IDS mailing list archives

RE: Proventia G400


From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Fri, 28 Oct 2005 09:07:28 -0400

I work for ISS, so I would like to take the opportunity to add a few
facts to FinAckSyn's post.

FinAckSyn writes:
Heavily signature reliant, PC-based, doesn't run standalone (needs external
management), plus the requirement of an external unit to enable resiliency
in case of Proventia hw/sw failure made the overall solution quite bulky.

I am not sure what it means to be signature reliant. I presume it is a
reference to a style of processing similar to that used by SNORT as it
seems to get painted with that brush most often. In that case, the G
series is far from signature reliant. The product uses a rich mix of
anomaly, rate-based, DDoS, statistical, and in some cases even some
pattern-based algorithms all built on top of a rich, highly stateful,
protocol analysis engine that parses nearly 140 protocols and file
formats.

Yes, the G400 is based on a mix of commercially available hardware and
custom built parts. It is a commercial grade server in construction. It
uses a rack-mount chassis. It has redundant power supplies. It uses RAID
for long term storage. This box is purpose-built for mission critical
applications. The G400 is not your typical Personal Computer.

The G-series can run standalone. Each G has a web-based local management
interface that allows you to manage the device with or without Site
Protector. Even so, Site Protector will still be there if and when your
needs expand beyond a small number of appliances.

In addition to the redundancy built into the hardware as described
above, the G400 has built-in bypass on each of its copper IPS ports.
These bypass units automatically engage in the event of power failure or
software timeout. No external hardware is needed unless you require
fiber ports. Fiber bypass was too big to build into the device, so you
will need an external bypass unit for fiber ports.

FinAckSyn writes:
Throughput of 400Mbps seemed reasonable, but if you're going to include Gb
ports on a device, in our opinion, that device should be able to handle a
full Gb.

The G400 exists because some customers require more bandwidth than the
G200 provides and do not use enough bandwidth to justify paying for one
of the full gig appliances. If you need a device that supports a full
gigabit you should consider one of the faster G models instead.

Please refer to the product datasheets for more information:
http://documents.iss.net/literature/proventia/ProventiaGSeries_Datasheet.pdf

FinAckSyn writes:
We did hear on the grapevine that ISS (and Check Point, for that matter),
both submitted their products for Edition 2 and 3 testing, but nothing came
out of the other end.  We can only assume that they declined to have their
results published.

This is just fear mongering and has no real bearing on the capabilities
of the G400.

Paul


-----Original Message-----
From: FinAckSyn [mailto:finacksyn () yahoo co uk] 
Sent: Thursday, October 27, 2005 4:09 AM
To: Valter Santos; focus-ids () securityfocus com
Subject: Re: Proventia G400

Hi Valter,

We are currently evaluating IPS vendors in order to make an informed
choice about which is going to be best for our customers (we are a
security consultancy/reseller).

Unfortunately, ISS Proventia was one of the first to drop off the list.
It's one of those that fell into our category of inline-IDS.  Heavily
signature reliant, PC-based, doesn't run standalone (needs external
management), plus the requirement of an external unit to enable
resiliency in case of Proventia hw/sw failure made the overall solution
quite bulky.  Even more so for a single-box deployment.

Throughput of 400Mbps seemed reasonable, but if you're going to include
Gb ports on a device, in our opinion, that device should be able to
handle a full Gb.  It didn't handle 400Mbps of small packets very well,
either, so you would need a separate DDOS device (ISS don't supply
these) if true enterprise perimeter or hosting protection is required.

SiteProtector software is excellent - one of the best.  But you need to
see through this and work out whether or not the device offers the
protection you need, rather than choose a product based on appearance.
The reports are also pretty nifty too.
If we had to choose a product based on policy management and reporting,
ISS would come pretty close to the top of the list.

Digging deeper, we also looked for independent test results.  We
referred to www.nss.co.uk, who offer the most thorough tests on the
market.  No sign of ISS, except in the old IPS Edition 1 test
(non-current).  

We did hear on the grapevine that ISS (and Check Point, for that
matter), both submitted their products for Edition 2 and 3 testing, but
nothing came out of the other end.  We can only assume that they
declined to have their results published.

Our thoughts?  It's not really a true IPS.  Next.

Regards,

Matt


--- Valter Santos <vsantola () sectoid com> wrote:


Hi there,

anyone out there is using ISS Proventia G400 series, and is willing to
share some thoughts?

thanx
/valter

