Re: IPS - Cisco vs. McAfee vs. Tippingpoint

[Trygve Aasheim <trygve () pogostick net>]

Hurgel Bumpf skrev:
> Hi List,
>
> i need to protect a "realtime" website with an inline IPS from (D)DOS attacks.

An IPS is not the solution if this is just to protect against DDoS, as 
many are saying already.
It is to close to your infrastructure...

> I had some bad experience with Tippingpoint UnityOne 2400 field test. The device dropped to much sessions until all connectivity was lost. 
> After that no investigation was not possible as TP logs all attack information with IP address 0.0.0.0 

What "DDoS" filter gave you these hits? What was the test?
Doesn't sound like the attack was an application level attack, but more 
like a network attack...which, as I say above, an IPS won't help you 
with, since your connections are clogged anyway.

> The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would 
> lead to delayed packages)
>
> This is unacceptable.
>
> i'm now looking forward to test a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance. 
>
> Who has a good/bad experience with that devices? Is it true that all devices don't log ip adresses?

In some scenarios, the inline devices are having issues with logging 
IPs. Just like you will have issues going through all IPs in a bot net 
DDoS attack as well. And what do you need the IPs for? Do you have the 
man power to go through several thousand IPs?  ;)

> My dream appliance would be able to run like in a 7 day learning mode which counts max new sessions per second, max 
> sessions per client aso. After this 7 days it creates a filter with +x% of the learned values and sets these limits 
> active.
>
> A big problem is that i have to install it into the productive system to get the real values. I dont have any fixed values regarding the new sessions per second and i cant just guess and set values and render the system offline. 

http://netoptics.com/ or 
http://www.vssmonitoring.com/products/overview.asp might help you with 
this. You can get your solution to look at the real traffic without 
interfering.

> All information is highly appreciated!
>
> Thank you very much for your time,
>
> Andre

If you are affraid of network based DDoS attacks, talk to your ISP to 
see what services they are offering, or look at a netflow solution and 
see if you can do something with BGP in your infrastructure.

If you are affraid of application level based DDoS, an IPS or 
Application Firewall might help, though I've heard stories of 
configuration nightmares with the latter ones.

But it is very rare that you'll find the solution to DDoS threats with a 
box on the wire by itself...




>       
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
> on your web server, you can securely collect sensitive information online, and increase business by giving your 
> customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194