Re: [Fwd: Re: tippingpoint]

["Josh Berry" <josh.berry () netschematics com>]

What tools did you use to test these concurrent connections?  I am
currently looking for a good product to test the validity of vendors data
sheets (in other words when they say it handles 100,000 connections per
second I want to verify that it really does).


> Thanks Marc. Not to get to much into tipping point sales speak but we
> through
> 200,000 concurrent connections and about 9,000 session establishments per
> sec at
> the box and it did not fall over. The rough numbers we generated for
> blocking
> per sec where 265 packets per sec (dropped and blocks written to the
> interfaces). Besides a hardware problem with a miniGbic, we didn't even
> get it
> to hiccup much less fall over. The signature detection is (hear comes the
> sales
> speak) all ASIC based. I will leave that for what it is because I don't
> know
> enough to really talk about the benefits of different hardware
> architectures.
> But it is fast!
>
> Please don't get me wrong. This is not a replacement for IDS. Even the
> sales guy
> from tipping point told me that :). Deep packet inspection and data
> correlation
> are a slow process and better suited to "off" line number crunching (ie.
> IDS).
>
> Geoff
>
> Marc Quibell wrote:
> > Sounds like you have a well thought-out implemetation Geoff. My greatest
> > "fear"
> > of IPSes is the fact that placing a device in your network, towards the
> > "top"
> > (where all traffic goes thru), a device that has to read the entire
> > contents of
> > a packet (not just the headers)....ewwww...scary. I suppose it's no
> > different
> > than a Layer 7 firewall, but I would be more confortable going with a
> > mature and
> > real-world tested product, like maybe a cisco product. I gotta let you
> > know
> > though that we're an ISS shop and we're looking at Proventia real close!
> > Currently we use host-based protection, but not on everything. I also
> > use Snort.
> > Thanks.
> >
> > Marc
> >
> >
> >
> >
> >
> >
> >
> > gpoer () arizona edu on 10/16/2003 08:14:03 PM
> >
> > To:   Marc Quibell/FBFS@FBFS
> > cc:
> >
> > Subject:  Re: [Snort-users] tippingpoint
> >
> >
> >
> > Ok had to respond to this one :)
> >
> >  > IPS right now is too dangerous to implement. No one in their right
> > mind would
> >  > risk the network outages caused by vulnerable IPSes.
> >
> > Their are plenty of companies running IPS and running it successfully.
> > Implementation of an IPS requires that you only implement signatures
> > that have a
> > VERY low rate of false positive or traffic that you just flat out don't
> > care if
> > it gets dropped. For example: In our testing we dropped ICMP
> > stacheldraht Agent
> > to Server Hello packets. It is a very easy sig to spot. the word
> > "skillz" inside an ICMP echo reply packet. Rarely are we going to see
> > that one
> > in the wild with Business critical traffic. We also dropped ICMP Welchia
> > packets, they consist of an echo request with 64 A's. A well known false
> > positive for that signature is the Yahoo keep alive packets for Instant
> > Messenger. We made the decision that we simply do not care about that
> > traffic.
> >
> > While I will agree that the Gartner group needs to reevaluate their
> > system for
> > recommendations concerning technology. (don't just ask your customers,
> > try
> > asking some well established experts) That doesn't mean that IPS is the
> > next
> > coming of the anti-christ either (martha steward being the 1st).
> >
> > Geoff
> >
> >
> >
> > Marc Quibell wrote:
> >
> > > What about it? Who cares what Gartner says? They have no idea what
> > > they're
> > > talking about, and the clown who wrote that artcle was discredited by
> > > IDS
> >
> > pros,
> >
> > > when he was forced to confront them. He says IDS is dead because it was
> >
> > useless
> >
> > > (too many false alerts [bullcrap, we don't have any], not Gigabit
> > > capable
> > > [another lie]), not because HIDS was better. Security in layers, this is
> > > what
> > > it's all about. HIDS is good too. But HIDS don't make IDS dead! He's in
> > > his
> > > Ivory tower being paid to discredit IDS. Do you really think these
> > > people who
> > > write these criticizms actually use the product? NO! He also said IDS
> > > was not
> >
> > an
> >
> > > auditing tool, but was shot down on that issue too, because it is.
> > >
> > > Policy Auditing is what it's used for as well, "How many of our users
> > > are
> >
> > using
> >
> > > Kazaa?" -or- "Look at all of our users compromising our network by using
> > > GotoMyPc!"
> > >
> > > What's really cool is using Crystal Reports with the Snort
> > > database..YEAH! Do
> > > THAT with IPS!
> > >
> > > IPS right now is too dangerous to implement. No one in their right mind
> > > would
> > > risk the network outages caused by vulnerable IPSes.
> > >
> > > Cheese
> > >
> > > Marc
> > >
> > >
> > > Message: 11
> > > Subject: RE: [Snort-users] tippingpoint
> > > Date: Thu, 16 Oct 2003 10:34:16 -0400
> > > From: "Rich Stryker" <rstryker () virtuallearning net>
> > > To: <snort-users () lists sourceforge net>
> > >
> > > Here is a report by the Gartner Group. It says IDS has been a complete =
> > > failure and the host based IDS systems are the way to go until the new =
> > > generation firewalls come out.
> > >
> > > http://techrepublic.com.com/5100-6298-5078279.html
> > >
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.net email is sponsored by: SF.net Giveback Program.
> > > SourceForge.net hosts over 70,000 Open Source Projects.
> > > See the people who have HELPED US provide better services:
> > > Click here: http://sourceforge.net/supporters.php
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> -------------------------------------------------------
> This SF.net email sponsored by: Enterprise Linux Forum Conference & Expo
> The Event For Linux Datacenter Solutions & Strategies in The Enterprise
> Linux in the Boardroom; in the Front Office; & in the Server Room
> http://www.enterpriselinuxforum.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com



-------------------------------------------------------
This SF.net email sponsored by: Enterprise Linux Forum Conference & Expo
The Event For Linux Datacenter Solutions & Strategies in The Enterprise 
Linux in the Boardroom; in the Front Office; & in the Server Room 
http://www.enterpriselinuxforum.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users