AW: IPS - Cisco vs. McAfee vs. Tippingpoint

["Daniel, Akos" <a.daniel () iq-optimize de>]

Hi,

That makes our life hard, for one question we have got ~12 Solution from different Manufacturers. As I see, it is not 
easy to choose 'the best solution', there is too much good idea from different manufacturers on the market and the key 
benefits of a product differ at each unique Customer/User.
I tried to collect all the products mentioned in this topic:
Sorry if not all correct and hopefully it will not be identified as spam :-)

Top Layer IPS
http://www.toplayer.com/content/products/intrusion_detection/attack_mitigator.jsp

Arbor Networks Peakflow CP and TM systems
http://www.arbornetworks.com/en/arbor-peakflow-ip-flow-based-technology.html
http://www.arbornetworks.com/peakflowsp

Cisco IPS 4200 Series Sensor
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/index.html
Cisco Anomaly Detection and Mitigation Appliances
http://www.cisco.com/en/US/products/ps5879/Products_Sub_Category_Home.html

McAfee Network Security
http://www.mcafee.com/us/enterprise/products/network_security/network_security_platform.html

Fortinet
http://www.fortinet.com/products/fortiweb/
http://www.fortinet.com/products/fortigate/

Sourcefire
http://www.sourcefire.com
Snort
http://www.snort.org/

WebDefend
http://www.breach.com/products/webdefend.html

F5 BIG-IP
http://www.f5.com/products/big-ip/
BIG-IP Application Security Manager Module
http://www.f5.com/products/big-ip/product-modules/application-security-manager.html

Mazu (Riverbed acquisited Mazu)
http://www.riverbed.com/products/cascade/

Riorey
http://www.riorey.com/

IBM ISS Proventia IPS
http://www-935.ibm.com/services/us/index.wss/offerfamily/iss/a1030570

Radware's DefensePro
http://www.radware.com/Products/ApplicationNetworkSecurity/DefensePro.aspx


Cheers,
Akos

-----Ursprüngliche Nachricht-----
Von: listbounce () securityfocus com [mailto:listbounce () securityfocus com] Im Auftrag von C-Info
Gesendet: Donnerstag, 30. Juli 2009 22:01
An: 'Hurgel Bumpf'; focus-ids () securityfocus com
Betreff: RE: IPS - Cisco vs. McAfee vs. Tippingpoint

A few years ago I worked on a project with a large ISP regarding DDoS
mitigation.  What we found was that it was nearly impossible to mitigate a
serious DDoS attack from the customer end.  Usually the pipe to the customer
from the ISP was totally full of attack traffic - so trying to stop this at
the customer site was simply not possible.

You really need to work with the ISP and ensure that they have some
mechanism (we used Peakflow SP and another product)to help stop the flow of
traffic upstream of your connection to the internet. 

Although these features are nice on customer premise devices - they only
work on smaller attacks that do not flood the customers internet connection.

Curt

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Hurgel Bumpf
Sent: Thursday, July 30, 2009 3:44 AM
To: focus-ids () securityfocus com; Gary Halleen
Subject: Re: IPS - Cisco vs. McAfee vs. Tippingpoint


Hi Gary,


thank you for your valuable input.

indeed my main focus is on protecting our systems from (D)DOS attacks. I
start to like the peakflow product more and more.

Thank you all for pointing that out!

Andre

--- Gary Halleen <ghalleen () cisco com> schrieb am Mi, 29.7.2009:

> Von: Gary Halleen <ghalleen () cisco com>
> Betreff: Re: IPS - Cisco vs. McAfee vs. Tippingpoint
> An: "Hurgel Bumpf" <l0rd_lunatic () yahoo com>, focus-ids () securityfocus com
> Datum: Mittwoch, 29. Juli 2009, 15:07
> Hurgel,
>
> While I think you'll be happy with the features and
> performance of Cisco's
> IPS (especially if you are using 7.0 software, which comes
> with Reputation
> Filtering and Global Correlation capabilities), you should
> keep in mind that
> an IPS is not always the best solution for DDoS
> protection.
>
> Depending on the type and severity of the DDoS attack, the
> IPS may provide
> what you are looking for, especially if you configure it to
> block or
> rate-limit on an upstream device, like a router, switch, or
> firewall.
>
> You may also want to take a look at Arbor's Peakflow
> products, as well as
> Cisco's Guard/Detector products.  Both of these are
> designed with DDoS
> protection as primary features.  They also are
> typically deployed both at
> the customer's site, as well as upstream, so that DDoS
> traffic is never
> eating up your bandwidth to the Internet once an attack is
> detected.
>
> Gary
>
>
>
> On 7/29/09 5:25 AM, "Hurgel Bumpf" <l0rd_lunatic () yahoo com>
> wrote:
>
> > Hi List,
> >
> > i need to protect a "realtime" website with an inline
> IPS from (D)DOS attacks.
> > I had some bad experience with Tippingpoint UnityOne
> 2400 field test. The
> > device dropped to much sessions until all connectivity
> was lost.
> > After that no investigation was not possible as TP
> logs all attack information
> > with IP address 0.0.0.0
> >
> > The vendor excused this with the layered technology
> and passing the IP address
> > from the hardware to the logger would lead to delayed
> packages)
> > This is unacceptable.
> >
> > i'm now looking forward to test a Cisco IPS 4270-20
> and a McAfee Network
> > Security 4050 appliance.
> >
> > Who has a good/bad experience with that devices? Is it
> true that all devices
> > don't log ip adresses?
> >
> > My dream appliance would be able to run like in a 7
> day learning mode which
> > counts max new sessions per second, max sessions per
> client aso. After this 7
> > days it creates a filter with +x% of the learned
> values and sets these limits
> > active.
> >
> > A big problem is that i have to install it into the
> productive system to get
> > the real values. I dont have any fixed values
> regarding the new sessions per
> > second and i cant just guess and set values and render
> the system offline.
> > All information is highly appreciated!
> >
> > Thank you very much for your time,
> >
> > Andre
> -----------------------------------------------------------------
> > Securing Your Online Data Transfer with SSL.
> > A guide to understanding SSL certificates, how they
> operate and their
> > application. By making use of an SSL certificate on
> your web server, you can
> > securely collect sensitive information online, and
> increase business by giving
> > your customers confidence that their transactions are
> safe.
> >
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f1
94
> >


      

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server, you can
securely collect sensitive information online, and increase business by
giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f1
94




-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194



-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194