RE: Network hardware IPS

From: Bob Walder (bwalder_at_spamcop.net)
Date: 09/30/03

  • Next message: Cory Stoker: "Re: Network hardware IPS"
    To: "'Alvin Wong'" <alvin.wong@b2b.com.my>
    Date: Tue, 30 Sep 2003 18:17:09 +0200
    
    

    Well inasmuch as the report is not ready RIGHT NOW this is probably not
    what you want to hear... But.... We are currently testing a whole bunch
    of these IPS doohickeys and the report - including exactly the test
    results you are seeking (amongst many others), will be published in
    December.

    In the meantime, check out our latest IDS reports at www.nss.co.uk/ids
    and www.nss.co.uk/gigabitids

    Regards,

    Bob Walder
    Director
    The NSS Group


    >> -----Original Message-----
    >> From: Alvin Wong [mailto:alvin.wong@b2b.com.my]
    >> Sent: 30 September 2003 03:46
    >> To: Jake Babbin
    >> Cc: JAVIER OTERO; focus-ids@securityfocus.com
    >> Subject: Network hardware IPS
    >>
    >>
    >> Hi,
    >>
    >> Thanks for the recommendations. I'm concerned about
    >> performance issues when an IPS is plugged in. Are there any
    >> statistics by any independent reviewer about performance
    >> hits inline, as I believe this would be an important issue?
    >>
    >> It would be good if there were any reviews that would include
    >> graphs and performance deterioration in terms of throughput
    >> performance after an IPS has been put in.
    >>
    >> What would be interesting though is whether the IPS fulfills
    >> the expected requirements which primarily to me is to do a
    >> good job in dealing with potential attacks and allow the
    >> administrator more time in other tasks.
    >>
    >> To me, the prospect of using IDS and reviewing logs every day
    >> seems like a very time-consuming prospect. Any opinions on
    >> this from any who are currently in such a situation?
    >>
    >> I've evaluated some IDS products and felt that the
    >> management console is taking up a lot of resources
    >> especially when it is extracting data from the IDS appliance
    >> and refreshing constantly, any similar experiences?
    >>
    >> Also, my question to any is the following:
    >> "One note of caution on TCP Reset is not a preferred method
    >> of blocking attacks according to some security experts." - Alan Shimel
    >>
    >> Why isn't TCP reset a preferred method of blocking?
    >>
    >> Regards,
    >> Alvin
    >>
    >> On Tue, 2003-09-30 at 06:24, Jake Babbin wrote:
    >> > Sure Netscreen is a good choice if you like up to 40% performance drop
    >> > inline!
    >> >
    >> >
    >> > ----- Original Message -----
    >> > From: "JAVIER OTERO" <jotero@SMARTEKH.com>
    >> > To: "Alvin Wong" <alvin.wong@b2b.com.my>;
    >> > <focus-ids@securityfocus.com>
    >> > Sent: Monday, September 29, 2003 12:02 PM
    >> > Subject: RE: Network hardware IPS
    >> >
    >> >
    >> > Netscreen IDP is a good product, uses 8 mechanisms for detection, 3
    >> > models (small, medium and large), 3 active modes plus 1 passive (like
    >> > IDS)
    >> >
    >> > Ing. Fco. Javier Otero De Alba
    >> > Diploma in Information Security, ITESM CEM
    >> > Grupo Smartekh
    >> > Antivirus Expertos
    >> > Bussiness Continuity
    >> > Inftegrity
    >> > 5243-4782 to 84 Ext. 300
    >> > México, D.F.
    >> >
    >> >
    >> >
    >> > -----Original Message-----
    >> > From: Alvin Wong [mailto:alvin.wong@b2b.com.my]
    >> > Sent: Monday, September 29, 2003 03:31 a.m.
    >> > To: focus-ids@securityfocus.com
    >> > Subject: Network hardware IPS
    >> >
    >> >
    >> > Hi,
    >> >
    >> > I'm interested to find out if anyone can share their experiences or
    >> > recommend a network hardware IPS that is deployed in front of the
    >> > gateway which is able to detect attack signatures and at the same
    >> > time, actively blocking out these attacks, alerting me in the process.
    >> >
    >> > This would be different from a passive IDS which depends on
    >> > correlating the logs every time an alert pops up. An ideal solution
    >> > would be to be able to detect the patterns and prevent them
    >> > automatically, can a network IPS do this?
    >> >
    >> > I understand that it is possible in some IDS to do a TCP reset after
    >> > one had confirmed that the connection is not acceptable, can anyone
    >> > explain whether an IDS that can do this be actually "active" as
    >> > opposed to passive?
    >> >
    >> > It would also be interesting if there could be some amount of trend
    >> > analysis built in which can review the destination/source IP traffic
    >> > over time, which can be used to identify particular boxes which are
    >> > easily targeted, which would mean that more work needs to be done for
    >> > that box.
    >> >
    >> > Regards,
    >> > Alvin
    >> >
    >> >
    >> >
    >> >
    >> > ---------------------------------------------------------------------------
    >> > Captus Networks IPS 4000
    >> > Intrusion Prevention and Traffic Shaping Technology to:
    >> > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    >> > - Automatically Control P2P, IM and Spam Traffic
    >> > - Precisely Define and Implement Network Security & Performance Policies
    >> > FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    >> > http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
    >> > ---------------------------------------------------------------------------
    >> >
    >> >
    >> >
    >>


