Focus on IDS
Re: Whatever happened to 10gb IPS? Jul 22 2010 04:56AM
vijay upadhyaya (vijay upadhyaya gmail com)
@Dave, I am glad that you are revealing that you work for Sourcefire.
Based on my experience with various IPS products, I strongly feel that
there is no absolute right or wrong choice, it is matter of what you
are trying to protect and what are my existing security
measures/products and my risk appetite and most importantly network
architecture. Now I refuse to believe that all the network assets are
equally important and best way to provide the protection is to place
IPS in the network where it is needed the most. If you end up with
conclusion that all the network must have IPS then still you can get
more boxes and install it per network...Just a thought.

Finally its not IPS but people managing IPS are most critical part .
Its not the product but people that will make the difference to your
security.So instead of product i would invest in providing more
training to my security staff than investing in expensive product.

Just to prove my point try Fragroute and run different attack on Sun,
Linux and Windows boxes behind IPS and you will know what I am talking
about . This tool was written by DugSong based on the paper Insertion,
Evasion, and Denial of Service: Eluding Network Intrusion Detection by
Thomas and Timothy.

And some of the problems identified in this paper are very limitation
of NIDS of not knowing the host OS and hence cannot accurately judge
what will be the final behavior at the host of the given set of
packets in the conditions like overlapping fragments and ttl =1 for
one of the packets, out of order arrival to name a few. Since Linux
and Windows behaves differently the way it handles the overlapping
fragments and hence there is no easy way to handle this in NIDS.

To summarize, you need following,
1. Good assessment of the protection you require and risk appetite.
(Risk Reward ratio)
2. Excellent security staff
3. Ability to discard marketing of NSS, Gartner, and Forresters of
the world. These are just marketing tool for the companies !
4. Finally a product that can fit and provide the benefits you want
or need , not benefits that they list.

Hope this helps,
Regards,

Vijay Upadhyaya
BS-7799 Lead Auditor
CISA
CISSP
CSGA
Nortel ASF Training Certification

> On Thu, Jul 15, 2010 at 12:16 AM, Dave Venman <dvenman (at) sourcefire (dot) com [email concealed]> wrote:
>>
>> <disclaimer>  I work for Sourcefire </disclaimer> but I'll try to keep
>> this vendor-neutral
>>
>> There are lots of boxes now which can, or claim they can, perform
>> 10Gbps or more inspection.
>>
>> Some of that is marketing fluff, some of it is the real McCoy.
>>
>> If you have a need for 10Gbps inspection or higher then you really
>> need to do your homework because the boxes you pay for go for lots of
>> money.  If you spend all that money on a solution which doesn't do IPS
>> properly or only do IPS properly well below the expected / rated /
>> claimed throughput - and I accept there are various approaches which
>> do work, and there are those which don't - then you're stuck with it
>> for the foreseeable future.
>>
>> You need to do your homework seriously - check reviews, NSS reports,
>> anything you can lay your hands on.  Then, get your hands on a unit to
>> evaluate them.  And when you test these devices, make sure you put
>> them in a production environment (passively - I'm not that stupid) to
>> get them to inspect YOUR traffic.  Don't rely on sending a PCAP to
>> someone and getting results, because you don't know how they've tested
>> your traffic, or if indeed they have tested it at all, just run basic
>> traffic distribution analysis on it and chucked the resulting figures
>> into a program to see the theoretical throughput.
>>
>> And don't just test for raw IPS throughput - although it's important -
>> make sure the stuff you throw at it is caught - make sure it's proper
>> attempts to exploit vulnerabilities not just Nessus / NMAP scans, make
>> sure your testing rig replays traffic properly and doesn't provide an
>> approximation of TCP traffic, and lots of other things which need to
>> be done properly to test the solution effectively.
>>
>> Raw throughput is only one element.  If you don't get proper
>> inspection, then the things are essentially expensive doorstops.
>>
>> On 14 July 2010 16:50, pacific.croc <pacific.croc (at) live (dot) in [email concealed]> wrote:
>>
>> >
>> >  Juniper also has the newly launched SRX series of appliances which if I am
>> > not wrong can deliver up to 30 Gbps
>> >
>> >
>> > On 7/14/2010 5:02 AM, Jeffrey Chen wrote:
>> >
>> >> I think they've been here for a while now:
>> >>
>> >> Palo Alto Networks PA-4000 IPS/Firewall - 10GB
>> >> Top Layer IPS 5500-1000 - 4GB individually, up to 32GB in clustering
>> >> mode.
>> >> Juniper IDP-8200 - 10GB
>> >>
>> >> Just off top of my head.  I think there are few others out there as
>> >> well.
>> >>
>>
>>
>>
>> --
>> Dave Venman
>>
>> -----------------------------------------------------------------
>> Securing Your Online Data Transfer with SSL.
>> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
>> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194
>>
>>
>
>

--
Vijay Upadhyaya
BS-7799 Lead Auditor
CISA
CISSP
CSGA
Nortel ASF Training Certification

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus