Re: IPS - Cisco vs. McAfee vs. Tippingpoint

[Laurens Vets <laurens () daemon be>]

> Since everything has been thrown in except the Kitchen Sink, I'd
> probably suggest:
>
> http://www.sourcefire.com

:) Not everything, IBM ISS Proventia (and probably some other vendors 
to) wasn't included...

-Laurens

> On Wed, Jul 29, 2009 at 12:10 PM, Paul Schmehl <pschmehl_lists () tx rr com> wrote:
> > --On Wednesday, July 29, 2009 12:25:16 +0000 Hurgel Bumpf <l0rd_lunatic () yahoo com> wrote:
> > > Hi List,
> > >
> > > i need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
> > >
> > > I had some bad experience with Tippingpoint UnityOne 2400 field test. The
> > > device dropped to much sessions until all connectivity was lost.  After that
> > > no investigation was not possible as TP logs all attack information with IP
> > > address 0.0.0.0
> > If this is true, the box was incorrectly sized for your traffic.  We've had TP inline for years and have never lost 
> > packets or connectivity.  It *is* possible to overload the device if you try to log absolutely everything and enable every 
> > filter on the box.
> >
> > > The vendor excused this with the layered technology and passing the IP
> > > address from the hardware to the logger would lead to delayed packages)
> > What vendor?  Tippingpoint?  Or a var?  Whoever it was, it sounds like they don't know what they're doing.
> >
> > Not sure what you mean by this statement, but any device can be DoS'd by excessive logging or by enabling every single 
> > rule the box is capable of parsing.
> >
> > > This is unacceptable.
> > >
> > > i'm now looking forward to test a Cisco IPS 4270-20 and a McAfee Network
> > > Security 4050 appliance.
> > >
> > > Who has a good/bad experience with that devices? Is it true that all devices
> > > don't log ip adresses?
> > I can't imagine an IPS that wouldn't log IP addresses.  That's the entire point of the device, isn't it?  TP certainly 
> > does.
> >
> > It seems there's more to this story than you are giving us.
> >
> > > My dream appliance would be able to run like in a 7 day learning mode which
> > > counts max new sessions per second, max sessions per client aso. After this 7
> > > days it creates a filter with +x% of the learned values and sets these limits
> > > active.
> > >
> > > A big problem is that i have to install it into the productive system to get
> > > the real values. I dont have any fixed values regarding the new sessions per
> > > second and i cant just guess and set values and render the system offline.
> > >
> > > All information is highly appreciated!
> > My first suggestion would be, don't put a demo/eval IPS inline.  Put it in listening mode, watch the traffic and figure out 
> > what's going on with your network without taking it down.  Had you done this with the 2400, you would have realized it was 
> > undersized without creating a disaster scenario.
> >
> > I don't really care what you purchase, but please do Cisco and McAfee a favor. Don't put their devices inline while 
> > your doing your evaluation.  Use them like an IDS, enable whatever you want and let the box tell you what it *would* have done 
> > had you placed it inline.
> >
> > Once you've found whatever it is you're looking for, you should be able to put it inline with a high degree of 
> > confidence that it will perform as expected.
> >
> > --
> > Paul Schmehl, Senior Infosec Analyst
> > As if it wasn't already obvious, my opinions
> > are my own and not those of my employer.
> > *******************************************
> > Check the headers before clicking on Reply.
> >
> >
> > -----------------------------------------------------------------
> > Securing Your Online Data Transfer with SSL.
> > A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
> > on your web server, you can securely collect sensitive information online, and increase business by giving your 
> > customers confidence that their transactions are safe.
> > http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
>
> -- Joel Esler | http://joelesler.net
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
> on your web server, you can securely collect sensitive information online, and increase business by giving your 
> customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194