IDS mailing list archives
RE: Proventia G400
From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Fri, 28 Oct 2005 09:07:28 -0400
I work for ISS, so I would like to take the opportunity to add a few facts to FinAckSyn's post.

FinAckSyn writes:

Heavily signature reliant, PC-based, doesn't run standalone (needs external management), plus the requirement of an external unit to enable resiliency in case of Proventia hw/sw failure made the overall solution quite bulky.

I am not sure what it means to be signature reliant. I presume it is a reference to a style of processing similar to that used by SNORT as it seems to get painted with that brush most often. In that case, the G series is far from signature reliant. The product uses a rich mix of anomaly, rate-based, DDoS, statistical, and in some cases even some pattern-based algorithms all built on top of a rich, highly stateful, protocol analysis engine that parses nearly 140 protocols and file formats.

Yes, the G400 is based on a mix of commercially available hardware and custom built parts. It is a commercial grade server in construction. It uses a rack-mount chassis. It has redundant power supplies. It uses RAID for long term storage. This box is purpose-built for mission critical applications. The G400 is not your typical Personal Computer.

The G-series can run standalone. Each G has a web-based local management interface that allows you to manage the device with or without Site Protector. Even so, Site Protector will still be there if and when your needs expand beyond a small number of appliances.

In addition to the redundancy built into the hardware as described above, the G400 has built-in bypass on each of its copper IPS ports. These bypass units automatically engage in the event of power failure or software timeout. No external hardware is needed unless you require fiber ports. Fiber bypass was too big to build into the device, so you will need an external bypass unit for fiber ports.

FinAckSyn writes:

Throughput of 400Mbps seemed reasonable, but if you're going to include Gb ports on a device, in our opinion, that device should be able to handle a full Gb.

The G400 exists because some customers require more bandwidth than the G200 provides and do not use enough bandwidth to justify paying for one of the full gig appliances. If you need a device that supports a full gigabit you should consider one of the faster G models instead. Please refer to the product datasheets for more information:

http://documents.iss.net/literature/proventia/ProventiaGSeries_Datasheet.pdf

FinAckSyn writes:

We did hear on the grapevine that ISS (and Check Point, for that matter), both submitted their products for Edition 2 and 3 testing, but nothing came out of the other end. We can only assume that they declined to have their results published.

This is just fear mongering and has no real bearing on the capabilities of the G400.

Paul

-----Original Message-----
From: FinAckSyn [mailto:finacksyn () yahoo co uk]
Sent: Thursday, October 27, 2005 4:09 AM
To: Valter Santos; focus-ids () securityfocus com
Subject: Re: Proventia G400

Hi Valter,

We are currently evaluating IPS vendors in order to make an informed choice about which is going to be best for our customers (we are a security consultancy/reseller).

Unfortunately, ISS Proventia was one of the first to drop off the list. It's one of those that fell into our category of inline-IDS.

Heavily signature reliant, PC-based, doesn't run standalone (needs external management), plus the requirement of an external unit to enable resiliency in case of Proventia hw/sw failure made the overall solution quite bulky. Even more so for a single-box deployment.

Throughput of 400Mbps seemed reasonable, but if you're going to include Gb ports on a device, in our opinion, that device should be able to handle a full Gb. It didn't handle 400Mbps of small packets very well, either, so you would need a separate DDOS device (ISS don't supply these) if true enterprise perimeter or hosting protection is required.

SiteProtector software is excellent - one of the best. But you need to see through this and work out whether or not the device offers the protection you need, rather than choose a product based on appearance. The reports are also pretty nifty too. If we had to choose a product based on policy management and reporting, ISS would come pretty close to the top of the list.

Digging deeper, we also looked for independent test results. We referred to www.nss.co.uk, who offer the most thorough tests on the market. No sign of ISS, except in the old IPS Edition 1 test (non-current). We did hear on the grapevine that ISS (and Check Point, for that matter), both submitted their products for Edition 2 and 3 testing, but nothing came out of the other end. We can only assume that they declined to have their results published.

Our thoughts? It's not really a true IPS. Next.

Regards,
Matt

--- Valter Santos <vsantola () sectoid com> wrote:

Hi there,

anyone out there is using ISS Proventia G400 series, and is willing to share some thoughts ?

thanx
/valter

Current thread:
- Proventia G400 Valter Santos (Oct 26)
- Re: Proventia G400 FinAckSyn (Oct 27)
- Re: Proventia G400 Planz (Oct 28)
- <Possible follow-ups>
- RE: Proventia G400 Palmer, Paul (ISSAtlanta) (Oct 28)
- Re: Proventia G400 FinAckSyn (Oct 27)