Educause Security Discussion mailing list archives

Re:


From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Thu, 20 Jul 2006 10:06:05 -0400

This solution is vendor dependent but we recently decided to migrate our
entire network from our existing manufacturer to Foundry Networks.

Foundry has s-flow (superior to Cisco's NetFlow) and their management
platform IronView (Foundry equivalent to Cisco Works) now has snort
integration.

So the result is that every port on our network will be s-flow enabled
at all times (yes Foundry can do this compared to NetFlow being a
resource hog so used sparingly) and it will send S-Flow data to IronView
which will then be analyzed for anomalies by snort.  We have a long road
to get there since we can not upgrade all at once but it looks very
promising.

I also realized you said "IPS" not "IDS" but if every port on the
network can be an IDS sensor and the management platform responsible for
configuring those ports is the IDS it is only a matter of scripting some
"responses" to have it automatically react to anomalies at the
switchport level.

I hope this at least helps stir some ideas for your solution.
_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070
 
--Lead, follow, or get out of the way. 
(author unknown)
 
-----Original Message-----
From: John Kaftan [mailto:jkaftan () HOTMAIL COM] 
Sent: Thursday, July 20, 2006 9:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY]

We are looking into Intrusion Prevention Systems.  We have looked at 
Tipping-Point and are about to look at Cisco MARS.  Does anyone have any 
experiences that they care to share?

John Kaftan
