Re: Network hardware IPS

From: cheong frank (chocobofrank_at_hotmail.com)
Date: 10/03/03

    To: darren@faucet.net, travis.alexander@lacamas.org
    Date: Fri, 03 Oct 2003 10:55:39 +0800
    
    

    Dear all,

    What about Fortinet (http://www.fortinet.com/)? It is an integrated IDP, firewall and antivirus appliance.

    Also, what about Prelude IDS (http://www.prelude-ids.org/)? It seems like a good product, which quite a lot of people recommend, with a good architecture.

    Sorry, as I don't fully understand what an "inline" IDP is, I may not be right in recommending the above products.

    I am also considering deploying an IDS or IDP on our network and am doing a preliminary-stage evaluation. I would be glad if anyone could point me in the right direction.

    Frank

    >From: Darren Bolding <darren@faucet.net>
    >To: travis.alexander@lacamas.org
    >CC: jotero@SMARTEKH.com, alvin.wong@b2b.com.my,focus-ids@securityfocus.com
    >Subject: Re: Network hardware IPS
    >Date: Wed, 1 Oct 2003 22:21:50 +0000
    >
    >Travis,
    >
    >My company recently evaluated a couple of IDS/IDP(etc) products, and decided
    >to implement the Netscreen IDP's.
    >
    >We deployed them in multiple locations and have been quite happy.
    >
    >During testing, I ran various tests against the IDP's and a few other
    >vendors products. In particular, I used Nessus as a typical baseline.
    >
    >An example test was to place my collection of desktops and non-production
    >servers behind an IDP-100 in bridge mode. I then enabled the IDP to drop
    >packets (I also experimented with sending RST's as appropriate) and went
    >about normal use for a week or so. No problems (and this was dropping all
    >critical and "high" importance attacks) were experienced by myself or others
    >using the servers.
    >
    >Then, I ran Nessus against the servers without the IDP dropping packets, and
    >with it dropping packets (attacks). In the first case (no blocking) given
    >that I had set things up intentionally insecure, Nessus found ~75
    >vulnerabilities. Then I turned packet/attack dropping on and re-ran the test.
    >
    >That test revealed something like 8 "vulnerabilities" which were all of the
    >vaguest sort- "You're running a webserver/ftp server", "You have IIS running,
    >that's bad!" etc. No real attacks.
    >
    >I know that Nessus and other scanners don't by any means include the universe
    >of attacks- but it was a decent baseline in my view. A comparison to a
    >major routing vendors IDS that we tested was favorable to Netscreen. While
    >both systems detected the attacks, when in "protect" mode, the major vendor
    >would issue shun/block commands to a firewall- Nessus found a number more
    >vulnerabilities in that case. A system that controls other systems has to
    >react to what it sees- that makes it hard, if not impossible, to catch that
    >first packet. There are plenty of single-packet vulnerabilities out there.
    >
    >The logging is excellent, the gui is very nice, and the attack database
    >was better than other products I had seen (handy links to Bugtraq/CVE
    >id's).
    >
    >As a customer, support has been fast and effective- and yes, there have been
    >issues that required support. If you aren't a UNIX person, these may be
    >more significant. To me, they were more "duh, I should have known that"
    >issues. Updates are every Thursday (and emergencies) and seem to be
    >informative.
    >
    >We run a lot of protocols on non-standard ports, and can characterize
    >innocent traffic fairly well in certain areas. The ability to apply signatures
    >to non-standard ports, and to write custom signatures is significant.
    >
    >
    >Perhaps the most useful feature I found was the highly context
    >sensitive signatures- I can write signatures that check for a particular
    >string in an ftp username for example. Since the rules are ordered, and
    >can be terminal or non-terminal, that makes it possible to alarm on any
    >userid except for a specific one (just an example, we don't do this).
    >
    >All in all, the product was good, and the support has been great. I value
    >the sales/SE experience and find that it frequently correlates with how
    >seriously a company will support you. Other than the dearth of swag,
    >the Netscreen SE and reseller were excellent. I suspect you would get
    >the same SE given your location.
    >
    >So, yes, we're quite happy with it, both in testing and in production.
    >
    >--D
    >
    >
    >
    >On Mon, Sep 29, 2003 at 12:55:47PM -0700, travis.alexander@lacamas.org wrote:
    > > Has anyone had any personal experience with the NetScreen IDP products? Does
    > > it live up the hype that is stated on their website? Does it truly work that
    > > way they say? Thanks in advance for replies.
    > >
    > > Travis Alexander
    > > Network Administrator
    > > Lacamas Community Credit Union
    > > 360-834-3611
    > > http://www.lacamas.org
    > >
    > > -----Original Message-----
    > > From: JAVIER OTERO [mailto:jotero@SMARTEKH.com]
    > > Sent: Monday, September 29, 2003 9:02 AM
    > > To: Alvin Wong; focus-ids@securityfocus.com
    > > Subject: RE: Network hardware IPS
    > >
    > >
    > > Netscreen IDP is a good product; it uses 8 mechanisms for detection, 3 models
    > > (small, medium and large), and 3 active modes plus 1 passive (like IDS).
    > >
    > > Ing. Fco. Javier Otero De Alba
    > > Diploma in Information Security, ITESM CEM
    > > Grupo Smartekh
    > > Antivirus Experts
    > > Business Continuity
    > > Integrity
    > > 5243-4782 to 84 Ext. 300
    > > México, D.F.
    > >
    > >
    > >
    > > -----Original Message-----
    > > From: Alvin Wong [mailto:alvin.wong@b2b.com.my]
    > > Sent: Monday, 29 September 2003 03:31 a.m.
    > > To: focus-ids@securityfocus.com
    > > Subject: Network hardware IPS
    > >
    > >
    > > Hi,
    > >
    > > I'm interested to find out if anyone can share their experiences or
    > > recommend a network hardware IPS that is deployed in front of the
    > > gateway which is able to detect attack signatures and at the same time,
    > > actively blocking out these attacks, alerting me in the process.
    > >
    > > This would be different from a passive IDS which depends on correlating
    > > the logs every time an alert pops up. An ideal solution would be to be
    > > able to detect the patterns and prevent them automatically, can a
    > > network IPS do this?
    > >
    > > I understand that it is possible in some IDS to do a TCP reset after one
    > > had confirmed that the connection is not acceptable, can anyone explain
    > > whether an IDS that can do this be actually "active" as opposed to
    > > passive?
    > >
    > > It would also be interesting if there could be some amount of trend
    > > analysis built in which can review the destination/source ip traffic
    > > over time, which can be used to identify particular boxes which are
    > > easily targeted, which would mean that more work needs to be done for
    > > that box.
    > >
    > > Regards,
    > > Alvin
    > >
    > >
    > >
    > > ---------------------------------------------------------------------------
    > > Captus Networks IPS 4000
    > > Intrusion Prevention and Traffic Shaping Technology to:
    > > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > > - Automatically Control P2P, IM and Spam Traffic
    > > - Precisely Define and Implement Network Security & Performance Policies
    > > FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    > > http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
    > > ---------------------------------------------------------------------------
    > >
    > >
    > >
    >
    >


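Darren's evaluation method above (scan the same hosts once with the inline device passing traffic and once with it dropping attacks, then look at what is left) is easy to turn into a repeatable check. The following is an added example, not code from the thread or from any scanner or IDP vendor: it assumes a simplified pipe-separated export format (host|port|finding_id|severity|title) as a stand-in for the scanner's real output, and the hosts, IDs and titles in `BASELINE_SCAN` and `BLOCKED_SCAN` are constructed. It separates findings that the blocking suppressed from those that remain, and among the remaining ones distinguishes informational "you are running a web server" items from real weaknesses, which is exactly the distinction drawn in the post.

```python
"""Compare a scanner run taken with the inline device passing all traffic
against one taken with it dropping attacks.

Constructed example (hypothetical helpers, made-up finding IDs): the record
format host|port|finding_id|severity|title stands in for a real scanner export.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    finding_id: str
    severity: str  # info, low, medium, high, critical
    title: str


# Severities that describe the service rather than a flaw in it; these are
# expected to survive blocking because no attack is involved in finding them.
INFORMATIONAL = {"info", "low"}

# Constructed sample data: scan with the device passing everything.
BASELINE_SCAN = """
# host|port|finding_id|severity|title
10.0.0.5|80|P-0001|info|Web server banner observed
10.0.0.5|80|P-0002|high|Constructed web flaw A
10.0.0.5|21|P-0003|info|FTP server banner observed
10.0.0.5|21|P-0004|high|Constructed FTP flaw B
10.0.0.7|139|P-0005|medium|Constructed SMB flaw C
10.0.0.7|445|P-0006|medium|Constructed SMB flaw D
"""

# Constructed sample data: same scan with attack dropping enabled.
BLOCKED_SCAN = """
10.0.0.5|80|P-0001|info|Web server banner observed
10.0.0.5|21|P-0003|info|FTP server banner observed
10.0.0.7|445|P-0006|medium|Constructed SMB flaw D
"""


def parse_findings(text: str) -> Set[Finding]:
    """Parse one record per line; blank lines and '#' comments are skipped."""
    findings: Set[Finding] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, fid, sev, title = line.split("|", 4)
        findings.add(Finding(host, int(port), fid, sev.lower(), title))
    return findings


def ids(findings: Set[Finding]) -> List[str]:
    """Sorted finding IDs, for stable reporting."""
    return sorted(f.finding_id for f in findings)


def compare_scans(baseline: Set[Finding], blocked: Set[Finding]) -> Dict[str, object]:
    """Split the baseline into what blocking suppressed and what still shows,
    and separate real remaining findings from informational ones."""
    suppressed = baseline - blocked
    remaining = baseline & blocked
    real_baseline = {f for f in baseline if f.severity not in INFORMATIONAL}
    real_remaining = {f for f in remaining if f.severity not in INFORMATIONAL}
    rate = 1 - len(real_remaining) / len(real_baseline) if real_baseline else 0.0
    return {
        "baseline_total": len(baseline),
        "blocked_total": len(blocked),
        "suppressed": ids(suppressed),
        "remaining_informational": ids(remaining - real_remaining),
        "remaining_real": ids(real_remaining),
        # Findings seen only with blocking on deserve a second look: they may
        # be artefacts of drops or resets rather than real weaknesses.
        "only_with_blocking": ids(blocked - baseline),
        "real_suppression_rate": round(rate, 2),
    }


def run_example() -> Dict[str, object]:
    """Compare the two constructed scans."""
    return compare_scans(parse_findings(BASELINE_SCAN), parse_findings(BLOCKED_SCAN))


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The `remaining_real` list is the one to act on: each entry is a weakness the scanner could still reach through the device, so it either needs a signature or a host-side fix. As the post notes, a scanner is only a baseline, so a high suppression rate says the device handles the scanner's attack set, not the universe of attacks.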

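The ordered, terminal/non-terminal signature model described above (alarm on any FTP username except one specific account) is worth seeing in working form, because the result depends entirely on rule order. The following is an added example, not Netscreen IDP code and not its rule syntax: the rule engine, the `ftp_event` parser and the helper names are hypothetical, and the FTP control-channel lines fed to it are constructed. It shows the exception rule placed first and terminal, a non-terminal logging rule, a catch-all alarm, and what happens when the same rules are evaluated in reverse.

```python
"""Ordered, context-sensitive signature evaluation.

Constructed example (hypothetical rule engine, not a vendor's): a rule matches
on a parsed protocol field (the FTP USER argument) rather than on a raw byte
string; rules run in the order given; a terminal rule ends evaluation when it
matches, a non-terminal rule records its action and lets later rules run.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]  # e.g. {"proto": "ftp", "field": "username", "value": "alice"}


@dataclass
class Rule:
    name: str
    action: str                     # "pass", "log" or "alarm"
    match: Callable[[Event], bool]
    terminal: bool = True


def ftp_event(line: str) -> Optional[Event]:
    """Turn one FTP control-channel line into a username event, or None."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() == "USER" and arg:
        return {"proto": "ftp", "field": "username", "value": arg}
    return None


def ftp_username(pred: Callable[[str], bool]) -> Callable[[Event], bool]:
    """Matcher that only fires on the FTP username field, never on other context."""
    return lambda ev: (ev.get("proto") == "ftp"
                       and ev.get("field") == "username"
                       and pred(ev["value"]))


def evaluate(rules: List[Rule], event: Event) -> List[str]:
    """Return 'rule:action' for each rule that fired, in order."""
    fired: List[str] = []
    for rule in rules:
        if not rule.match(event):
            continue
        fired.append(f"{rule.name}:{rule.action}")
        if rule.terminal:
            break
    return fired


def evaluate_line(rules: List[Rule], line: str) -> List[str]:
    """Parse a raw FTP line and evaluate it; non-USER lines fire nothing."""
    ev = ftp_event(line)
    return evaluate(rules, ev) if ev else []


# Alarm on every FTP username except one approved account. The exception
# must come first and be terminal; the log rule is non-terminal so the
# alarm rule after it still runs.
RULES = [
    Rule("ftp-allow-backup", "pass", ftp_username(lambda u: u == "backup_svc"), terminal=True),
    Rule("ftp-log-user", "log", ftp_username(lambda u: True), terminal=False),
    Rule("ftp-alarm-user", "alarm", ftp_username(lambda u: True), terminal=True),
]


if __name__ == "__main__":
    # Constructed control-channel lines.
    for line in ("USER backup_svc\r\n", "USER anonymous\r\n", "PASS secret\r\n"):
        print(repr(line.strip()), "->", evaluate_line(RULES, line))
    # Same rules in the wrong order: the approved account alarms as well.
    print("reversed ->", evaluate_line(list(reversed(RULES)), "USER backup_svc\r\n"))
```

The reversed run is the check to build into any rule-set change: a terminal catch-all that moves above its exception silently swallows the exception, and nothing in the individual rules reveals it. Keeping a small set of known-good and known-bad inputs and re-running them after every edit catches that.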

