Snort mailing list archives
[Fwd: Re: tippingpoint]
From: Geoff <gpoer () arizona edu>
Date: Fri, 17 Oct 2003 10:55:06 -0700
Thanks Marc. Not to get to much into tipping point sales speak but we through 200,000 concurrent connections and about 9,000 session establishments per sec at the box and it did not fall over. The rough numbers we generated for blocking per sec where 265 packets per sec (dropped and blocks written to the interfaces). Besides a hardware problem with a miniGbic, we didn't even get it to hiccup much less fall over. The signature detection is (hear comes the sales speak) all ASIC based. I will leave that for what it is because I don't know enough to really talk about the benefits of different hardware architectures. But it is fast! Please don't get me wrong. This is not a replacement for IDS. Even the sales guy from tipping point told me that :). Deep packet inspection and data correlation are a slow process and better suited to "off" line number crunching (ie. IDS). Geoff Marc Quibell wrote:
Sounds like you have a well thought-out implemetation Geoff. My greatest "fear" of IPSes is the fact that placing a device in your network, towards the "top" (where all traffic goes thru), a device that has to read the entire contents of a packet (not just the headers)....ewwww...scary. I suppose it's no different than a Layer 7 firewall, but I would be more confortable going with a mature and real-world tested product, like maybe a cisco product. I gotta let you know though that we're an ISS shop and we're looking at Proventia real close! Currently we use host-based protection, but not on everything. I also use Snort. Thanks. Marc gpoer () arizona edu on 10/16/2003 08:14:03 PM To: Marc Quibell/FBFS@FBFS cc: Subject: Re: [Snort-users] tippingpoint Ok had to respond to this one :) > IPS right now is too dangerous to implement. No one in their right mind would > risk the network outages caused by vulnerable IPSes. Their are plenty of companies running IPS and running it successfully. Implementation of an IPS requires that you only implement signatures that have a VERY low rate of false positive or traffic that you just flat out don't care if it gets dropped. For example: In our testing we dropped ICMP stacheldraht Agent to Server Hello packets. It is a very easy sig to spot. the word "skillz" inside an ICMP echo reply packet. Rarely are we going to see that one in the wild with Business critical traffic. We also dropped ICMP Welchia packets, they consist of an echo request with 64 A's. A well known false positive for that signature is the Yahoo keep alive packets for Instant Messenger. We made the decision that we simply do not care about that traffic. While I will agree that the Gartner group needs to reevaluate their system for recommendations concerning technology. (don't just ask your customers, try asking some well established experts) That doesn't mean that IPS is the next coming of the anti-christ either (martha steward being the 1st). Geoff Marc Quibell wrote:What about it? Who cares what Gartner says? They have no idea what they're talking about, and the clown who wrote that artcle was discredited by IDSpros,when he was forced to confront them. He says IDS is dead because it wasuseless(too many false alerts [bullcrap, we don't have any], not Gigabit capable [another lie]), not because HIDS was better. Security in layers, this is what it's all about. HIDS is good too. But HIDS don't make IDS dead! He's in his Ivory tower being paid to discredit IDS. Do you really think these people who write these criticizms actually use the product? NO! He also said IDS was notanauditing tool, but was shot down on that issue too, because it is. Policy Auditing is what it's used for as well, "How many of our users areusingKazaa?" -or- "Look at all of our users compromising our network by using GotoMyPc!" What's really cool is using Crystal Reports with the Snort database..YEAH! Do THAT with IPS! IPS right now is too dangerous to implement. No one in their right mind would risk the network outages caused by vulnerable IPSes. Cheese Marc Message: 11 Subject: RE: [Snort-users] tippingpoint Date: Thu, 16 Oct 2003 10:34:16 -0400 From: "Rich Stryker" <rstryker () virtuallearning net> To: <snort-users () lists sourceforge net> Here is a report by the Gartner Group. It says IDS has been a complete = failure and the host based IDS systems are the way to go until the new = generation firewalls come out. http://techrepublic.com.com/5100-6298-5078279.html ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.net email sponsored by: Enterprise Linux Forum Conference & ExpoThe Event For Linux Datacenter Solutions & Strategies in The Enterprise Linux in the Boardroom; in the Front Office; & in the Server Room http://www.enterpriselinuxforum.com
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- [Fwd: Re: tippingpoint] Geoff (Oct 17)
- Re: [Fwd: Re: tippingpoint] Josh Berry (Oct 17)
- Re: [Fwd: Re: tippingpoint] Geoff (Oct 17)
- Re: [Fwd: Re: tippingpoint] Gary Flynn (Oct 17)
- Re: [Fwd: Re: tippingpoint] Geoff (Oct 17)
- <Possible follow-ups>
- RE: [Fwd: Re: tippingpoint] Bob Walder (Oct 17)
- Re: [Fwd: Re: tippingpoint] Josh Berry (Oct 17)