Re: Network hardware IPS
From: cheong frank (chocobofrank_at_hotmail.com)
Date: 10/03/03
- Previous message: Bradberry, John: "RE: port bonding and taps"
- Maybe in reply to: barking phrog: "Re: Network hardware IPS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: darren@faucet.net, travis.alexander@lacamas.org
Date: Fri, 03 Oct 2003 10:55:39 +0800
Dear all,
What about Fortinet? (http://www.fortinet.com/) It is an integrated IDP, firewall and antivirus appliance.
Also, what about Prelude IDS? (http://www.prelude-ids.org/) It seems like a good product which quite a lot of people recommend, with a good architecture.
Sorry, as I don't fully understand what an "inline" IDP is, I may not be right in recommending the above products.
I am also considering deploying an IDS or IDP on our network and am doing preliminary-stage evaluation. I would be glad if anyone could point me in the right direction.
Frank
>From: Darren Bolding <darren@faucet.net>
>To: travis.alexander@lacamas.org
>CC: jotero@SMARTEKH.com, alvin.wong@b2b.com.my,focus-ids@securityfocus.com
>Subject: Re: Network hardware IPS
>Date: Wed, 1 Oct 2003 22:21:50 +0000
>
>Travis,
>
>My company recently evaluated a couple of IDS/IDP (etc.) products, and decided
>to implement the Netscreen IDPs.
>
>We deployed them in multiple locations and have been quite happy.
>
>During testing, I ran various tests against the IDPs and a few other
>vendors' products. In particular, I used Nessus as a typical baseline.
>
>An example test was to place my collection of desktops and non-production
>servers behind an IDP-100 in bridge mode. I then enabled the IDP to drop
>packets (I also experimented with sending RSTs as appropriate) and went
>about normal use for a week or so. No problems (and this was dropping all
>critical and "high" importance attacks) were experienced by myself or others
>using the servers.
>
>Then, I ran Nessus against the servers without the IDP dropping packets, and
>with it dropping packets (attacks). In the first case (no blocking) given
>that I had set things up intentionally insecure, Nessus found ~75
>vulnerabilities. Then I turned packet/attack dropping on and re-ran the test.
>
>That test revealed something like 8 "vulnerabilities" which were all of the
>vaguest sort: "You're running a webserver/ftp server", "You have IIS running,
>that's bad!" etc. No real attacks.
>
>I know that Nessus and other scanners don't by any means include the universe
>of attacks, but it was a decent baseline in my view. A comparison to a
>major routing vendor's IDS that we tested was favorable to Netscreen. While
>both systems detected the attacks, when in "protect" mode the major vendor
>would issue shun/block commands to a firewall; Nessus found a number more
>vulnerabilities in that case. A system that controls other systems has to
>react to what it sees, which makes it hard, if not impossible, to catch that
>first packet. There are plenty of single-packet vulnerabilities out there.
>
>The logging is excellent, the GUI is very nice, and the attack database
>was better than other products I had seen (handy links to Bugtraq/CVE
>IDs).
>
>As a customer, support has been fast and effective, and yes, there have been
>issues that required support. If you aren't a UNIX person, these may be
>more significant. To me, they were more "duh, I should have known that"
>issues. Updates are every Thursday (and emergencies) and seem to be
>informative.
>
>We run a lot of protocols on non-standard ports, and can characterize
>innocent traffic fairly well in certain areas. The ability to apply signatures
>to non-standard ports, and to write custom signatures, is significant.
>
>
>Perhaps the most useful feature I found was the highly context
>sensitive signatures: I can write signatures that check for a particular
>string in an ftp username, for example. Since the rules are ordered, and
>can be terminal or non-terminal, that makes it possible to alarm on any
>userid except for a specific one (just an example, we don't do this).
>
>All in all, the product was good, and the support has been great. I value
>the sales/SE experience and find that it frequently correlates with how
>seriously a company will support you. Other than the dearth of swag,
>the Netscreen SE and reseller were excellent. I suspect you would get
>the same SE given your location.
>
>So, yes, we're quite happy with it, both in testing and in production.
>
>--D
>
>
>
>On Mon, Sep 29, 2003 at 12:55:47PM -0700, travis.alexander@lacamas.org wrote:
> > Has anyone had any personal experience with the NetScreen IDP products? Does
> > it live up to the hype that is stated on their website? Does it truly work the
> > way they say? Thanks in advance for replies.
> >
> > Travis Alexander
> > Network Administrator
> > Lacamas Community Credit Union
> > 360-834-3611
> > http://www.lacamas.org
> >
> > -----Original Message-----
> > From: JAVIER OTERO [mailto:jotero@SMARTEKH.com]
> > Sent: Monday, September 29, 2003 9:02 AM
> > To: Alvin Wong; focus-ids@securityfocus.com
> > Subject: RE: Network hardware IPS
> >
> >
> > Netscreen IDP is a good product, uses 8 mechanisms for detection, 3 models,
> > small, medium and large, 3 active modes plus 1 passive (like IDS)
> >
> > Ing. Fco. Javier Otero De Alba
> > Graduate Diploma in Information Security, ITESM CEM
> > Grupo Smartekh
> > Antivirus Experts
> > Business Continuity
> > Integrity
> > 5243-4782 to 84 Ext. 300
> > México, D.F.
> >
> >
> >
> > -----Original Message-----
> > From: Alvin Wong [mailto:alvin.wong@b2b.com.my]
> > Sent: Monday, September 29, 2003 03:31 a.m.
> > To: focus-ids@securityfocus.com
> > Subject: Network hardware IPS
> >
> >
> > Hi,
> >
> > I'm interested to find out if anyone can share their experiences or
> > recommend a network hardware IPS that is deployed in front of the
> > gateway, which is able to detect attack signatures and, at the same time,
> > actively block these attacks, alerting me in the process.
> >
> > This would be different from a passive IDS which depends on correlating
> > the logs every time an alert pops up. An ideal solution would be to be
> > able to detect the patterns and prevent them automatically; can a
> > network IPS do this?
> >
> > I understand that it is possible in some IDSs to do a TCP reset after one
> > has confirmed that the connection is not acceptable. Can anyone explain
> > whether an IDS that can do this would actually be "active" as opposed to
> > passive?
> >
> > It would also be interesting if there could be some amount of trend
> > analysis built in which can review the destination/source ip traffic
> > over time, which can be used to identify particular boxes which are
> > easily targeted, which would mean that more work needs to be done for
> > that box.
> >
> > Regards,
> > Alvin
> >
> >
> >
> > ---------------------------------------------------------------------------
> > Captus Networks IPS 4000
> > Intrusion Prevention and Traffic Shaping Technology to:
> > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> > - Automatically Control P2P, IM and Spam Traffic
> > - Precisely Define and Implement Network Security & Performance Policies
> > FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> > http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> > ---------------------------------------------------------------------------
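A worked illustration of the ordered, terminal/non-terminal signature evaluation Darren describes (alarm on any FTP userid except one permitted account), added here as an example; it is not code from this thread or from any Netscreen product, and the rule engine, rule names, the `backupsvc` account and the sample FTP commands are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample of FTP control-channel commands (client -> server), one per line.
SAMPLE_FTP_COMMANDS = ["USER backupsvc", "PASS hunter2", "USER anonymous", "USER root"]

@dataclass
class Rule:
    name: str
    match: Callable[[str, str], bool]  # (command, argument) -> matched?
    action: str                        # what the sensor does: "log", "allow" or "alarm"
    terminal: bool                     # True: stop evaluating further rules once matched

def parse_ftp_command(line: str) -> Tuple[str, str]:
    """Split 'USER alice' into ('USER', 'alice'); the argument may be empty."""
    parts = line.strip().split(None, 1)
    cmd = parts[0].upper() if parts else ""
    arg = parts[1] if len(parts) > 1 else ""
    return cmd, arg

def evaluate(rules: List[Rule], line: str) -> List[str]:
    """Walk the ordered rule list; record each hit; stop at the first terminal hit."""
    cmd, arg = parse_ftp_command(line)
    fired = []
    for rule in rules:
        if rule.match(cmd, arg):
            fired.append(f"{rule.name}:{rule.action}")
            if rule.terminal:
                break
    return fired

# Hypothetical service account that is the one permitted FTP login (constructed value).
ALLOWED_USER = "backupsvc"

# Order matters: the non-terminal audit rule sees every USER command, the specific
# allow rule ends evaluation for the permitted account, and the catch-all alarms on
# every other userid. Putting the catch-all first would alarm on the allowed account too.
RULES = [
    Rule("audit-user", lambda c, a: c == "USER", "log", terminal=False),
    Rule("allow-service-account", lambda c, a: c == "USER" and a == ALLOWED_USER, "allow", terminal=True),
    Rule("alarm-other-user", lambda c, a: c == "USER", "alarm", terminal=True),
]

def run(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Evaluate every line against the ordered rule set; [] means no rule fired."""
    return [(line, evaluate(RULES, line)) for line in lines]

if __name__ == "__main__":
    for line, verdicts in run(SAMPLE_FTP_COMMANDS):
        print(f"{line:<16} -> {verdicts}")
```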