Educause Security Discussion mailing list archives
Re: Schools using SourceFire for IPS
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Thu, 22 Jul 2010 08:56:20 -0400
I have similar thoughts on the matter, although we do have good firewalling set up here. It's nice to see inbound attacks that might traverse a firewall (vulnerability exploits, brute force, etc.) be blocked, as well as blocking any outbound CnC communication or attempts to infect others that might come from an internal system that gets infected. We still handle those internal systems as we might if they had been identified using an IDS (isolate, contact owner, etc.), but the IPS helps keep us from causing others grief in that situation.

We use our current IPS for some things that could be accomplished with an IDS, like trying to identify malware download sites through behavior patterns. Combining IDS or log correlation with an automatic firewall or router rule could also accomplish the brute force attack protection. The usefulness of one versus the other partially depends upon the other resources at your disposal (good firewall, NAC, log correlation, etc.), your network architecture, and organizational issues. There are arguments to be made for combinations of IPS and IDS in different network locations (border, intranet, VPN, etc.).

I know that many shy away from IPS because they feel it will break production services or be the target of blamestorming. Emory has been using it for about five years and while I'm told there was some inaccurate blaming early on, it's been pretty smooth sailing during my year here.

Brad Judy
Emory University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Everett, Alex D
Sent: Wednesday, July 21, 2010 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Schools using SourceFire for IPS

Seth:

The network-based (we have some host-based also) intrusion prevention units at UNC have been quite beneficial in a number of areas.

1. Attack mitigation - millions of SSH brute force blocked per year, not to mention SQL injection, and php file includes. Must be inline for some of this to be useful*
2. HEOA - technical measures
3. Blocking bad IPs, no border firewall, so we use IPS instead
4. Investigating - like IDS, why does resnet have a lot of fake antivirus alerts??? Let's do something about it.
5. Zero-day/unpatched - it's difficult for an enterprise to have all patches applied. New computers are brought up hourly.
6. Incident cost/helpdesk costs - one prevented incident could be worth tens of thousands due to regulatory compliance
7. Provides protection for devices that would otherwise have little
8. Monitoring - like network monitoring, we graph tcp/udp etc. per minute per interface
9. Blacklists - let's not have any IP that zeustracker or malwaredomains says is distributing malware connect to UNC

Intrusion prevention can be one of other controls that help reduce risk for an organization.

-Alex Everett, CISSP, CCNA
IT Security Engineer
University of North Carolina

On Jul 21, 2010, at 12:33 PM, Seth Hall wrote:

On Jul 20, 2010, at 4:25 PM, Brad Judy wrote:
We're currently evaluating options for an IPS replacement project and we're interested in hearing from any EDU's who have deployed SourceFire equipment in an in-line IPS mode.

Is there anyone willing to speak publicly about the real world benefits or perceived benefits they get from doing active IPS as opposed to just passively monitoring traffic in IDS mode?

Sorry for hijacking your topic Brad, but I'd like to find out more generically about the reason why people choose IPS over (or in addition to) IDS. :)

.Seth
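Brad's point that log correlation plus an automatic firewall rule can cover the SSH brute-force case without an inline IPS, shown as an added Python example that is not part of any message in this thread: it parses constructed sshd failure lines, counts failures per source inside a sliding window, skips a hypothetical allowlist so a misfire cannot block management networks (the "break production services" worry), and renders the block rules. The log format, threshold, window and ALLOWLIST ranges are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Matches OpenSSH auth-failure lines of the (assumed) form:
#   Jul 21 13:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

# Hypothetical allowlist: sources that must never be auto-blocked (management nets, internal scanners).
ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

def find_brute_forcers(log_lines, threshold=5, window_seconds=60, year=2010):
    """Return {source_ip: peak_failures} for sources with >= threshold failed logins
    inside any sliding window of window_seconds. Allowlisted sources are skipped."""
    recent = defaultdict(deque)   # source ip -> timestamps of its recent failures
    offenders = {}
    for line in log_lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src = m.group(2)
        if any(ip_address(src) in net for net in ALLOWLIST):
            continue                  # never generate a rule for allowlisted ranges
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold:
            offenders[src] = max(offenders.get(src, 0), len(q))
    return offenders

def block_rules(offenders):
    """Render one iptables DROP rule per offender (the 'automatic firewall rule' step)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(offenders)]

# Constructed sample log: one noisy external host, one allowlisted internal host, one benign failure.
SAMPLE_LOG = [
    f"Jul 21 13:00:{s:02d} bastion sshd[{100+s}]: Failed password for invalid user admin from 203.0.113.7 port {4000+s} ssh2"
    for s in range(0, 12, 2)
] + [
    f"Jul 21 13:00:{5+s:02d} bastion sshd[{200+s}]: Failed password for root from 10.1.2.3 port {5000+s} ssh2"
    for s in range(5)
] + [
    "Jul 21 13:00:30 bastion sshd[210]: Failed password for alice from 198.51.100.9 port 6000 ssh2",
    "Jul 21 13:00:31 bastion sshd[211]: Accepted password for alice from 198.51.100.9 port 6000 ssh2",
]
```

Running `block_rules(find_brute_forcers(SAMPLE_LOG))` yields a single rule for 203.0.113.7; the allowlisted 10.1.2.3 host, despite five failures, produces none.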
Current thread:
- Schools using SourceFire for IPS Brad Judy (Jul 20)
- Re: Schools using SourceFire for IPS Seth Hall (Jul 21)
- Re: Schools using SourceFire for IPS Bill Kyle (Jul 21)
- Re: Schools using SourceFire for IPS Everett, Alex D (Jul 21)
- Re: Schools using SourceFire for IPS Brad Judy (Jul 22)
- Re: Schools using SourceFire for IPS Patrick Goggins (Jul 21)
- Re: Schools using SourceFire for IPS Seth Hall (Jul 21)