IDS mailing list archives

Re: location of an IPS


From: FinAckSyn <finacksyn () yahoo co uk>
Date: Fri, 21 Oct 2005 09:22:51 +0100 (BST)

Worst case scenario, you have 5,000 SYN packets (equates to approx 3Mbs), all trying to establish a connection. Each of these will create a flow/connection table entry on the Unity 50, so 5,000 packets equates to 5,000 (half) connections per second. So I would always design a perimeter solution with this in mind.

Remember, I'm talking worst case scenario, and not what would be in a typical stream - 5,000 connections can easily run into a gig.

But it's not normal traffic we want to deal with using an IPS - it's the abnormal stuff - bad content and unacceptable rates.

Start with the worst possible thing that could happen, and you've got yourself a decent security solution. Under-engineer, and you've only got yourself to blame when it all goes tits up.  :)

Matt
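The capacity argument in Matt's reply (worst-case small packets against the Unity 50's quoted 5,000 connections-per-second and 5,000 concurrent-connection limits), worked through as an added Python example that is not part of the original thread. It goes one step beyond the thread's arithmetic: Little's law turns the per-second setup rate and a half-open hold time into the connection-table size the device would need. The Unity 50 figures are the ones quoted in the thread; the link speed and hold time are assumptions made up for the illustration.

```python
# Capacity check for an inline IPS against the small-packet worst case.
# Device figures are those quoted in the thread; the link speed and the
# half-open hold time are constructed assumptions, not vendor data.
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceLimits:
    name: str
    max_cps: int         # new connections per second the device can set up
    max_concurrent: int  # connection/flow table size

# Figures quoted in the thread for the TippingPoint Unity 50.
UNITY_50 = DeviceLimits("Unity 50", max_cps=5_000, max_concurrent=5_000)

def offered_mbps(packets_per_sec: int, bits_per_packet: int) -> float:
    """Bandwidth a stream of uniformly sized packets consumes, in Mbit/s."""
    return packets_per_sec * bits_per_packet / 1_000_000

def worst_case_pps(link_mbps: float, bits_per_packet: int) -> int:
    """Most packets per second the link can carry if every packet is this small."""
    return int(link_mbps * 1_000_000 // bits_per_packet)

def table_entries_needed(new_conn_per_sec: int, hold_seconds: float) -> int:
    """Little's law: concurrent entries = arrival rate x time each entry lives."""
    return int(new_conn_per_sec * hold_seconds)

def assess(device: DeviceLimits, link_mbps: float, bits_per_packet: int,
           hold_seconds: float) -> dict:
    """Saturation points if every packet opened a new flow (the thread's worst case)."""
    pps = worst_case_pps(link_mbps, bits_per_packet)
    setup_rate = min(pps, device.max_cps)  # SYNs beyond max_cps are never set up
    entries = table_entries_needed(setup_rate, hold_seconds)
    return {
        "worst_case_pps": pps,
        "cps_exceeded": pps > device.max_cps,
        # Link speed at which the cps limit is reached with packets this small.
        "saturating_link_mbps": offered_mbps(device.max_cps, bits_per_packet),
        "entries_needed": entries,
        "table_exceeded": entries > device.max_concurrent,
    }

if __name__ == "__main__":  # constructed scenario: 10 Mbit/s feed, 30 s hold
    for key, value in assess(UNITY_50, 10, 512, 30.0).items():
        print(f"{key}: {value}")
```

With a 30 s half-open hold, 5,000 setups per second implies 150,000 table entries, so the 5,000-entry table fills long before the per-second rate limit is the constraint.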


--- Kurt Seifried <bt () seifried org> wrote:

Uhh your math is wrong. You're assuming each packet is a new connection/etc. I can saturate my backend 100 megabit network with 1 connection (rsync backups). 5,000 connections per second is a reasonable amount of traffic (5,000 simultaneous emails, www sessions, DNS queries, etc, it's certainly possible, and chances are it will consume a significant amount of bandwidth).

-Kurt Seifried


An IPS should be placed in front of the firewall, to provide complete network protection. However, the Unity 50 is quite low spec - 5,000 connections per second, 5,000 concurrent connections. Bearing in mind most Check Point firewalls have a default connection table size of 40,000 (?) connections, then putting the Unity 50 in front of your firewall would be a bottleneck.

Assuming small packet size (512 bits per packet), then 5,000 of these per second equates to just under 3Mbs. If your Internet feed is less than this, then no problem.  If it's higher, then the Unity 50 would not be able to handle a 3Mbs pipe full of small packets. You should really design your perimeter with this worst case scenario in mind, especially if you have negotiated burst rates with your ISP and your ISP feed can suddenly shoot up in usage.

Port scans should be blocked by the firewall - all irrelevant ports are discarded at this point.  I'm not sure how the Unity 50 handles port scans, I haven't played with one yet...  ;)

Regards,

Matt




--- Doug Fox <dfox168 () hotmail com> wrote:

I'm sorry for this dumb question, which may have been answered many times.

Where should one place a TippingPoint Unity 50 IPS device?  Behind or in front of a firewall?

I have a/the TippingPoint behind a Check Point firewall. Even though we externally and internally port-scanned the firewall and the IPS many times, the activity log did not contain any record of the "attacks".

What am I missing here?  Any pointers are appreciated.

Thanks,




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

___________________________________________________________
To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre.
http://uk.security.yahoo.com