Re: Network hardware IPS

From: Darren Bolding (darren_at_faucet.net)
Date: 10/02/03

    Date: Wed, 1 Oct 2003 22:21:50 +0000
    To: travis.alexander@lacamas.org
    
    

    Travis,

    My company recently evaluated a couple of IDS/IDP (etc.) products, and decided
    to implement the Netscreen IDPs.

    We deployed them in multiple locations and have been quite happy.

    During testing, I ran various tests against the IDPs and a few other
    vendors' products. In particular, I used Nessus as a typical baseline.

    An example test was to place my collection of desktops and non-production
    servers behind an IDP-100 in bridge mode. I then enabled the IDP to drop
    packets (I also experimented with sending RSTs as appropriate) and went
    about normal use for a week or so. No problems (and this was dropping all
    critical and "high" importance attacks) were experienced by myself or others
    using the servers.

    Then, I ran Nessus against the servers without the IDP dropping packets, and
    with it dropping packets (attacks). In the first case (no blocking) given
    that I had set things up intentionally insecure, Nessus found ~75
    vulnerabilities. Then I turned packet/attack dropping on and re-ran the test.

    That test revealed something like 8 "vulnerabilities" which were all of the
    vaguest sort- "You're running a webserver/ftp server", "You have IIS running,
    that's bad!" etc. No real attacks.

    I know that Nessus and other scanners don't by any means include the universe
    of attacks- but it was a decent baseline in my view. A comparison to a
    major routing vendor's IDS that we tested was favorable to Netscreen. While
    both systems detected the attacks, when in "protect" mode, the major vendor
    would issue shun/block commands to a firewall- Nessus found a number more
    vulnerabilities in that case. A system that controls other systems has to
    react to what it sees- that makes it hard, if not impossible, to catch that
    first packet. There are plenty of single-packet vulnerabilities out there.

    The logging is excellent, the GUI is very nice, and the attack database
    was better than other products I had seen (handy links to Bugtraq/CVE
    IDs).

    As a customer, support has been fast and effective- and yes, there have been
    issues that required support. If you aren't a UNIX person, these may be
    more significant. To me, they were more "duh, I should have known that"
    issues. Updates are every Thursday (and emergencies) and seem to be
    informative.

    We run a lot of protocols on non-standard ports, and can characterize
    innocent traffic fairly well in certain areas. The ability to apply signatures
    to non-standard ports, and to write custom signatures is significant.

    Perhaps the most useful feature I found was the highly context
    sensitive signatures- I can write signatures that check for a particular
    string in an ftp username for example. Since the rules are ordered, and
    can be terminal or non-terminal, that makes it possible to alarm on any
    userid except for a specific one (just an example, we don't do this).

    All in all, the product was good, and the support has been great. I value
    the sales/SE experience and find that it frequently correlates with how
    seriously a company will support you. Other than the dearth of swag,
    the Netscreen SE and reseller were excellent. I suspect you would get
    the same SE given your location.

    So, yes, we're quite happy with it, both in testing and in production.

    --D

    On Mon, Sep 29, 2003 at 12:55:47PM -0700, travis.alexander@lacamas.org wrote:
    > Has anyone had any personal experience with the NetScreen IDP products? Does
    > it live up the hype that is stated on their website? Does it truly work that
    > way they say? Thanks in advance for replies.
    >
    > Travis Alexander
    > Network Administrator
    > Lacamas Community Credit Union
    > 360-834-3611
    > http://www.lacamas.org
    >
    > -----Original Message-----
    > From: JAVIER OTERO [mailto:jotero@SMARTEKH.com]
    > Sent: Monday, September 29, 2003 9:02 AM
    > To: Alvin Wong; focus-ids@securityfocus.com
    > Subject: RE: Network hardware IPS
    >
    >
    > Netscreen IDP is a good product, uses 8 mechanisms for detection, 3 models
    > (small, medium and large), 3 active modes plus 1 passive (like IDS)
    >
    > Ing. Fco. Javier Otero De Alba
    > Diploma in Information Security, ITESM CEM
    > Grupo Smartekh
    > Antivirus Experts
    > Business Continuity
    > Integrity
    > 5243-4782 to 84 Ext. 300
    > México, D.F.
    >
    >
    >
    > -----Original Message-----
    > From: Alvin Wong [mailto:alvin.wong@b2b.com.my]
    > Sent: Monday, September 29, 2003 03:31 a.m.
    > To: focus-ids@securityfocus.com
    > Subject: Network hardware IPS
    >
    >
    > Hi,
    >
    > I'm interested to find out if anyone can share their experiences or
    > recommend a network hardware IPS that is deployed in front of the
    > gateway which is able to detect attack signatures and at the same time,
    > actively blocking out these attacks, alerting me in the process.
    >
    > This would be different from a passive IDS which depends on correlating
    > the logs every time an alert pops up. An ideal solution would be to be
    > able to detect the patterns and prevent them automatically, can a
    > network IPS do this?
    >
    > I understand that it is possible in some IDS to do a TCP reset after one
    > has confirmed that the connection is not acceptable; can anyone explain
    > whether an IDS that can do this is actually "active" as opposed to
    > passive?
    >
    > It would also be interesting if there could be some amount of trend
    > analysis built in which can review the destination/source ip traffic
    > over time, which can be used to identify particular boxes which are
    > easily targeted, which would mean that more work needs to be done for
    > that box.
    >
    > Regards,
    > Alvin
    >
    >
    >
    > ---------------------------------------------------------------------------
    > Captus Networks IPS 4000
    > Intrusion Prevention and Traffic Shaping Technology to:
    > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > - Automatically Control P2P, IM and Spam Traffic
    > - Precisely Define and Implement Network Security & Performance Policies
    > FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    > http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
    > ---------------------------------------------------------------------------
    >
    >

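Two points in the reply above lend themselves to a small model: the ordered, context-sensitive signatures (a terminal allow for one FTP username placed ahead of a broader "alarm on any USER" rule, and a non-terminal alarm that falls through to a drop), and the difference between an inline bridge that drops the offending packet itself and a sensor that reacts by telling a firewall to shun the source, which by construction forwards the first packet. The following Python is an added example written for this page; it is not Netscreen code and does not model the IDP's actual rule language. The rule names, hosts, payloads and the `allow`/`alarm`/`drop` actions are constructed for the illustration.

```python
"""
Toy model of an inline IPS versus a sensor that reactively shuns sources
through a firewall, using an ordered ruleset with terminal and non-terminal
rules. Hosts, rule names and payloads are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes  # application bytes carried in this one packet


@dataclass(frozen=True)
class Rule:
    name: str
    port: int
    match: Callable[[bytes], bool]
    action: str      # "allow", "alarm" or "drop"
    terminal: bool   # True: stop evaluating once this rule matches


def ftp_user(payload: bytes) -> Optional[bytes]:
    """Username from an FTP 'USER <name>' line, or None if not a USER command."""
    line = payload.split(b"\r\n", 1)[0]
    if line[:5].upper() == b"USER ":
        return line[5:].strip()
    return None


# Ordered ruleset. Rule 1 is a terminal allow for one account, so the broad
# "alarm on any FTP user" rule below never fires for it; rule 2 is non-terminal,
# so a root login both alarms and falls through to the terminal drop in rule 3.
RULES: List[Rule] = [
    Rule("ftp-user-allow-backup", 21, lambda p: ftp_user(p) == b"backup", "allow", True),
    Rule("ftp-user-any", 21, lambda p: ftp_user(p) is not None, "alarm", False),
    Rule("ftp-user-root", 21, lambda p: ftp_user(p) == b"root", "drop", True),
    Rule("http-dot-dot-slash", 80, lambda p: b"../" in p, "drop", True),
]


def evaluate(rules: List[Rule], pkt: Packet) -> List[Tuple[str, str]]:
    """Walk the rules in order, collecting (name, action) until a terminal rule matches."""
    hits = []
    for r in rules:
        if r.port == pkt.dst_port and r.match(pkt.payload):
            hits.append((r.name, r.action))
            if r.terminal:
                break
    return hits


def inline_ips(rules: List[Rule], packets: List[Packet]):
    """Bridge mode: a packet is forwarded only if no matching rule says drop."""
    delivered, alarms = [], []
    for pkt in packets:
        hits = evaluate(rules, pkt)
        alarms.extend(n for n, a in hits if a in ("alarm", "drop"))
        if not any(a == "drop" for _, a in hits):
            delivered.append(pkt)
    return delivered, alarms


def reactive_shun(rules: List[Rule], packets: List[Packet]):
    """Passive sensor plus firewall shun: the triggering packet has already been
    forwarded by the time the sensor reacts; only later packets from that
    source are blocked (including innocent ones)."""
    delivered, alarms, shunned = [], [], set()
    for pkt in packets:
        if pkt.src in shunned:
            continue
        delivered.append(pkt)
        hits = evaluate(rules, pkt)
        alarms.extend(n for n, a in hits if a in ("alarm", "drop"))
        if any(a == "drop" for _, a in hits):
            shunned.add(pkt.src)
    return delivered, alarms


# Constructed traffic sample: an allowed FTP login, an ordinary one, a one-packet
# HTTP traversal attempt followed by a benign request from the same source, and
# an FTP login as root.
SAMPLE = [
    Packet("10.0.0.5", 21, b"USER backup\r\n"),
    Packet("10.0.0.6", 21, b"USER alice\r\n"),
    Packet("192.0.2.9", 80, b"GET /../../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.9", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.6", 21, b"USER root\r\n"),
]


def compare(packets: List[Packet] = SAMPLE) -> dict:
    """Return what reached the servers and what alarmed under each model."""
    inline_seen, inline_alarms = inline_ips(RULES, packets)
    shun_seen, shun_alarms = reactive_shun(RULES, packets)
    return {
        "inline": [p.payload for p in inline_seen],
        "inline_alarms": inline_alarms,
        "reactive": [p.payload for p in shun_seen],
        "reactive_alarms": shun_alarms,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Both models raise the same alarms, but only the inline model stops the single-packet traversal request; the reactive model delivers it and then shuns the source, blocking the benign follow-up instead. The ordering also matters: moving `ftp-user-allow-backup` below `ftp-user-any` would make the backup account alarm like everyone else.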
