IDS mailing list archives

Re: How to choose an IDS/FW MSS provider


From: buineach <securesolutions () gmail com>
Date: Thu, 10 Mar 2005 16:28:57 +0000

Stephane,
What is an appliance these days?!
Answer: everything.
What is a Checkpoint FW?
Answer: a Dell PC running Linux.

What are most IPS? If you look past the appliance label you will find
a Linux kernel/OS.
So what does this run on? A central CPU, I think you will find.

How does it do its string searching?
Most use an Agere Systems string search engine hanging off a PCI bus.

How do you ensure all traffic is coalesced so that it cannot evade
the string search engine's signature checks?
You will find that the CPU has to deal with fragmentation and TCP reassembly.
Any true IPS must be stateful and therefore cannot simply forward
fragments.

So when I send in TCP fragmented garbage to these devices and try to
send in legitimate traffic to the same destination, these units
generally come to a standstill.
This is why I say it is a PC architecture: because it is.
Look at the vendors who failed the NSS test and you will see a common
theme here.
And look at the tools used to test it.

A managed service from anyone when used as an IDS is great because you
don't have to look at the false positives that they have disabled
because they are inaccurate.
What about the hundreds of people who deployed IDS without a managed
service and found it impossible to tune?

I think you will admit that the technology used by IDS vendors is
almost the same as the appliance IPS they now promote.

As a test, send a 1Mb/sec synflood through any one of these devices.
You will see it trigger a synflood, but look on the dest server: SYNs
received from the spoofed sources.

These devices are at best good for managed IDS, but for 24/7/365 uptime
of your network :-)

My problem really is that they are promoting this technology for
inline protection when they can so easily become the main bottleneck
in any network.

Mick

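The message above argues that an inline IPS must keep state for fragment and TCP reassembly, and that fragmented garbage which never completes is what drives such a box to a standstill. The Python model below is an added illustration, not code from the list post or from any vendor named in the thread; it shows a reassembly table with the three bounds a defender would put on that state so a flood of incomplete fragments cannot starve legitimate traffic: a global byte budget with least-recently-touched eviction, a per-source slot cap, and an idle timeout. The addresses, fragment sizes and the three-piece HTTP request in `run_demo` are constructed sample values, and the class and function names are this example's own.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Fragment:
    src: str          # sender address (constructed sample values in run_demo)
    frag_id: int      # IP identification field, shared by all pieces of one datagram
    offset: int       # byte offset of this piece inside the original datagram
    more: bool        # "more fragments" flag: False only on the final piece
    payload: bytes

@dataclass
class Pending:
    chunks: Dict[int, bytes] = field(default_factory=dict)  # offset -> payload
    total_len: Optional[int] = None   # known once the final piece has arrived
    last_seen: float = 0.0
    bytes_held: int = 0

class ReassemblyTable:
    """Incomplete datagrams, oldest-touched first, kept under three bounds."""
    def __init__(self, max_bytes: int = 1500, max_per_src: int = 4, timeout: float = 30.0):
        self.max_bytes, self.max_per_src, self.timeout = max_bytes, max_per_src, timeout
        self.pending: "OrderedDict[Tuple[str, int], Pending]" = OrderedDict()
        self.held_bytes = 0
        self.stats = {"completed": 0, "evicted": 0, "expired": 0, "rejected_src_cap": 0}

    def _drop(self, key: Tuple[str, int], reason: str) -> Pending:
        p = self.pending.pop(key)
        self.held_bytes -= p.bytes_held
        self.stats[reason] += 1
        return p

    def sweep(self, now: float) -> int:
        """Idle timeout: forget datagrams nobody has added to for `timeout` seconds."""
        for key, p in list(self.pending.items()):
            if now - p.last_seen > self.timeout:
                self._drop(key, "expired")
        return len(self.pending)

    def feed(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Add one fragment; return the whole datagram when it completes, else None."""
        self.sweep(now)
        key = (frag.src, frag.frag_id)
        if key not in self.pending:
            # Per-source cap: one sender cannot occupy more than max_per_src slots.
            if sum(1 for s, _ in self.pending if s == frag.src) >= self.max_per_src:
                self.stats["rejected_src_cap"] += 1
                return None
            self.pending[key] = Pending()
        p = self.pending[key]
        self.pending.move_to_end(key)            # most recently touched goes last
        if frag.offset not in p.chunks:          # repeated offsets are ignored
            p.chunks[frag.offset] = frag.payload
            p.bytes_held += len(frag.payload)
            self.held_bytes += len(frag.payload)
        p.last_seen = now
        if not frag.more:
            p.total_len = frag.offset + len(frag.payload)
        # Global budget: evict the least recently touched *other* datagram until
        # we fit again (a single oversized datagram is left for the caller).
        while self.held_bytes > self.max_bytes and len(self.pending) > 1:
            self._drop(next(iter(self.pending)), "evicted")
        return self._try_complete(key, p)

    def _try_complete(self, key: Tuple[str, int], p: Pending) -> Optional[bytes]:
        if p.total_len is None:
            return None
        data, pos = bytearray(), 0
        for off in sorted(p.chunks):
            if off != pos:
                return None                      # a gap remains
            data += p.chunks[off]
            pos += len(p.chunks[off])
        if pos != p.total_len:
            return None
        self._drop(key, "completed")
        return bytes(data)

def run_demo() -> dict:
    """Constructed traffic: a burst of never-completing fragments from one source,
    a spread of them from ten sources, then one legitimate three-piece datagram."""
    table, t = ReassemblyTable(), 0.0
    for j in range(10):                          # one source, fresh id each time
        table.feed(Fragment("198.51.100.7", 500 + j, 0, True, b"\x00" * 100), t)
        t += 0.1
    for i in range(30):                          # ten sources, three ids each
        table.feed(Fragment(f"203.0.113.{i % 10}", 1000 + i, 0, True, b"\x00" * 100), t)
        t += 0.1
    pieces = [b"GET /index.html ", b"HTTP/1.0\r\nHost: ", b"example.test\r\n\r\n"]
    result, off = None, 0
    for n, chunk in enumerate(pieces):
        last = n == len(pieces) - 1
        result = table.feed(Fragment("10.0.0.5", 7, off, not last, chunk), t)
        off += len(chunk)
        t += 0.1
    left = table.sweep(t + 60.0)                 # idle timeout clears the leftovers
    return {"reassembled": result, "stats": dict(table.stats), "left_after_sweep": left}
```

Calling `run_demo()` shows the point of the three bounds: the single-source burst is cut off by the per-source cap after four slots, the ten-source spread is absorbed by evicting the oldest incomplete datagrams once the byte budget is full, and the legitimate request still reassembles while the flood is in progress. The sweep at the end shows that nothing left behind by the flood outlives the idle timeout. Without those bounds the table would simply grow with every garbage fragment, which is the standstill the post describes.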


On Wed, 09 Mar 2005 11:33:55 +0100, Stephane <stephane.d () ecologie net> wrote:
buineach wrote:

Stephane
My opinions here are based on testing I did against all these vendors
in the IPS space.
Netscreen IDP, Checkpoint (whatever) & ISS Proventia are PC based
solutions; like all PC based solutions it has a bad foundation to build [...]


Sorry, what do you mean by PC based solution? ISS Proventia A and G are
appliances running a cut-down dedicated Linux kernel. By PC based do you
mean Site Protector running on Windows?

5 years ago, we were sure the firewalls had to be the solution for
all the network stuff we did not want out of an insecure network. We are
forced to see it is completely wrong in the times we are having. By the
level of experience, I am almost sure ISS and its Managed Security Services are
the best to provide the 24x7 SLA we need. Furthermore, I do not trust
Cisco, Network Associates or the Yellow_Stuff since IDS and even IPS is
not their core business at all; they are just getting profits out of
their sales channels ;-)  10 years ago, ISS was already in the game,
and this makes the difference.

Stephane

