[Fwd: Re: tippingpoint]

[Geoff <gpoer () arizona edu>]

Thanks Marc. Not to get to much into tipping point sales speak but we through
200,000 concurrent connections and about 9,000 session establishments per sec at
the box and it did not fall over. The rough numbers we generated for blocking
per sec where 265 packets per sec (dropped and blocks written to the
interfaces). Besides a hardware problem with a miniGbic, we didn't even get it
to hiccup much less fall over. The signature detection is (hear comes the sales
speak) all ASIC based. I will leave that for what it is because I don't know
enough to really talk about the benefits of different hardware architectures.
But it is fast!

Please don't get me wrong. This is not a replacement for IDS. Even the sales guy
from tipping point told me that :). Deep packet inspection and data correlation
are a slow process and better suited to "off" line number crunching (ie. IDS).

Geoff

Marc Quibell wrote:
> Sounds like you have a well thought-out implemetation Geoff. My greatest "fear"
> of IPSes is the fact that placing a device in your network, towards the "top"
> (where all traffic goes thru), a device that has to read the entire contents of
> a packet (not just the headers)....ewwww...scary. I suppose it's no different
> than a Layer 7 firewall, but I would be more confortable going with a mature and
> real-world tested product, like maybe a cisco product. I gotta let you know
> though that we're an ISS shop and we're looking at Proventia real close!
> Currently we use host-based protection, but not on everything. I also use Snort.
> Thanks.
>
> Marc
>
>
>
>
>
>
>
> gpoer () arizona edu on 10/16/2003 08:14:03 PM
>
> To:   Marc Quibell/FBFS@FBFS
> cc:
>
> Subject:  Re: [Snort-users] tippingpoint
>
>
>
> Ok had to respond to this one :)
>
>  > IPS right now is too dangerous to implement. No one in their right mind would
>  > risk the network outages caused by vulnerable IPSes.
>
> Their are plenty of companies running IPS and running it successfully.
> Implementation of an IPS requires that you only implement signatures that have a
> VERY low rate of false positive or traffic that you just flat out don't care if
> it gets dropped. For example: In our testing we dropped ICMP stacheldraht Agent
> to Server Hello packets. It is a very easy sig to spot. the word
> "skillz" inside an ICMP echo reply packet. Rarely are we going to see that one
> in the wild with Business critical traffic. We also dropped ICMP Welchia
> packets, they consist of an echo request with 64 A's. A well known false
> positive for that signature is the Yahoo keep alive packets for Instant
> Messenger. We made the decision that we simply do not care about that traffic.
>
> While I will agree that the Gartner group needs to reevaluate their system for
> recommendations concerning technology. (don't just ask your customers, try
> asking some well established experts) That doesn't mean that IPS is the next
> coming of the anti-christ either (martha steward being the 1st).
>
> Geoff
>
>
>
> Marc Quibell wrote:
>
> > What about it? Who cares what Gartner says? They have no idea what they're
> > talking about, and the clown who wrote that artcle was discredited by IDS
>
> pros,
>
> > when he was forced to confront them. He says IDS is dead because it was
>
> useless
>
> > (too many false alerts [bullcrap, we don't have any], not Gigabit capable
> > [another lie]), not because HIDS was better. Security in layers, this is what
> > it's all about. HIDS is good too. But HIDS don't make IDS dead! He's in his
> > Ivory tower being paid to discredit IDS. Do you really think these people who
> > write these criticizms actually use the product? NO! He also said IDS was not
>
> an
>
> > auditing tool, but was shot down on that issue too, because it is.
> >
> > Policy Auditing is what it's used for as well, "How many of our users are
>
> using
>
> > Kazaa?" -or- "Look at all of our users compromising our network by using
> > GotoMyPc!"
> >
> > What's really cool is using Crystal Reports with the Snort database..YEAH! Do
> > THAT with IPS!
> >
> > IPS right now is too dangerous to implement. No one in their right mind would
> > risk the network outages caused by vulnerable IPSes.
> >
> > Cheese
> >
> > Marc
> >
> >
> > Message: 11
> > Subject: RE: [Snort-users] tippingpoint
> > Date: Thu, 16 Oct 2003 10:34:16 -0400
> > From: "Rich Stryker" <rstryker () virtuallearning net>
> > To: <snort-users () lists sourceforge net>
> >
> > Here is a report by the Gartner Group. It says IDS has been a complete =
> > failure and the host based IDS systems are the way to go until the new =
> > generation firewalls come out.
> >
> > http://techrepublic.com.com/5100-6298-5078279.html
> >
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: SF.net Giveback Program.
> > SourceForge.net hosts over 70,000 Open Source Projects.
> > See the people who have HELPED US provide better services:
> > Click here: http://sourceforge.net/supporters.php
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.net email sponsored by: Enterprise Linux Forum Conference & Expo
The Event For Linux Datacenter Solutions & Strategies in The Enterprise 
Linux in the Boardroom; in the Front Office; & in the Server Room 
http://www.enterpriselinuxforum.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users