IDS mailing list archives
Re: IPS - Cisco vs. McAfee vs. Tippingpoint
From: Laurens Vets <laurens () daemon be>
Date: Thu, 30 Jul 2009 21:52:56 +0200
Hello Andre,
> So, how did you do your deployment, and which product did you choose and why? :)
I work for an MSSP, we mostly deploy Cisco and Proventia (sometimes others, depending on the customer preference). Management is done via a custom solution :) The why is because our customers ask for it :)
Kind regards, Laurens
--- Laurens Vets <laurens () daemon be> wrote on Wed, 29.7.2009:

> From: Laurens Vets <laurens () daemon be>
> Subject: Re: IPS - Cisco vs. McAfee vs. Tippingpoint
> To: focus-ids () securityfocus com
> CC: "Hurgel Bumpf" <l0rd_lunatic () yahoo com>
> Date: Wednesday, 29 July 2009, 11:55
>
> Hey Andre,
>
> > I need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
>
> That's going to be tough with an IPS...
>
> > I had some bad experience with a Tippingpoint UnityOne 2400 field test. The device dropped too many sessions until all connectivity was lost. After that no investigation was possible, as TP logs all attack information with IP address 0.0.0.0 (the vendor excused this with the layered technology; passing the IP address from the hardware to the logger would lead to delayed packets) and a McAfee Network Security 4050 appliance. This is unacceptable. I'm now looking forward to testing a Cisco IPS 4270-20. Who has good/bad experience with those devices? Is it true that all devices don't log IP addresses?
>
> If you want to block a DDOS with an IPS, good luck with that :) Normally, most devices do log source and destination addresses. However, depending on the alert generated by the IPS, you still might see 0.0.0.0 as source for instance. This means that the alert triggered with a lot of different source addresses.
>
> > My dream appliance would be able to run in a 7-day learning mode which counts max new sessions per second, max sessions per client and so on. After these 7 days it creates a filter with +x% of the learned values and sets these limits active.
>
> I don't think any of the systems mentioned above can actually do this. I'll talk in general terms as I only have experience with Cisco (and other IPSes you didn't mention). IPSes inspect traffic for defined patterns in that traffic. They will generally see that there's a lot of traffic when there's a (D)DOS (and can report some of it, e.g. it will notice a SYN flood), but if the traffic is legitimate (e.g. 'normal' HTTP requests to http://company.com, but coming from a lot of different sources) it won't "see" anything bad and can't take action on this traffic. I don't think a Cisco IPS can do statistical analysis of the traffic (e.g. "alert when this type of traffic has an 80% increase over the last 2 hours"). If an IPS sees too many packets to process (legitimate or not), it will either drop them or pass them unanalyzed.
>
> > A big problem is that I have to install it into the productive system to get the real values. I don't have any fixed values regarding the new sessions per second and I can't just guess and set values and render the system offline.
>
> Most inline IPSes can be put inline without actually blocking anything, usually called learning mode or monitoring mode.
>
> Hope this helps a bit.
>
> -Laurens
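The learning-mode appliance Andre wishes for, and the aggregated 0.0.0.0 alert Laurens explains, as an added Python example that is not part of this thread and not any vendor's product code: it observes a constructed connection log during a learning window, records the peak new-sessions-per-second and the peak sessions from a single client per second, derives enforcement thresholds with a +x% margin, then replays an enforcement-phase log against them. The (timestamp, client IP) record format, the per-client-per-second reading of "max sessions per client", the 50% margin and all addresses are assumptions made for illustration.

```python
"""Added example (not from the thread or any vendor): a baseline-and-threshold
session limiter in the style of the 'learning mode' Andre describes.
All log records are constructed; the (timestamp_seconds, client_ip) record
format, the margin and the addresses are assumptions made for illustration."""
from __future__ import annotations
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable

Record = tuple[int, str]  # (timestamp in whole seconds, client IP) per new session


@dataclass(frozen=True)
class Limits:
    max_new_per_second: int         # all clients combined
    max_per_client_per_second: int  # single source address (assumed meaning of "per client")


def learn_baseline(records: Iterable[Record]) -> Limits:
    """Learning mode: record the peak rates observed without blocking anything."""
    per_second: Counter[int] = Counter()
    per_client_second: Counter[tuple[int, str]] = Counter()
    for ts, ip in records:
        per_second[ts] += 1
        per_client_second[(ts, ip)] += 1
    return Limits(max(per_second.values(), default=0),
                  max(per_client_second.values(), default=0))


def derive_thresholds(learned: Limits, margin_pct: float) -> Limits:
    """The '+x%' step: each threshold is the learned peak scaled by (1 + x/100),
    rounded up, with a floor of 1 so an empty learning window cannot block everything."""
    scale = 1.0 + margin_pct / 100.0
    return Limits(max(1, math.ceil(learned.max_new_per_second * scale)),
                  max(1, math.ceil(learned.max_per_client_per_second * scale)))


def enforce(records: Iterable[Record], limits: Limits) -> list[dict]:
    """Replay records against the thresholds and return alerts.
    A single source over its limit yields a per-client alert carrying its address;
    exceeding the global limit yields one aggregate alert whose src is 0.0.0.0,
    the convention Laurens describes for alerts that trigger on many sources at once."""
    by_second: dict[int, list[str]] = defaultdict(list)
    for ts, ip in records:
        by_second[ts].append(ip)
    alerts: list[dict] = []
    for ts in sorted(by_second):
        ips = by_second[ts]
        counts = Counter(ips)
        for ip, n in counts.items():
            if n > limits.max_per_client_per_second:
                alerts.append({"ts": ts, "type": "per-client", "src": ip, "count": n})
        if len(ips) > limits.max_new_per_second:
            alerts.append({"ts": ts, "type": "global", "src": "0.0.0.0",
                           "count": len(ips), "distinct_sources": len(counts)})
    return alerts


# Constructed learning-window log: seconds 0-5, normal browsing from a few clients.
LEARNING_LOG: list[Record] = [
    (0, "10.0.0.1"), (0, "10.0.0.2"), (1, "10.0.0.3"),
    (2, "10.0.0.1"), (2, "10.0.0.1"), (2, "10.0.0.4"),
    (3, "10.0.0.2"), (4, "10.0.0.5"), (4, "10.0.0.5"), (5, "10.0.0.1"),
]

# Constructed enforcement-phase log: one noisy client at second 10, then a burst
# of ten distinct sources at second 11 (the distributed case), then quiet.
ENFORCEMENT_LOG: list[Record] = (
    [(10, "10.0.0.1")] * 4
    + [(11, f"10.0.1.{i}") for i in range(1, 11)]
    + [(12, "10.0.0.2"), (12, "10.0.0.2")]
)


def run_demo(margin_pct: float = 50.0) -> tuple[Limits, Limits, list[dict]]:
    """Learn from LEARNING_LOG, derive thresholds, replay ENFORCEMENT_LOG."""
    learned = learn_baseline(LEARNING_LOG)
    limits = derive_thresholds(learned, margin_pct)
    return learned, limits, enforce(ENFORCEMENT_LOG, limits)


if __name__ == "__main__":
    learned, limits, alerts = run_demo()
    print("learned peaks:", learned)
    print("thresholds (+50%):", limits)
    for a in alerts:
        print(a)
```

With the constructed data the learning window peaks at 3 new sessions per second and 2 from one client per second; a 50% margin turns those into limits of 5 and 3. The replay then produces exactly the two alert shapes discussed in the thread: a per-client alert naming 10.0.0.1 at second 10, and an aggregate alert with src 0.0.0.0 at second 11, where ten distinct sources each opened one session and no single address did anything unusual, which is why per-source limits alone miss the distributed case.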