Re: location of an IPS

From: Kurt Seifried (bt_at_seifried.org)
Date: 10/21/05

    To: "FinAckSyn" <finacksyn@yahoo.co.uk>, "Doug Fox" <dfox168@hotmail.com>, <focus-ids@securityfocus.com>
    Date: Thu, 20 Oct 2005 23:05:18 -0600


    Uhh your math is wrong. You're assuming each packet is a new connection/etc.
    I can saturate my backend 100 megabit network with 1 connection (rsync
    backups). 5,000 connections per second is a reasonable amount of traffic
    (5,000 simultaneous emails, www sessions, DNS queries, etc, it's certainly
    possible, and chances are it will consume a significant amount of
    bandwidth).

    -Kurt Seifried

    > An IPS should be placed in front of the firewall, to
    > provide complete network protection.
    > However, the Unity 50 is quite low spec - 5,000
    > connections per second, 5,000 concurrent connections.
    > Bearing in mind most Check Point firewalls have a
    > default connection table size of 40,000 (?)
    > connections, then putting the Unity 50 in front of
    > your firewall would be a bottleneck.
    > Assuming small packet size (512bits per packet), then
    > 5,000 of these per second equates to just under 3Mbs.
    > If your Internet feed is less than this, then no
    > problem. If it's higher, then the Unity 50 would not
    > be able to handle a 3Mbs pipe full of small packets.
    > You should really design your perimeter with this
    > worse case scenario in mind, especially if you have
    > negotiated burst rates with your ISP and your ISP feed
    > can suddenly shoot up in usage.
    > Port scans should be blocked by the firewall - all
    > irrelevant ports are discarded at this point. I'm not
    > sure how the Unity 50 handles port scans, I haven't
    > played with one yet... ;)
    >
    > Regards,
    >
    > Matt
    >
    > --- Doug Fox <dfox168@hotmail.com> wrote:
    >
    >> I'm sorry for this dumb question, which may have
    >> been answered many times.
    >>
    >> Where should one place an TippingPoint Unity 50 IPS
    >> device? Behind or in
    >> front of a firewall?
    >>
    >> I have a/the TippingPoint behind a Check Point
    >> firewall. Even though we
    >> externally and internally port-scanned the firewall
    >> and the IPS many times,
    >> the activity log did not contain any record of the
    >> "attacks".
    >>
    >> What am I missing here? Any pointers are
    >> appreciated.
    >>
    >> Thanks,
    >>

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------
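The disagreement above is about three separate limits that get conflated: new connections per second, connections held open at once, and bits on the wire. The following capacity model is an added illustration, not code from the thread or from TippingPoint; the only figures taken from the thread are the Unity 50 limits (5,000 connections/s, 5,000 concurrent), everything else is a constructed assumption.

```python
"""Capacity model separating connection rate, concurrency and bandwidth.
Added illustration; traffic figures are constructed assumptions, only the
Unity 50 limits come from the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    conns_per_sec: float      # new connections arriving per second
    avg_duration_s: float     # how long each connection stays open
    pkts_per_sec_open: float  # packets/s sent while a connection is open
    bytes_per_pkt: float      # average packet size on the wire


def concurrent(p: Profile) -> float:
    # Little's law: connections in flight = arrival rate * average lifetime
    return p.conns_per_sec * p.avg_duration_s


def packets_per_sec(p: Profile) -> float:
    return concurrent(p) * p.pkts_per_sec_open


def load_mbps(p: Profile) -> float:
    return packets_per_sec(p) * p.bytes_per_pkt * 8 / 1e6


# Limits for the Unity 50 as stated in the thread.
UNITY50_CPS = 5_000
UNITY50_CONCURRENT = 5_000


def exceeded(p: Profile, link_mbps: float) -> list[str]:
    """Which of the three separate limits a profile breaks on a given feed."""
    out = []
    if p.conns_per_sec > UNITY50_CPS:
        out.append("connection rate")
    if concurrent(p) > UNITY50_CONCURRENT:
        out.append("concurrent connections")
    if load_mbps(p) > link_mbps:
        out.append("link bandwidth")
    return out


# Matt's case: 5,000 cps, one 512-bit (64-byte) packet each, ~1 s lifetime.
SMALL_PKTS = Profile("one-packet connections", 5_000, 1.0, 1.0, 64)
# Kurt's case: one long-lived rsync session at ~8,333 full-size packets/s,
# enough to fill a 100 Mbit/s link (one session per 64 s, each lasting 64 s).
RSYNC = Profile("rsync backup", 1 / 64, 64.0, 8_333, 1_500)
# Same 5,000 cps as Matt, but 10 s keep-alive sessions: concurrency balloons.
KEEPALIVE = Profile("web keep-alive", 5_000, 10.0, 0.5, 500)

if __name__ == "__main__":
    for p in (SMALL_PKTS, RSYNC, KEEPALIVE):
        print(f"{p.name}: {concurrent(p):.0f} concurrent, "
              f"{packets_per_sec(p):.0f} pps, {load_mbps(p):.2f} Mbit/s, "
              f"exceeded on a 3 Mbit/s feed: {exceeded(p, 3.0)}")
```

The one-packet profile reproduces Matt's "just under 3 Mbit/s" while the single rsync session saturates the link on its own, and the keep-alive profile shows the concurrent-connection table, not the link, becoming the bottleneck.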

