RE: NIPS Vendors explicit answer

["Brian Smith" <bsmith () tippingpoint com>]

Disclaimer first: I work for a vendor (TippingPoint).  That being said,
I've spent the last couple of years developing testing methodologies for
IPSs, so I have at least some strong opinions :-).  You should look at
the NSS test results:

    http://www.nss.co.uk/acatalog/Intrusion_Prevention_Systems__IPS_.html

To date, this is the only comprehensive independent IPS test that's been
done that I'm aware of.  The report's $75 to buy and a bargain at that.
The purchased report includes the test results, which you'll want.

You probably won't be able to fully replicate the NSS test suite (it
took a year to develop and two weeks per vendor to run), but a couple
of things to check when evaluating these products, especially those
that didn't go through NSS (Radware is the only one on your short list).

1) Make sure the product continues to block attacks when simple,
off-the-shelf evasion techniques are employed.   Some easy to try
tools that the hackers all use are fragroute and whisker

        http://monkey.org/~dugsong/fragroute/
        http://www.wiretrip.net/rfp/

The techniques these tools employ are documented at

        http://www.insecure.org/stf/secnet_ids/secnet_ids.html
        http://www.wiretrip.net/rfp/txt/whiskerids.html

2) Test the IPS like you would any other network element (switch,
router, etc).  Measure latency and throughput with different packet
sizes and different protocol mixes.  It's generally a good idea to
test the extremes (all 64 byte packets, all UDP traffic, all ICMP
traffic, fragmented traffic, out-of-order TCP traffic, etc) to see
how the IPS fairs.  Not that you're likely too see all 64 byte packets
or all fragmented traffic in a real network, but it'll give you an
idea the performance limits of each IPS.

3) Also make sure that the performance is acceptable by testing the
device inline in *your* network.  Try some simple performance tests
(copying files, compiling, ping to measure latency, etc) with and
without the IPS to see its effect on performance.  If the IPS slows
your network to a crawl, that's usually a non-starter.

4) Ask the vendor to explain how their process for releasing updates to
the product to protect against new attacks, and how many of their
filters protect against recent attacks.  As a rule, blocking attacks
from 5 years ago isn't as important as blocking attacks from the last
couple of months, since you've probably already patched the systems
against the older attacks.  Detecting old attacks is more of an IDS
function that an IPS function.

5) Think about how the product would work in your environment in a
worm storm, or other worst-case scenarios.  If the management network
is virtually down, can you still configure the box to block the attack
that's bringing it down?  How does HA for the device work?  Does it fail
open, closed, or is it configurable?

Hope this helps!

        Brian

-----Original Message-----
From: Melih Kirkgöz (Koç.net) [mailto:melihk () koc net]
Sent: Wednesday, April 28, 2004 10:00 AM
To: Rob Shein; Frank Knobbe; Vikram Phatak
Cc: focus-ids () securityfocus com
Subject: RE: NIPS Vendors explicit answer
Importance: High


Hello Everyone,

I am responsible for testing and offering an IPS solution for big networks with high rated throughputs for my 
company(an ISP) and our customers.
As i read these mails flowing around,i said "yes this is the right place to share my opinions".
I would rather ask a question outside the theory about IDS-IPS comparision.Right now i am more interested in product 
comparision becaues of my urgent duty

I had the chance to test Radware Defense Pro only as ab inline - IPS product.
It seems to be very fast responsive and successfull blocker against DDOS attacks,Synfloods and typical worms and 
detecting Protocol Anomalies.
The other vendors waiting for my tests:) are Netscreen IDP,RealSecure ISS Proventia G200 and Network Associates NAI 
Intruvert 2600 series.
Does any of you know about these products,especially in a competitive way between them?
I would appreciate your answers

Regards

Melih Kirkgöz  
Network Security Services 
Koç.net Haberlesme Teknolojileri ve Iletisim Hizmetleri
Camlica Is Merkezi B3 Blok Uskudar 81190 
Istanbul -TURKEY 
email: melihk () koc net 
URL :http://www.koc.net 


-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Tuesday, April 27, 2004 6:39 PM
To: 'Frank Knobbe'; 'Vikram Phatak'
Cc: focus-ids () securityfocus com
Subject: RE: NIPS Vendors explicit answer


I can answer this fairly easily.  Bruce Schneier, among other people, has been pointing out that the real measure of 
security is how gracefully it fails.  In many large environments (like where I am right now) there can be confusion as 
to who is responsible for which system; the system in question may go unpatched as a result.  When there's an IPS on 
top of everything, it makes a big difference, because now you have another layer of defense to protect it.  At some 
point, someone is bound to notice that the system isn't patched, but at least it won't be because of some 1337 d00d 
tearing it up. For a public-facing service this is an entire second layer of protection, where before there was only 
one.

I'd also think that any environment that could tackle the implementation of an IPS correctly would already have 
patching fairly well in hand.  And I doubt they'd stop patching at that point, anyways.

Oh, and I second the request for an IPS list.  Good idea, Frank!

> -----Original Message-----
> From: Frank Knobbe [mailto:frank () knobbe us]
> Sent: Monday, April 26, 2004 8:04 PM
> To: Vikram Phatak
> Cc: focus-ids () securityfocus com
> Subject: Re: NIPS Vendors explicit answer

<snip>

> True. It seems I was focusing on the detection part, not the 
> prevention part. A product that shields existing 
> vulnerabilities from a network does have merit.
>
> I think I just question why we need the product. It appears 
> that it would allows us to be more complacent with our 
> networks. Why patch the system when the IPS shields it? There 
> seem to be two sides to the IPS-shielding-the-network 
> approach. I can see where it is useful (especially when 
> running Microsoft products, the latest SSL issue being the 
> perfect example). But at the same time it is only a band-aid 
> until the hosts are patched. Shouldn't we focus our 
> preventative efforts on the hosts?
>
> (not dispelling IPS, but we should use it as a substitute for 
> securing systems).

<snip snip>


---------------------------------------------------------------------------

---------------------------------------------------------------------------

---------------------------------------------------------------------------

---------------------------------------------------------------------------


-----Original Message-----
From: Melih Kirkgöz (Koç.net) [mailto:melihk () koc net]
Sent: Wednesday, April 28, 2004 10:00 AM
To: Rob Shein; Frank Knobbe; Vikram Phatak
Cc: focus-ids () securityfocus com
Subject: RE: NIPS Vendors explicit answer
Importance: High


Hello Everyone,

I am responsible for testing and offering an IPS solution for big networks with high rated throughputs for my 
company(an ISP) and our customers.
As i read these mails flowing around,i said "yes this is the right place to share my opinions".
I would rather ask a question outside the theory about IDS-IPS comparision.Right now i am more interested in product 
comparision becaues of my urgent duty

I had the chance to test Radware Defense Pro only as ab inline - IPS product.
It seems to be very fast responsive and successfull blocker against DDOS attacks,Synfloods and typical worms and 
detecting Protocol Anomalies.
The other vendors waiting for my tests:) are Netscreen IDP,RealSecure ISS Proventia G200 and Network Associates NAI 
Intruvert 2600 series.
Does any of you know about these products,especially in a competitive way between them?
I would appreciate your answers

Regards

Melih Kirkgöz  
Network Security Services 
Koç.net Haberlesme Teknolojileri ve Iletisim Hizmetleri
Camlica Is Merkezi B3 Blok Uskudar 81190 
Istanbul -TURKEY 
email: melihk () koc net 
URL :http://www.koc.net 


-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Tuesday, April 27, 2004 6:39 PM
To: 'Frank Knobbe'; 'Vikram Phatak'
Cc: focus-ids () securityfocus com
Subject: RE: NIPS Vendors explicit answer


I can answer this fairly easily.  Bruce Schneier, among other people, has been pointing out that the real measure of 
security is how gracefully it fails.  In many large environments (like where I am right now) there can be confusion as 
to who is responsible for which system; the system in question may go unpatched as a result.  When there's an IPS on 
top of everything, it makes a big difference, because now you have another layer of defense to protect it.  At some 
point, someone is bound to notice that the system isn't patched, but at least it won't be because of some 1337 d00d 
tearing it up. For a public-facing service this is an entire second layer of protection, where before there was only 
one.

I'd also think that any environment that could tackle the implementation of an IPS correctly would already have 
patching fairly well in hand.  And I doubt they'd stop patching at that point, anyways.

Oh, and I second the request for an IPS list.  Good idea, Frank!

> -----Original Message-----
> From: Frank Knobbe [mailto:frank () knobbe us]
> Sent: Monday, April 26, 2004 8:04 PM
> To: Vikram Phatak
> Cc: focus-ids () securityfocus com
> Subject: Re: NIPS Vendors explicit answer

<snip>

> True. It seems I was focusing on the detection part, not the 
> prevention part. A product that shields existing 
> vulnerabilities from a network does have merit.
>
> I think I just question why we need the product. It appears 
> that it would allows us to be more complacent with our 
> networks. Why patch the system when the IPS shields it? There 
> seem to be two sides to the IPS-shielding-the-network 
> approach. I can see where it is useful (especially when 
> running Microsoft products, the latest SSL issue being the 
> perfect example). But at the same time it is only a band-aid 
> until the hosts are patched. Shouldn't we focus our 
> preventative efforts on the hosts?
>
> (not dispelling IPS, but we should use it as a substitute for 
> securing systems).

<snip snip>


---------------------------------------------------------------------------

---------------------------------------------------------------------------

---------------------------------------------------------------------------

---------------------------------------------------------------------------


---------------------------------------------------------------------------

---------------------------------------------------------------------------