com) (1 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 06:19PM
Joel Esler (eslerj gmail com) (1 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 07:40PM
Laurens Vets (laurens daemon be)
> Since everything has been thrown in except the Kitchen Sink, I'd
> probably suggest:
>
> http://www.sourcefire.com

:) Not everything, IBM ISS Proventia (and probably some other vendors
to) wasn't included...

-Laurens

> On Wed, Jul 29, 2009 at 12:10 PM, Paul Schmehl <pschmehl_lists (at) tx.rr (dot) com [email concealed]> wrote:
>> --On Wednesday, July 29, 2009 12:25:16 +0000 Hurgel Bumpf <l0rd_lunatic (at) yahoo (dot) com [email concealed]> wrote:
>>> Hi List,
>>>
>>> i need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
>>>
>>> I had some bad experience with Tippingpoint UnityOne 2400 field test. The
>>> device dropped to much sessions until all connectivity was lost. After that
>>> no investigation was not possible as TP logs all attack information with IP
>>> address 0.0.0.0
>>>
>> If this is true, the box was incorrectly sized for your traffic. We've had TP inline for years and have never lost packets or connectivity. It *is* possible to overload the device if you try to log absolutely everything and enable every filter on the box.
>>
>>> The vendor excused this with the layered technology and passing the IP
>>> address from the hardware to the logger would lead to delayed packages)
>>>
>> What vendor? Tippingpoint? Or a var? Whoever it was, it sounds like they don't know what they're doing.
>>
>> Not sure what you mean by this statement, but any device can be DoS'd by excessive logging or by enabling every single rule the box is capable of parsing.
>>
>>> This is unacceptable.
>>>
>>> i'm now looking forward to test a Cisco IPS 4270-20 and a McAfee Network
>>> Security 4050 appliance.
>>>
>>> Who has a good/bad experience with that devices? Is it true that all devices
>>> don't log ip adresses?
>>>
>> I can't imagine an IPS that wouldn't log IP addresses. That's the entire point of the device, isn't it? TP certainly does.
>>
>> It seems there's more to this story than you are giving us.
>>
>>> My dream appliance would be able to run like in a 7 day learning mode which
>>> counts max new sessions per second, max sessions per client aso. After this 7
>>> days it creates a filter with +x% of the learned values and sets these limits
>>> active.
>>>
>>> A big problem is that i have to install it into the productive system to get
>>> the real values. I dont have any fixed values regarding the new sessions per
>>> second and i cant just guess and set values and render the system offline.
>>>
>>> All information is highly appreciated!
>>>
>> My first suggestion would be, don't put a demo/eval IPS inline. Put it in listening mode, watch the traffic and figure out what's going on with your network without taking it down. Had you done this with the 2400, you would have realized it was undersized without creating a disaster scenario.
>>
>> I don't really care what you purchase, but please do Cisco and McAfee a favor. Don't put their devices inline while your doing your evaluation. Use them like an IDS, enable whatever you want and let the box tell you what it *would* have done had you placed it inline.
>>
>> Once you've found whatever it is you're looking for, you should be able to put it inline with a high degree of confidence that it will perform as expected.
>>
>> --
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> *******************************************
>> Check the headers before clicking on Reply.
>>
>>
>> -----------------------------------------------------------------
>> Securing Your Online Data Transfer with SSL.
>> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
>> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194
>>
>>
>
> -- Joel Esler | http://joelesler.net
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 03:55PM
Laurens Vets (laurens daemon be) (1 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 09:26AM
Hurgel Bumpf (l0rd_lunatic yahoo com) (1 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 07:52PM
Laurens Vets (laurens daemon be)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 03:39PM
BARDINI, MICHAEL (michael bardini hp com) (1 replies)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 07:55AM
Hurgel Bumpf (l0rd_lunatic yahoo com)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 03:32PM
Diego Garay (dgaray dacas com) (1 replies)
RE: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 30 2009 09:21AM
Hurgel Bumpf (l0rd_lunatic yahoo com)


 

Privacy Statement
Copyright 2010, SecurityFocus