RE: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor

From: Gary Halleen (ghalleen) (ghalleen_at_cisco.com)
Date: 10/14/05

    Date: Fri, 14 Oct 2005 13:26:29 -0700
    To: "Tim Holman" <tim_holman@hotmail.com>, "Jonathan Gauntt" <jon0966@yahoo.com>, <focus-ids@securityfocus.com>

    The IDS-4250, with 5.0 or later code on it, will function as either an
    IDS, or an IPS, or both.

    Multiple Cisco 4200-series sensors can be clustered through EtherChannel
    load-balancing to scale throughput, as well as provide failure
    protection, if your needs change. This is available both in passive
    mode (IDS) and inline modes (IPS).

    Gary

    -----Original Message-----
    From: Tim Holman [mailto:tim_holman@hotmail.com]
    Sent: Thursday, October 13, 2005 4:32 AM
    To: Jonathan Gauntt; focus-ids@securityfocus.com
    Subject: Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor

    Hi Jonathan,

    Wouldn't you rather block bad traffic, rather than detect it?
    Most companies are moving away from IDS as a protection mechanism,
    because:

    1) It only detects, and doesn't effectively block intrusions
    2) Problems with false positives, as by using pattern matching
    signatures, there is always a chance that these patterns also appear in
    valid traffic
    3) Management overheads. An IDS can only be a reasonably effective
    prevention method if there is someone on hand 24/7 to monitor logs and
    take immediate action on intrusions. Even then, the intrusion has got
    in, as admins very rarely use the active blocking features of an IDS
    (namely sending RST packets to kill connections, or modifying upstream
    ACLs), as these are too likely to have an effect on valid traffic
    4) There is absolutely no protection for rate-based attacks (SYN, TCP,
    UDP floods)
    5) Without maintaining a L3/4 connection/state table, there is no way
    an IDS can be truly stateful. 100% statefulness means that everything
    from the initial SYN to the final RST/FIN packet of a connection is
    stored in a connection table. This requires the device to be INLINE,
    and operating at L3. This is the only way a protection device can
    provide effective defence against L3 attacks. An offline IDS cannot do
    this.

    I would recommend looking at IPS products instead, so something that you
    can position inline and get immediate value from.
    If you feel the Cisco IDS is getting a little tired, then an IPS will
    also help take the load off it, by getting rid of Internet white noise,
    providing additional firewall filtering, and also defence against
    rate-based attacks.
    A true IPS will focus on defining what is GOOD traffic, and assuming all
    else is BAD (and dropping it). By doing this, zero-day attacks can be
    virtually eliminated, as they all ultimately rely on abuse of a valid
    protocol in the hope of slipping past your protection mechanisms and
    onto your network.
    This works quite well in conjunction with an IDS, that focuses on
    searching traffic for badness.
    Replacing like for like (IDS for IDS) is not going to give you much
    value, and even the market analysts are recommending against it.
    IDS isn't dead. Far from it, but use it for what it's good for -
    DETECTION and FORENSICS, and not as a device that can insure your
    network against rate-based and zero-day attacks.

    Regards,

    Tim

    ----- Original Message -----
    From: "Jonathan Gauntt" <jon0966@yahoo.com>
    To: <focus-ids@securityfocus.com>
    Sent: Wednesday, October 12, 2005 5:57 PM
    Subject: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor

    > Hi,
    >
    > We are currently running a Cisco IDS 4250 that monitors our internal
    > traffic. We essentially use this device for historical reporting because
    > we are a medical oriented facility with at least 100 3rd party
    > connections to us besides the 8000 employees.
    >
    > I am considering upgrading the Cisco IDS 4250 to the XL to handle higher
    > throughput but have been evaluating the Sourcefire IS300 and their RNA
    > sensor.
    >
    > I have the ability to purchase the Sourcefire unit or upgrade the 4250.
    >
    > Sourcefire claims that they are superior with stateful IDS inspection
    > and an overall better product.
    >
    > Does anyone have any thoughts on these two products? I have about $100k
    > in my budget to spend.
    >
    > Thanks,
    >
    >
    > Jonathan
    >
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    >

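Tim's points 4 and 5 above (rate-based attacks, and the claim that a truly stateful device must hold every connection in a table from the initial SYN to the final FIN/RST) can be made concrete with a small connection tracker. The code below is an added example written for this archive page; it is not code from the thread, nor from any Cisco or Sourcefire product. The packet sequence, the signature `/etc/passwd`, the addresses and the `SYN_FLOOD_THRESHOLD` value are all constructed for the demonstration. It goes slightly beyond point 5 by also showing why the same table gives you a half-open-connection count per source, which is what a rate-based SYN-flood check needs.

```python
"""
Minimal stateful TCP connection table (added example, constructed input).

Every flow is tracked from SYN to FIN/RST. Signature matching is applied
only to payload inside an ESTABLISHED flow; a packet that matches a pattern
but belongs to no tracked flow is reported as out-of-state rather than as a
hit, which is the false-positive class a stateless pattern matcher cannot
distinguish. The per-source half-open count doubles as a SYN-flood detector.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Flow key, always oriented client -> server: (client_ip, client_port, server_ip, server_port)
FlowKey = Tuple[str, int, str, int]

HALF_OPEN = "HALF_OPEN"        # SYN seen, three-way handshake not complete
ESTABLISHED = "ESTABLISHED"    # handshake completed, data may be inspected
SYN_FLOOD_THRESHOLD = 3        # constructed value; real sensors use far higher rates


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                 # TCP flags as letters: "S", "SA", "A", "F", "R"
    payload: bytes = b""


@dataclass
class Tracker:
    signatures: List[bytes]
    table: Dict[FlowKey, str] = field(default_factory=dict)
    half_open_by_src: Dict[str, int] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def _key(self, p: Packet) -> Tuple[FlowKey, bool]:
        """Find the flow this packet belongs to and whether it travels client -> server."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd, True
        if rev in self.table:
            return rev, False
        return fwd, True       # unknown flow: treat the sender as the client

    def _alert(self, msg: str) -> str:
        self.alerts.append(msg)
        return msg

    def process(self, p: Packet) -> Optional[str]:
        """Update the table with one packet; return an alert string if one fires."""
        key, client_to_server = self._key(p)
        state = self.table.get(key)

        # New connection attempt: record it as half-open and count it per source.
        if p.flags == "S" and state is None:
            self.table[key] = HALF_OPEN
            n = self.half_open_by_src.get(p.src, 0) + 1
            self.half_open_by_src[p.src] = n
            if n >= SYN_FLOOD_THRESHOLD:
                return self._alert(f"possible SYN flood from {p.src}: {n} half-open flows")
            return None

        # Handshake completion: the client's bare ACK after the server's SYN/ACK.
        if state == HALF_OPEN and client_to_server and p.flags == "A" and not p.payload:
            self.table[key] = ESTABLISHED
            self.half_open_by_src[key[0]] -= 1
            return None

        # Teardown: FIN or RST from either side removes the flow from the table.
        if state is not None and ("F" in p.flags or "R" in p.flags):
            if state == HALF_OPEN:
                self.half_open_by_src[key[0]] -= 1
            del self.table[key]
            return None

        # Data: inspect only inside an established flow; anything else is out-of-state.
        if p.payload:
            if state != ESTABLISHED:
                return self._alert(
                    f"out-of-state packet {p.src}:{p.sport}->{p.dst}:{p.dport}, not inspected")
            for sig in self.signatures:
                if sig in p.payload:
                    return self._alert(f"signature {sig!r} in established flow {key}")
        return None


def run_demo() -> Tracker:
    """Constructed packet sequence: one real flow that matches a signature, one stray
    packet carrying the same bytes with no handshake, and a burst of unanswered SYNs."""
    t = Tracker(signatures=[b"/etc/passwd"])
    c, s = "10.0.0.5", "10.0.0.80"
    packets = [
        Packet(c, 40000, s, 80, "S"),
        Packet(s, 80, c, 40000, "SA"),
        Packet(c, 40000, s, 80, "A"),
        Packet(c, 40000, s, 80, "A", b"GET /../../etc/passwd HTTP/1.0\r\n"),
        Packet(c, 40000, s, 80, "F"),
        Packet("10.0.0.9", 5555, s, 80, "A", b"/etc/passwd"),   # no flow: out-of-state
        Packet("10.0.0.66", 1001, s, 80, "S"),
        Packet("10.0.0.66", 1002, s, 80, "S"),
        Packet("10.0.0.66", 1003, s, 80, "S"),                   # third half-open: alert
    ]
    for p in packets:
        t.process(p)
    return t


if __name__ == "__main__":
    for line in run_demo().alerts:
        print(line)
```

Running it yields three alerts: a signature hit inside the established flow, an out-of-state report for the stray packet (a stateless matcher would have counted that as a second hit), and a SYN-flood notice once 10.0.0.66 has three half-open flows. Note that the tracker sees the flow only because it sits on the packet path; that is Tim's point about needing to be inline to have the full connection state rather than a sampled view.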

