Educause Security Discussion mailing list archives

Re: IPS recommendations


From: Robert Rudloff <Robert.Rudloff () DU EDU>
Date: Mon, 12 Nov 2012 08:41:12 -0700

We are working with a product/service called MetaFlows – the primary drivers are 10Gbps capability and pricing.  The 
upsides are cost (very low compared to others), the primary detection engine is Snort (well known, documented, and 
straightforward to work with), and a modular design approach so we can scale it up from sub-gig to multi-gig.  The 
main downside is the interface is definitely an "engineer's" interface – although you can produce lots of pretty 
reports, it is not designed for managers – we actually like that aspect since it is meant to be a security tool.

It also has some SIEM-like features, plus OSSEC, BotHunter, Ntop, and external vulnerability scanning.  So far so good 
with it – we are still working on the best way to use the features included.  The other upside regarding cost – we've 
been able to replace the old IPS and use the IDS capability to monitor more of the internal network, for about half the 
cost of a straight replacement of the existing IPS.

I'd love to have a Palo Alto, the latest Tipping Point, or some of the other tools out there – but going to 10Gbps the 
costs are just too high.

Robert Rudloff
AVC/CISO, UTS-Service Assurance
University of Denver
Office:  (303) 871-4030
Mobile: (303) 590-8770

From: Bob Williamson <bob_williamson () AW ORG>
Date: Friday, November 9, 2012 11:08 PM
Subject: Re: IPS recommendations

Interesting to note that Palo Alto just recently released PAN-OS 5.  In the help file it mentions a new series of 
firewalls distributed as an OVF for use with vSphere.

Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | http://www.aw.org/
D: 253.272.2216 | F: 253.572.3616 | Bob_Williamson () aw org

Mission: Annie Wright's strong community cultivates individual learners to become well-educated, creative, and 
responsible citizens for a global society.

Find Annie Wright Schools on Facebook: http://www.facebook.com/anniewrightschools
Follow our Head of Schools on Twitter @AWShead: http://www.twitter.com/awshead

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Kell
Sent: Friday, November 09, 2012 4:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPS recommendations

A decade ago (more or less) we had a Cisco PIX firewall.  It had some IDS/IPS at the time, targeted at some of the 
threats of the time.  It did some things very well, but did not scale.

We had our first Cisco ASA firewalls right after their introduction.  They scaled much better than the PIX.  We also 
got the AIP-SSM IPS modules for them.  They were excellent at the time, directed at the threats at the time.  It did 
more things very well, but we're starting to approach its scale of bandwidth.  The IPS modules were catching less and 
less (and subsequent things behind them picking up more and more), so I put them in bypass mode over the summer as they 
were a bottleneck running inline.

We have been doing Snort in IDS mode (passive) for some time.  It does some things very well.  (Detecting a pattern 
here?)  It might do some more things well if we could afford the official commercial appliance offerings with the 
full Sourcefire enhancements, but as with most Next Generation Firewall or Unified Threat Management solutions, it gets 
a little difficult separating the wheat from the chaff in the marketing claims.

We added a TippingPoint appliance a couple of years ago.  It could implement blocking inline what Snort was telling us 
after the fact.  We also have an N-series appliance which supports the reputation database, a feature which scales to 
incredible heights that we could not get out of other approaches.  It does some things very well.

We also have a Procera.  It can do some blocking (it can nail individual URLs), and does some things very well.  But it 
doesn't scale up well on that particular feature.

I'm not sure there is a 100% cure-all box you can simply plug in and everyone lives happily ever after.  We have tried 
to combine best-of-breed and get the cumulative benefits of each, and at the same time we can avoid their individual 
weaknesses and redirect them at something better suited for the job.

And the more eggs you put into one basket, it appears the more expensive it is per megabit of traffic.  If your budget 
scales up to that, it's an option too.

Just another opinion :)

Jeff

On 11/9/2012 6:26 PM, King, Ronald A. wrote:
We too have TippingPoint EOL equipment.  We purchased two Palo Alto firewalls and are very happy with them.  In fact, 
they caught a bug today that triggered further investigation.  Thanks to them, it was easy to ID the host with user ID 
that was attacking our server.  We had not considered them as an alternative to TippingPoint, but, with this 
conversation and recent events, well, let’s just say we are now open to the idea that we may already have our 
replacement.

Note: The PAN firewalls are Next Gen (NG).  I have learned that they aren’t the standard definition of a firewall.  The 
recommended way to create rules is based on the application rather than port.  The bug I mentioned earlier was over 
port 80, generally allowed for your internal hosts to talk out to port 80, but, much like an IPS, it triggered on a 
Trojan filter.  We have a rule set for one of our web servers to only allow applications “web-browsing” and 
“web-crawler” from the Internet.  With the ASAs we are moving from, we allowed anything on port 80.

+2 here.

Ronald King
Security Engineer
Norfolk State University
http://security.nsu.edu/
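The point Ronald makes above (an application-based rule catching a Trojan on port 80 that a port-based ASA ACL would have waved through) is easy to see in code.  The block below is an added illustration, not code from this thread, from Palo Alto Networks or from Cisco: a deliberately tiny application identifier (an assumption; real App-ID engines carry far more signatures, and "web-crawler" is not modelled) labels each constructed flow from its first client payload, and the same flows are then run through a port-based ACL and an application-based rule.  Hosts, addresses and payloads are constructed sample data.

```python
"""Port-based vs. application-based policy on the same flows (added example).

Assumptions: identify_app() is a toy classifier with three labels
('web-browsing', 'ssl', 'unknown-tcp'); the flows below are constructed,
not captured traffic; neither policy function is vendor code.
"""
from dataclasses import dataclass
import re

# Request line of an HTTP/1.x request, e.g. b"GET / HTTP/1.1\r\n"
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection


def identify_app(payload: bytes) -> str:
    """Label the application from the first client payload.

    Toy signature set (assumption): an HTTP request line is 'web-browsing';
    a TLS handshake record carrying a ClientHello is 'ssl'; anything else is
    'unknown-tcp', which is what a binary malware check-in on port 80 looks
    like to an application-aware engine.
    """
    if HTTP_REQUEST.match(payload):
        return "web-browsing"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # then the handshake type byte 0x01 (ClientHello) after the 2-byte length.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    return "unknown-tcp"


def port_policy(flow: Flow) -> str:
    """Classic port-based ACL: permit tcp any any eq 80, deny the rest."""
    return "allow" if flow.dport == 80 else "deny"


def app_policy(flow: Flow, allowed_apps=("web-browsing",)) -> str:
    """Application-based rule: port 80 is permitted only when the flow is
    actually one of the allowed applications; same port, different outcome."""
    if flow.dport != 80:
        return "deny"
    return "allow" if identify_app(flow.payload) in allowed_apps else "deny"


# Constructed sample flows (not real captures).
FLOWS = [
    # Ordinary browsing: allowed by both policies.
    Flow("10.0.0.5", "93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # TLS ClientHello sent to port 80: identified as 'ssl', not in the allowed list.
    Flow("10.0.0.7", "203.0.113.9", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    # Binary check-in on port 80: the port-based ACL allows it, the app rule does not.
    Flow("10.0.0.9", "198.51.100.77", 80, b"\x00\x00\x00\x1cBEACON\x00id=7f3a\x00"),
    # Real HTTP on a non-80 port: denied by both, for different reasons.
    Flow("10.0.0.9", "198.51.100.77", 4444, b"GET / HTTP/1.1\r\n\r\n"),
]


def evaluate(flows):
    """Return the per-flow verdict of each policy, with the identified app."""
    return [
        {
            "src": f.src,
            "dst": f.dst,
            "dport": f.dport,
            "app": identify_app(f.payload),
            "port_policy": port_policy(f),
            "app_policy": app_policy(f),
        }
        for f in flows
    ]


if __name__ == "__main__":
    for row in evaluate(FLOWS):
        print(f"{row['src']} -> {row['dst']}:{row['dport']:<5} app={row['app']:<13} "
              f"port-ACL={row['port_policy']:<5} app-rule={row['app_policy']}")
```

The third flow is the interesting one: a port-based ACL sees only TCP/80 and permits it, while the application rule denies it because the payload is not recognised as web browsing.  Widening `allowed_apps` to `("web-browsing", "ssl")` is the equivalent of Ronald's "web-browsing" plus "web-crawler" rule: you admit named applications, not a port.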

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Entwistle, Bruce
Sent: Thursday, November 08, 2012 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IPS recommendations

Our current IPS is reaching EOS, so we want to take this opportunity to look at alternatives to our existing 
TippingPoint unit.  I was looking to see what everyone else is using and how well it is working for them.

Thank you
Bruce Entwistle
University of Redlands
