Educause Security Discussion mailing list archives

Re: Schools using SourceFire for IPS


From: "Everett, Alex D" <alex.everett () UNC EDU>
Date: Wed, 21 Jul 2010 13:30:32 -0400

Seth:

The network-based (we have some host-based also) intrusion prevention units at UNC have been quite beneficial in a 
number of areas.

1. Attack mitigation - millions of SSH brute force attempts blocked per year, not to mention SQL injection and PHP file 
includes. Must be inline for some of this to be useful*
2. HEOA - technical measures
3. Blocking bad IPs - no border firewall, so we use IPS instead
4. Investigating - like IDS; why does resnet have a lot of fake antivirus alerts??? Let's do something about it.
5. Zero-day/unpatched - it's difficult for an enterprise to have all patches applied. New computers are brought up 
hourly.
6. Incident cost/helpdesk costs - one prevented incident could be worth tens of thousands due to regulatory compliance
7. Provides protection for devices that would otherwise have little
8. Monitoring - like network monitoring, we graph tcp/udp etc. per minute per interface
9. Blacklists - let's not have any IP that zeustracker or malwaredomains says is distributing malware connect to UNC

Intrusion prevention can be one of the other controls that help reduce risk for an organization.

-Alex Everett, CISSP, CCNA
IT Security Engineer
University of North Carolina

On Jul 21, 2010, at 12:33 PM, Seth Hall wrote:

On Jul 20, 2010, at 4:25 PM, Brad Judy wrote:

We're currently evaluating options for an IPS replacement project and we're interested in hearing from any EDUs who 
have deployed SourceFire equipment in an in-line IPS mode.

Is there anyone willing to speak publicly about the real world benefits or perceived benefits they get from doing 
active IPS as opposed to just passively monitoring traffic in IDS mode?

Sorry for hijacking your topic Brad, but I'd like to find out more generically about the reason why people choose IPS 
over (or in addition to) IDS. :)

.Seth
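Three of the benefits Alex lists (items 1, 8 and 9: SSH brute-force blocking, per-minute protocol graphing, and blocklist enforcement) come down to simple rules run over connection records. The following is an added example, not code from anyone in this thread or from SourceFire: it parses a small constructed connection log in a made-up `src=... dst=... proto=... dport=...` format, flags sources that open many SSH connections in a short window, counts connections per minute per protocol, and reports any connection touching a blocklisted address. The log lines, the address values, the `BLOCKLIST` set (a stand-in for a feed such as zeustracker or malwaredomains) and the threshold and window values are all assumptions chosen for illustration.

```python
"""Detection checks an IDS/IPS would run over connection records (added
example; constructed data, not from UNC or any real sensor)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: one connection per line, space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2010-07-21T13:00:00 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
2010-07-21T13:00:05 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
2010-07-21T13:00:09 src=203.0.113.7 dst=192.0.2.11 proto=tcp dport=22
2010-07-21T13:00:14 src=203.0.113.7 dst=192.0.2.12 proto=tcp dport=22
2010-07-21T13:00:20 src=203.0.113.7 dst=192.0.2.13 proto=tcp dport=22
2010-07-21T13:00:30 src=192.0.2.50 dst=192.0.2.10 proto=tcp dport=22
2010-07-21T13:01:00 src=192.0.2.77 dst=198.51.100.23 proto=tcp dport=80
2010-07-21T13:02:00 src=192.0.2.78 dst=192.0.2.10 proto=udp dport=53
2010-07-21T13:20:00 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
"""

# Constructed stand-in for a malware-distribution blocklist feed.
BLOCKLIST = {"198.51.100.23", "203.0.113.99"}


def parse_events(text):
    """Parse log text into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def ssh_bruteforce_sources(events, threshold=5, window_s=60):
    """Return {src: peak_count} for sources with >= threshold TCP/22
    connections inside any sliding window of window_s seconds."""
    per_src = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 22:
            per_src[e["src"]].append(e["ts"])
    offenders = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[src] = best
    return offenders


def counts_per_minute(events):
    """Return {(minute, proto): n}, the data behind a per-minute tcp/udp graph."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["ts"].strftime("%Y-%m-%dT%H:%M"), e["proto"])] += 1
    return dict(counts)


def blocklisted_connections(events, blocklist=BLOCKLIST):
    """Connections whose source or destination is on the blocklist."""
    return [e for e in events if e["src"] in blocklist or e["dst"] in blocklist]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("SSH brute-force sources:", ssh_bruteforce_sources(evs))
    print("Per-minute counts:", counts_per_minute(evs))
    for e in blocklisted_connections(evs):
        print("Blocklisted:", e["src"], "->", e["dst"])
```

Run as-is, it reports 203.0.113.7 as the only brute-force source (five SSH connections within twenty seconds; its later single connection at 13:20 falls outside the window), one connection to the blocklisted 198.51.100.23, and six TCP connections in the 13:00 minute. An inline IPS would turn the first and third results into drops; a passive IDS would only alert, which is exactly the distinction the thread is asking about.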

