Educause Security Discussion mailing list archives

Re: Schools using SourceFire for IPS


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Thu, 22 Jul 2010 08:56:20 -0400

I have similar thoughts on the matter, although we do have good firewalling
set up here.  It's nice to see inbound attacks that might traverse a
firewall (vulnerability exploits, brute force, etc) be blocked, as well as
blocking any outbound CnC communication or attempts to infect others that
might come from an internal system that gets infected.  We still handle
those internal systems as we might if they had been identified using an IDS
(isolate, contact owner, etc), but the IPS helps keep us from causing others
grief in that situation.

We use our current IPS for some things that could be accomplished with an
IDS, like trying to identify malware download sites through behavior
patterns.  Combining IDS or log correlation with an automatic firewall or
router rule could also accomplish the brute force attack protection.

The usefulness of one versus the other partially depends upon the other
resources at your disposal (good firewall, NAC, log correlation, etc), your
network architecture, and organizational issues.  There are arguments to be
made for combinations of IPS and IDS in different network locations (border,
intranet, VPN, etc).

I know that many shy away from IPS because they feel it will break
production services or be the target of blamestorming.  Emory has been using
it for about five years and while I'm told there was some inaccurate blaming
early on, it's been pretty smooth sailing during my year here.

Brad Judy

Emory University


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Everett, Alex D
Sent: Wednesday, July 21, 2010 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Schools using SourceFire for IPS

Seth:

The network-based (we have some host-based also) intrusion prevention units
at UNC have been quite beneficial in a number of areas.

1. Attack mitigation - millions of SSH brute force blocked per year, not to
mention SQL injection, and php file includes. Must be inline for some of
this to be useful*
2. HEOA - technical measures
3. Blocking bad IPs, no border firewall, so we use IPS instead
4. Investigating - like IDS, why does resnet have a lot of fake antivirus
alerts??? Let's do something about it.
5. Zero-day/unpatched - it's difficult for an enterprise to have all patches
applied. New computers are brought up hourly.
6. Incident cost/helpdesk costs - one prevented incident could be worth tens
of thousands due to regulatory compliance
7. Provides protection for devices that would otherwise have little
8. Monitoring - like network monitoring, we graph tcp/udp etc. per minute
per interface
9. Blacklists - let's not have any IP that zeustracker or malwaredomains says
is distributing malware connect to UNC

Intrusion prevention can be one of other controls that help reduce risk for
an organization.

-Alex Everett, CISSP, CCNA
IT Security Engineer
University of North Carolina
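The brute force protection Brad describes (IDS or log correlation feeding an automatic firewall or router rule) and items 1 and 9 in Alex's list (SSH brute force blocking, feed-based blacklists) are the same correlate-then-block pattern. The following is an added example, not code from the thread or from any of its posters: it parses sshd failure lines with a sliding-window threshold, matches flow records against a blocklist feed, and renders the decisions as firewall rules. The log lines, feed entries and flow records are constructed samples in documentation address ranges; the iptables rendering, the 2010 year assumed for syslog timestamps, and the threshold and window values are assumptions for illustration.

```python
"""Added example (not from the thread or any of its posters): correlating
sshd auth failures and a blocklist feed into firewall block decisions.
All log lines, feed entries and flow records below are constructed samples."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format. Syslog omits the year, so the
# parser assumes one (2010, the year of the thread).
SAMPLE_AUTH_LOG = """\
Jul 21 12:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.10 port 40001 ssh2
Jul 21 12:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.10 port 40002 ssh2
Jul 21 12:00:05 host1 sshd[2003]: Failed password for invalid user test from 203.0.113.10 port 40003 ssh2
Jul 21 12:00:07 host1 sshd[2004]: Failed password for invalid user oracle from 203.0.113.10 port 40004 ssh2
Jul 21 12:00:09 host1 sshd[2005]: Failed password for root from 203.0.113.10 port 40005 ssh2
Jul 21 12:00:12 host1 sshd[2006]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jul 21 12:00:20 host1 sshd[2007]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
Jul 21 12:30:00 host1 sshd[2008]: Failed password for root from 192.0.2.44 port 60001 ssh2
Jul 21 12:35:00 host1 sshd[2009]: Failed password for root from 192.0.2.44 port 60002 ssh2
Jul 21 12:40:00 host1 sshd[2010]: Failed password for root from 192.0.2.44 port 60003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2010):
    """Return (timestamp, source_ip) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=2), never_block=()):
    """Source IPs with at least `threshold` failures inside any `window`.
    `never_block` (e.g. management networks) is exempt so a misconfigured
    internal host cannot get itself blocked: the safety valve that keeps an
    automatic block from breaking production services."""
    exempt = [ipaddress.ip_network(n, strict=False) for n in never_block]
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)
    hits = set()
    for ip, times in by_ip.items():
        if any(ipaddress.ip_address(ip) in n for n in exempt):
            continue
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink to the window
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return hits


# Constructed blocklist feed: one IP or CIDR per line, '#' starts a comment.
# Shaped like an IP export from a feed such as zeustracker or malwaredomains,
# but these are documentation-range addresses, not real indicators.
SAMPLE_FEED = """\
# constructed feed
192.0.2.0/24        # constructed malware-distribution netblock
198.51.100.200
"""

# Constructed flow records: (source_ip, destination_ip, destination_port).
SAMPLE_FLOWS = [
    ("10.0.5.12", "192.0.2.17", 80),
    ("10.0.5.13", "203.0.113.5", 443),
    ("10.0.7.2", "198.51.100.200", 8080),
]


def load_feed(text):
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def feed_matches(flows, nets):
    """Flows whose destination falls inside a listed address or netblock."""
    return [f for f in flows if any(ipaddress.ip_address(f[1]) in n for n in nets)]


def block_rules(inbound_ips=(), outbound_ips=()):
    """Render decisions as iptables commands (an assumed enforcement point; a
    router ACL or firewall API would be rendered the same way)."""
    rules = [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(inbound_ips)]
    rules += [f"iptables -I FORWARD -d {ip} -j DROP" for ip in sorted(outbound_ips)]
    return rules


if __name__ == "__main__":
    attackers = brute_force_sources(parse_failures(SAMPLE_AUTH_LOG), never_block=["10.0.0.0/8"])
    flagged = feed_matches(SAMPLE_FLOWS, load_feed(SAMPLE_FEED))
    for rule in block_rules(attackers, {dst for _, dst, _ in flagged}):
        print(rule)
```

On the sample data only 203.0.113.10 crosses the threshold (five failures in eight seconds); 192.0.2.44 fails slowly enough to stay below it, and the legitimate user's single failure followed by success is ignored. In production the rules would be added with an expiry rather than permanently, and the exempt list is what separates a quiet deployment from the blamestorming Brad mentions: a block that fires on a scanner from the wrong side of the border is harmless, one that fires on the backup server is not.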

On Jul 21, 2010, at 12:33 PM, Seth Hall wrote:

On Jul 20, 2010, at 4:25 PM, Brad Judy wrote:

We're currently evaluating options for an IPS replacement project and
we're interested in hearing from any EDUs who have deployed SourceFire
equipment in an in-line IPS mode.

Is there anyone willing to speak publicly about the real world benefits or
perceived benefits they get from doing active IPS as opposed to just
passively monitoring traffic in IDS mode?

Sorry for hijacking your topic Brad, but I'd like to find out more
generically about the reason why people choose IPS over (or in addition to)
IDS. :)

 .Seth

