Educause Security Discussion mailing list archives
Re: IPS recommendations
From: Robert Rudloff <Robert.Rudloff () DU EDU>
Date: Mon, 12 Nov 2012 08:41:12 -0700
We are working with a product/service called MetaFlows. The primary drivers are 10Gbps capability and pricing. The upsides are cost (very low compared to others), the primary detection engine is Snort (well known, documented, and straightforward to work with), and a modular design approach so we can scale it up from sub-gig to multi-gig. The main downside is the interface is definitely an "engineers" interface; although you can produce lots of pretty reports, it is not designed for managers. We actually like that aspect since it is meant to be a security tool. It also has some SIEM-like features, plus OSSEC, BotHunter, Ntop, and external vulnerability scanning. So far so good with it; we are still working on the best way to use the features included.

The other upside regarding cost: we've been able to replace the old IPS and use the IDS capability to monitor more of the internal network, for about half the cost of a straight replacement of the existing IPS. I'd love to have a Palo Alto, the latest Tipping Point, or some of the other tools out there, but going to 10Gbps the costs are just too high.

Robert Rudloff
AVC/CISO, UTS-Service Assurance
University of Denver
Office: (303) 871-4030
Mobile: (303) 590-8770

From: Bob Williamson <bob_williamson () AW ORG>
Date: Friday, November 9, 2012 11:08 PM
Subject: Re: IPS recommendations

Interesting to note that Palo Alto just recently released PANOS5. In the help file it mentions a new series of firewalls distributed as an OVF for use with vSphere.

Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | www.aw.org
D: 253.272.2216 | F: 253.572.3616 | Bob_Williamson () aw org
Mission: Annie Wright's strong community cultivates individual learners to become well-educated, creative, and responsible citizens for a global society.
Find Annie Wright Schools on Facebook (http://www.facebook.com/anniewrightschools)
Follow our Head of Schools on Twitter @AWShead (http://www.twitter.com/awshead)

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Kell
Sent: Friday, November 09, 2012 4:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPS recommendations

A decade ago (more or less) we had a Cisco PIX firewall. It had some IDS/IPS at the time, targeted at some of the threats of the time. It did some things very well, but did not scale.

We had our first Cisco ASA firewalls right after their introduction. They scaled much better than the PIX. We also got the AIP-SSM IPS modules for them. They were excellent at the time, directed at the threats at the time. It did more things very well, but we're starting to approach its scale of bandwidth. The IPS modules were catching less and less (and subsequent things behind them picking up more and more), so I put them in bypass mode over the summer as they were a bottleneck running inline.

We have been doing Snort in IDS mode (passive) for some time. It does some things very well. (Detecting a pattern here?) It might be able to do some more things well if we could afford the official commercial appliance offerings with the full Sourcefire enhancements, but as with most NextGeneration FireWall or Unified Threat Management solutions, it gets a little difficult separating the wheat from the chaff in the marketing claims.

We added a TippingPoint appliance a couple of years ago. It could implement blocking inline what Snort was telling us after the fact. We also have an N-series appliance which supports the reputation database, a feature which scales to incredible heights that we could not get out of other approaches. It does some things very well.

We also have a Procera. It can do some blocking (it can nail individual URLs), and does some things very well. But it doesn't scale up well on that particular feature.

I'm not sure there is a 100% cure-all box you can simply plug in and everyone lives happily ever after. We have tried to combine best-of-breed and get the cumulative benefits of each, and at the same time we can avoid their individual weaknesses and redirect them at something better suited for the job. And the more eggs you put into one basket, it appears the more expensive it is per megabit of traffic. If your budget scales up to that, it's an option too.

Just another opinion :)

Jeff

On 11/9/2012 6:26 PM, King, Ronald A. wrote:

We too have TippingPoint EOL equipment. We purchased two Palo Alto firewalls and are very happy with them. In fact, they caught a bug today that triggered further investigation. Thanks to them, it was easy to ID the host with user ID that was attacking our server. We had not considered them as an alternative to TippingPoint, but, with this conversation and recent events, well, let's just say we are now open to the idea that we may already have our replacement.

Note: The PAN firewalls are Next Gen (NG). I have learned that they aren't the standard definition of a firewall. The recommended way to create rules is based on the application rather than port. The bug I mentioned earlier was over port 80, generally allowed for your internal hosts to talk out to port 80, but, much like an IPS, it triggered on a Trojan filter. We have a rule set for one of our web servers to only allow applications "web-browsing" and "web-crawler" from the Internet. With the ASAs we are moving from, we allowed anything on port 80.

+2 here.

Ronald King
Security Engineer
Norfolk State University
http://security.nsu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Entwistle, Bruce
Sent: Thursday, November 08, 2012 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IPS recommendations

Our current IPS is reaching EOS, so we would take this opportunity to look at alternatives to our existing Tipping Point unit. I was looking to see what everyone else is using and how well it is working for them.

Thank you
Bruce Entwistle
University of Redlands
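The port-versus-application distinction Ronald King describes (an ASA rule that allows anything on port 80 versus a PAN rule that allows only the "web-browsing" and "web-crawler" applications) is illustrated below with an added example that is not part of any message in this thread. The application identifier is a constructed toy, a stand-in for the firewall's own App-ID rather than its real logic, and the sample flows are constructed.

```python
import re

# Toy application identifier (constructed stand-in for a firewall's App-ID;
# a real App-ID uses far richer protocol decoders). Looks only at the first
# client bytes of a flow and returns a coarse application name.
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
CRAWLER_UA = re.compile(rb"^User-Agent:.*(bot|crawler|spider)", re.I | re.M)


def identify_app(payload: bytes) -> str:
    """Classify a flow's first client bytes as web-browsing, web-crawler or unknown."""
    if HTTP_REQ.match(payload):
        return "web-crawler" if CRAWLER_UA.search(payload) else "web-browsing"
    return "unknown-tcp"


def port_rule_allows(dst_port: int) -> bool:
    """Port-based (ASA-style) rule: anything destined for port 80 is allowed."""
    return dst_port == 80


def app_rule_allows(dst_port: int, payload: bytes,
                    allowed=("web-browsing", "web-crawler")) -> bool:
    """Application-based rule: only the listed applications pass, whatever the port."""
    return identify_app(payload) in allowed


# Constructed sample flows, all to port 80: a browser request, a crawler
# request, and a non-HTTP binary protocol riding on port 80.
SAMPLES = {
    "browser": (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n"
                    b"User-Agent: Mozilla/5.0\r\n\r\n"),
    "crawler": (80, b"GET /robots.txt HTTP/1.1\r\nHost: www.example.edu\r\n"
                    b"User-Agent: Googlebot/2.1\r\n\r\n"),
    "tunnel": (80, b"\x17\x03\x01\x00\x20" + b"\x00" * 32),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (app, port_rule_verdict, app_rule_verdict)} for each flow."""
    return {name: (identify_app(p), port_rule_allows(port), app_rule_allows(port, p))
            for name, (port, p) in samples.items()}


if __name__ == "__main__":
    for name, (app, by_port, by_app) in evaluate().items():
        print(f"{name:8s} app={app:13s} port-rule={by_port!s:5s} app-rule={by_app}")
```

The "tunnel" flow is the case the thread turns on: the port rule allows it because it is port 80, while the application rule drops it because it is not recognised as either allowed application.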