Re: IPS comparison

[Joey Peloquin <joeyp () cotse net>]

Gregory D. McPhee wrote:

> TippingPoint is signature based, catches want is known to be bad.
>
>
>  
I'm evaluating TippingPoint's device right now, and that's not entirely 
true.  The only *static* signatures used are the AV, Spyware, IM, and 
P2P filters.  Everything else is anomaly-based, through the use of 
regex, and the vulnerabilities themselves.  This is why TP claims the 
ability to stop so-called 0-day attacks.

In fact all vendors who claim the ability to stop 0-day attacks do so 
because they are supposed to be filtering on the vulnerability, not an 
exploit signature, static packet anomaly, etc.  Another characteristic 
of these devices is the fact that they do "deep packet inspection", 
rather than a protcol decode and "best guess" based on irregularities in 
the way it's supposed to function.

To the original poster, I'd suggest getting people from the network and 
security side together (if it's not the same people) and discuss *your* 
requirements in a device.  Come up with a list of 10-15 vendors (easily 
done with the wealth of information already posted to the list), send 
out an RFI, and grade their responses against your requirements.  Bring 
the top four in for their presentations, then select the top two to go 
head-to-head.

The testing methodology you use with your finalists would consist of a 
mish-mash of networking and security tests including latency 
measurements, failover, blocking ability under 100% utilization - while 
pushing an update, attacker | victim scenarios using tools like 
metasploit and manual techniques-both with and without load, and 
fragmented attacks using fragroute-with and without load, etc.

Don't forget to get some live pcap captures from your edge, too, so you 
get a peek at what you already know is out there ;)

Good Luck...Joey