IDS mailing list archives
Re: location of an IPS
From: FinAckSyn <finacksyn () yahoo co uk>
Date: Fri, 21 Oct 2005 09:22:51 +0100 (BST)
Worst case scenario, you have 5,000 SYN packets (equates to approx 3Mbs), all trying to establish a connection. Each of these will create a flow/connection table entry on the Unity 50, so 5,000 packets equates to 5,000 (half) connections per second. So I would always design a perimeter solution with this in mind.

Remember, I'm talking worst case scenario, and not what would be in a typical stream - 5,000 connections can easily run into a gig. But it's not normal traffic we want to deal with using an IPS - it's the abnormal stuff - bad content and unacceptable rates. Start with the worst possible thing that could happen, and you've got yourself a decent security solution. Under-engineer, and you've only got yourself to blame when it all goes tits up. :)

Matt

--- Kurt Seifried <bt () seifried org> wrote:

Uhh, your math is wrong. You're assuming each packet is a new connection/etc. I can saturate my backend 100 megabit network with 1 connection (rsync backups). 5,000 connections per second is a reasonable amount of traffic (5,000 simultaneous emails, www sessions, DNS queries, etc.; it's certainly possible, and chances are it will consume a significant amount of bandwidth).

-Kurt Seifried

An IPS should be placed in front of the firewall, to provide complete network protection. However, the Unity 50 is quite low spec - 5,000 connections per second, 5,000 concurrent connections. Bearing in mind most Check Point firewalls have a default connection table size of 40,000 (?) connections, then putting the Unity 50 in front of your firewall would be a bottleneck.

Assuming small packet size (512 bits per packet), then 5,000 of these per second equates to just under 3Mbs. If your Internet feed is less than this, then no problem. If it's higher, then the Unity 50 would not be able to handle a 3Mbs pipe full of small packets. You should really design your perimeter with this worst case scenario in mind, especially if you have negotiated burst rates with your ISP and your ISP feed can suddenly shoot up in usage.

Port scans should be blocked by the firewall - all irrelevant ports are discarded at this point. I'm not sure how the Unity 50 handles port scans, I haven't played with one yet... ;)

Regards,
Matt

--- Doug Fox <dfox168 () hotmail com> wrote:

I'm sorry for this dumb question, which may have been answered many times. Where should one place a TippingPoint Unity 50 IPS device? Behind or in front of a firewall? I have a/the TippingPoint behind a Check Point firewall. Even though we externally and internally port-scanned the firewall and the IPS many times, the activity log did not contain any record of the "attacks". What am I missing here? Any pointers are appreciated.

Thanks,
------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
___________________________________________________________
To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com
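The sizing arithmetic the posters above are arguing over, written out as a small worked example. This is added here and is not code from anyone in the thread. It takes the Unity 50 figures exactly as quoted in the thread (5,000 connections per second, 5,000 concurrent connections; not vendor-verified), uses the minimum Ethernet frame of 64 bytes = 512 bits as the per-packet size (the same figure the thread uses, ignoring preamble and inter-frame gap), and assumes a 30-second half-open entry lifetime, which is a hypothetical value, not a documented device setting. It generalises the thread's two calculations (packets per second to Mbit/s, and link speed to worst-case packets per second) and adds the one the thread hints at but does not carry through: how quickly an all-SYN stream fills a flow table of a given size.

```python
"""Worst-case sizing check for an inline IPS on an Internet link.

Added example; not code from anyone in the thread. Device figures are the
ones quoted in the thread (5,000 connections/s, 5,000 concurrent); the
half-open timeout is an assumed value, not a documented Unity 50 setting.
"""
from dataclasses import dataclass

# Minimum Ethernet frame is 64 bytes = 512 bits, the per-packet size the
# thread uses. Preamble and inter-frame gap are ignored, as the thread does.
ETH_MIN_FRAME_BITS = 64 * 8


@dataclass(frozen=True)
class DeviceLimits:
    name: str
    conn_per_sec: int       # new connections (flow-table inserts) per second
    concurrent_conns: int   # flow/connection table size


# Figures as quoted in the thread, not vendor-verified.
UNITY_50_AS_QUOTED = DeviceLimits("TippingPoint Unity 50 (as quoted)", 5_000, 5_000)


def rate_mbps(pps: int, packet_bits: int = ETH_MIN_FRAME_BITS) -> float:
    """Bandwidth consumed by `pps` packets/s of `packet_bits` each, in Mbit/s."""
    return pps * packet_bits / 1_000_000


def worst_case_pps(link_mbps: float, packet_bits: int = ETH_MIN_FRAME_BITS) -> int:
    """Most packets/s a link can carry if every packet is minimum-size."""
    return int(link_mbps * 1_000_000 // packet_bits)


def sizing_check(link_mbps: float, limits: DeviceLimits,
                 half_open_timeout_s: float = 30.0,
                 packet_bits: int = ETH_MIN_FRAME_BITS) -> dict:
    """Worst case: every minimum-size packet is a SYN that opens a new
    half-open table entry which lives for `half_open_timeout_s` seconds."""
    pps = worst_case_pps(link_mbps, packet_bits)
    # Steady-state population of half-open entries = arrival rate x lifetime.
    steady_state_half_open = pps * half_open_timeout_s
    return {
        "worst_case_pps": pps,
        "cps_limit_exceeded": pps > limits.conn_per_sec,
        "steady_state_half_open": steady_state_half_open,
        "table_exhausted": steady_state_half_open > limits.concurrent_conns,
        # How long a flood at this rate takes to fill an empty table.
        "seconds_to_fill_table": limits.concurrent_conns / pps if pps else float("inf"),
    }


if __name__ == "__main__":
    print(f"5,000 min-size pps = {rate_mbps(5_000):.2f} Mbit/s")
    for link in (2.0, 3.0, 10.0):
        r = sizing_check(link, UNITY_50_AS_QUOTED)
        print(f"{link:5.1f} Mbit/s link: {r['worst_case_pps']:>6} pps, "
              f"cps exceeded={r['cps_limit_exceeded']}, "
              f"table full in {r['seconds_to_fill_table']:.2f}s")
```

Run stand-alone it prints 2.56 Mbit/s for 5,000 minimum-size packets per second, and shows that a 3 Mbit/s link of minimum-size packets (5,859 pps) already passes the quoted 5,000 connections-per-second figure. The point the extra calculation makes is that the per-second figure is not the only constraint: a 2 Mbit/s link stays under the connection-rate ceiling, yet an all-SYN stream at that rate fills a 5,000-entry table in about 1.3 seconds unless the device ages half-open entries far faster than the assumed 30 seconds. Kurt's objection still stands for normal traffic, where packets are not connections; the function deliberately models only the pathological case Matt is sizing for.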
Current thread:
- location of an IPS Doug Fox (Oct 19)
- Re: location of an IPS Kurt Seifried (Oct 20)
- Re: location of an IPS FinAckSyn (Oct 20)
- Re: location of an IPS Kurt Seifried (Oct 21)
- Re: location of an IPS FinAckSyn (Oct 21)
- Re: location of an IPS Kurt Seifried (Oct 21)
- Re: location of an IPS Paul Schmehl (Oct 20)
- Re: location of an IPS ilaiy (Oct 21)
- Re: location of an IPS Seek Knowledge (Oct 21)
- <Possible follow-ups>
- RE: location of an IPS Gary Halleen (ghalleen) (Oct 20)
- RE: location of an IPS Derick Anderson (Oct 20)
- RE: location of an IPS Swift, David (Oct 20)
- RE: location of an IPS kgeorgiades (Oct 20)
- RE: location of an IPS Bourque Daniel (Oct 21)
- Re: Re: location of an IPS asalo (Oct 21)