Re: location of an IPS

From: FinAckSyn (finacksyn_at_yahoo.co.uk)
Date: 10/21/05

  • Next message: asalo_at_tippingpoint.com: "Re: Re: location of an IPS"

    Date: Fri, 21 Oct 2005 09:22:51 +0100 (BST)
    To: Kurt Seifried <bt@seifried.org>, Doug Fox <dfox168@hotmail.com>, focus-ids@securityfocus.com

    Worst case scenario, you have 5,000 SYN Packets (equates to approx
    3Mbs), all trying to establish a connection.
    Each of these will create a flow/connection table entry on the Unity 50,
    so 5,000 packets equates to 5,000 (half) connections per second.
    So I would always design a perimeter solution with this in mind.
    Remember, I'm talking worst case scenario, and not what would be in a
    typical stream - 5,000 connections can easily run into a gig.
    But it's not normal traffic we want to deal with using an IPS - it's the
    abnormal stuff - bad content and unacceptable rates.
    Start with the worst possible thing that could happen, and you've got
    yourself a decent security solution.
    Under-engineer, and you've only got yourself to blame when it all goes
    tits up. :)

    Matt

    --- Kurt Seifried <bt@seifried.org> wrote:

    > Uhh your math is wrong. You're assuming each packet is a new
    > connection/etc. I can saturate my backend 100 megabit network with 1
    > connection (rsync backups). 5,000 connections per second is a
    > reasonable amount of traffic (5,000 simultaneous emails, www sessions,
    > DNS queries, etc, it's certainly possible, and chances are it will
    > consume a significant amount of bandwidth).
    >
    > -Kurt Seifried
    >
    >
    > > An IPS should be placed in front of the firewall, to provide complete
    > > network protection.
    > > However, the Unity 50 is quite low spec - 5,000 connections per
    > > second, 5,000 concurrent connections.
    > > Bearing in mind most Check Point firewalls have a default connection
    > > table size of 40,000 (?) connections, then putting the Unity 50 in
    > > front of your firewall would be a bottleneck.
    > > Assuming small packet size (512bits per packet), then 5,000 of these
    > > per second equates to just under 3Mbs.
    > > If your Internet feed is less than this, then no problem. If it's
    > > higher, then the Unity 50 would not be able to handle a 3Mbs pipe
    > > full of small packets.
    > > You should really design your perimeter with this worst case scenario
    > > in mind, especially if you have negotiated burst rates with your ISP
    > > and your ISP feed can suddenly shoot up in usage.
    > > Port scans should be blocked by the firewall - all irrelevant ports
    > > are discarded at this point. I'm not sure how the Unity 50 handles
    > > port scans, I haven't played with one yet... ;)
    > >
    > > Regards,
    > >
    > > Matt
    > >
    > >
    > >
    > >
    > > --- Doug Fox <dfox168@hotmail.com> wrote:
    > >
    > >> I'm sorry for this dumb question, which may have been answered many
    > >> times.
    > >>
    > >> Where should one place a TippingPoint Unity 50 IPS device? Behind or
    > >> in front of a firewall?
    > >>
    > >> I have a/the TippingPoint behind a Check Point firewall. Even though
    > >> we externally and internally port-scanned the firewall and the IPS
    > >> many times, the activity log did not contain any record of the
    > >> "attacks".
    > >>
    > >> What am I missing here? Any pointers are appreciated.
    > >>
    > >> Thanks,
    > >>
    > >>
    > >
    >

                    
    ___________________________________________________________
    To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------
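The sizing argument in this thread (a link full of minimum-size SYNs versus a device's rated connections per second and its flow table, and Kurt's counterpoint that bandwidth does not translate into connections) can be checked with a small calculator. The following is an added example written for this archive page; it is not code from the list, from TippingPoint or from Check Point. The device ratings are the figures quoted in the thread and are not verified against a data sheet; the half-open timeout and the "typical traffic" profile (1500-byte packets, 50 packets per flow) are constructed assumptions.

```python
# Added example for this thread; not code from the list, TippingPoint or
# Check Point. Device ratings below are the figures quoted in the thread;
# the half-open timeout and the "typical" traffic profile are constructed
# assumptions for illustration.
from dataclasses import dataclass

MBPS = 1_000_000  # bits per second in one Mb/s


@dataclass(frozen=True)
class DeviceLimits:
    """Rated limits of an inline device (IPS or firewall)."""
    name: str
    new_conns_per_sec: int  # rated new flows per second
    concurrent_conns: int   # size of the flow/connection table


# Figures as quoted in the thread (not verified against a data sheet).
UNITY_50_AS_QUOTED = DeviceLimits("Unity 50 (as quoted)", 5_000, 5_000)
CHECKPOINT_TABLE_AS_QUOTED = 40_000  # "default connection table size of 40,000 (?)"


def worst_case_pps(link_mbps: float, packet_bits: int = 512) -> float:
    """Packets per second when the link is full of minimum-size packets.

    512 bits (64 bytes) is the small-packet size used in the thread.
    """
    return link_mbps * MBPS / packet_bits


def half_open_entries(syn_rate_pps: float, half_open_timeout_s: float) -> float:
    """Table entries held if every SYN opens a flow that no ACK ever
    completes, so each entry lingers until the half-open timeout expires."""
    return syn_rate_pps * half_open_timeout_s


def typical_cps(link_mbps: float, packet_bits: int, packets_per_conn: int) -> float:
    """Kurt's point: bandwidth does not map to connections. With full-size
    packets and many packets per flow, the same link yields few new flows."""
    return worst_case_pps(link_mbps, packet_bits) / packets_per_conn


def assess(device: DeviceLimits, link_mbps: float, packet_bits: int = 512,
           half_open_timeout_s: float = 30.0) -> dict:
    """Compare a device's ratings against the worst case for a given link.

    half_open_timeout_s is an assumed value; use the device's real timer.
    """
    pps = worst_case_pps(link_mbps, packet_bits)
    entries = half_open_entries(pps, half_open_timeout_s)
    return {
        "worst_case_pps": pps,
        "rate_ok": pps <= device.new_conns_per_sec,
        "table_entries_needed": entries,
        "table_ok": entries <= device.concurrent_conns,
        # Largest link (Mb/s) of small packets the rated CPS can absorb.
        "link_mbps_at_rated_cps": device.new_conns_per_sec * packet_bits / MBPS,
    }


if __name__ == "__main__":
    for mbps in (2.0, 3.0, 10.0):
        r = assess(UNITY_50_AS_QUOTED, mbps)
        print(f"{mbps:5.1f} Mb/s of 64-byte SYNs: {r['worst_case_pps']:8.0f} pps, "
              f"rate_ok={r['rate_ok']}, table needs {r['table_entries_needed']:.0f} "
              f"entries, table_ok={r['table_ok']}")
    print("same 3 Mb/s as 1500-byte packets, 50 per flow:",
          typical_cps(3.0, 12_000, 50), "new flows/s")
```

Two things the calculator makes visible that the arithmetic in the thread does not: the rated 5,000 connections per second is only part of the picture, because a flow entry lives as long as the half-open timer, so a 5,000-entry table is exhausted by far less than 5,000 SYNs per second once the timeout exceeds one second; and the same 3 Mb/s carried as full-size packets in long-lived flows creates only a handful of new connections per second, which is Kurt's objection in numbers.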

