Focus on IDS
IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 12:25PM
Hurgel Bumpf (l0rd_lunatic yahoo com) (7 replies)
Re: IPS - Cisco vs. McAfee vs. Tippingpoint Jul 29 2009 07:42PM
Trygve Aasheim (trygve pogostick net)


Hurgel Bumpf wrote:
> Hi List,
>
> I need to protect a "realtime" website with an inline IPS from (D)DOS attacks.

An IPS is not the solution if this is just to protect against DDoS, as
many are saying already.
It is too close to your infrastructure...

>
> I had some bad experience with a Tippingpoint UnityOne 2400 field test. The device dropped too many sessions until all connectivity was lost.
> After that no investigation was possible, as TP logs all attack information with IP address 0.0.0.0

What "DDoS" filter gave you these hits? What was the test?
Doesn't sound like the attack was an application level attack, but more
like a network attack...which, as I say above, an IPS won't help you
with, since your connections are clogged anyway.

>
> (The vendor excused this with the layered technology, and passing the IP address from the hardware to the logger would lead to delayed packages.)
>
> This is unacceptable.
>
> I'm now looking forward to testing a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance.
>
> Who has a good/bad experience with those devices? Is it true that all devices don't log IP addresses?

In some scenarios, the inline devices are having issues with logging
IPs. Just like you will have issues going through all IPs in a bot net
DDoS attack as well. And what do you need the IPs for? Do you have the
man power to go through several thousand IPs? ;)

>
> My dream appliance would be able to run in something like a 7 day learning mode which counts max new sessions per second, max sessions per client and so on. After these 7 days it creates a filter with +x% of the learned values and sets these limits active.
>
> A big problem is that I have to install it into the productive system to get the real values. I don't have any fixed values regarding the new sessions per second and I can't just guess and set values and render the system offline.

http://netoptics.com/ or
http://www.vssmonitoring.com/products/overview.asp might help you with
this. You can get your solution to look at the real traffic without
interfering.

>
> All information is highly appreciated!
>
> Thank you very much for your time,
>
> Andre
>

If you are afraid of network based DDoS attacks, talk to your ISP to
see what services they are offering, or look at a netflow solution and
see if you can do something with BGP in your infrastructure.

If you are afraid of application level based DDoS, an IPS or
Application Firewall might help, though I've heard stories of
configuration nightmares with the latter ones.

But it is very rare that you'll find the solution to DDoS threats with a
box on the wire by itself...
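
The learning mode asked about in the quoted question, computed offline from traffic seen through a passive tap as the reply suggests, is sketched below as an added example that is not part of the original thread. The event format, function names and sample addresses are assumptions, and "sessions per client" is taken to mean concurrent sessions.

```python
from collections import Counter, defaultdict

# Constructed session events, as a tap or flow export might yield them:
# (epoch second, client IP, "open" | "close"). Documentation address ranges.
LEARNING = [
    (100, "192.0.2.10", "open"), (100, "192.0.2.11", "open"),
    (100, "192.0.2.10", "open"), (101, "192.0.2.10", "close"),
    (101, "192.0.2.12", "open"), (102, "192.0.2.10", "open"),
    (102, "192.0.2.10", "open"), (103, "192.0.2.11", "close"),
]
# Constructed burst: one client opening six sessions within one second.
BURST = [(200, "198.51.100.7", "open")] * 6 + [(201, "192.0.2.10", "open")]


def replay(events, limits=None):
    """Return (peak new sessions/sec, peak concurrent per client, alerts).

    With limits given, record what an inline filter *would* have flagged,
    without dropping anything (report-only, as on a tap).
    """
    new_per_sec, open_now = Counter(), defaultdict(int)
    peak_client, alerts = 0, []
    for ts, client, kind in sorted(events, key=lambda e: e[0]):
        if kind == "open":
            new_per_sec[ts] += 1
            open_now[client] += 1
            peak_client = max(peak_client, open_now[client])
            if limits and new_per_sec[ts] > limits["new_sessions_per_sec"]:
                alerts.append((ts, "rate", client))
            if limits and open_now[client] > limits["sessions_per_client"]:
                alerts.append((ts, "per_client", client))
        elif kind == "close" and open_now[client] > 0:
            open_now[client] -= 1
    return max(new_per_sec.values(), default=0), peak_client, alerts


def learn_limits(events, headroom_pct):
    """Learned peaks plus headroom_pct percent, rounded up to whole sessions."""
    rate, per_client, _ = replay(events)
    pad = lambda v: (v * (100 + headroom_pct) + 99) // 100  # integer ceiling
    return {"new_sessions_per_sec": pad(rate), "sessions_per_client": pad(per_client)}


if __name__ == "__main__":
    limits = learn_limits(LEARNING, headroom_pct=50)
    print(limits, replay(BURST, limits)[2])
```

Replaying further captured traffic against the learned limits in report-only mode shows how often legitimate peaks would have been cut off before any limit is enforced inline.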

Copyright 2010, SecurityFocus