Re: IPS/IDS location suggestions in Network.



Hi.

For a pity I do not have an experience in implementing IPS on 10g links,
however I've been researching IBM appliances (ISS+Proventia). In practice
they can not do the deep inspection by signature patterns in protocols
which is higher
than transport layer (i.e. checking for an exploit code) at even
several G speed. Not sure if they just skip checks for packets or it
will became a bottleneck in case you try to force all packets to be
checked. You should talk with IBM specialists what set of features
will be available on that speed.

2008/3/14, Albert R. Campa <abcampa@xxxxxxxxx>:
ttp://uploader.futbolmex.net/files/1/network.JPG


See link for Network design, design for redundancy and speed.

these boxes are routers and links are 10gb.

different network segements will be hanging off of the 4 routers at
the bottom.

There will be an IPS higher up in the mix between the 2 top routers
and the internets as well as other stuff.

Main corporate network will be hanging off each of the 4 bottom switches.

So the goal is to monitor internal traffic between 4 network segments.

Idea of Cisco module IDS in the 2 top routers is scratched.

So what about in-line IPS on each of the links between the 4 routers
and the 2?
ISS has the GX6116 that runs at 6gb in filtering mode, 15gb non
filtering, hehe.
Sourcefire just sent me an email about their 10gb solution, but I dont
know if it has as many ports as the ISS box.

Is this even a good location for an inline IPS? It seems like the only
place other than the boarder where I can get any concentrated traffic,
but at the border I cant get internal traffic.

Any suggestions?

Saludos

Albert

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------




--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



Relevant Pages

  • Re: [Full-disclosure] =?utf-8?q?is_my_ISP_lying_or_stupid=3F?=
    ... The routers of an ISP are sorta DHCP in the sense that the IPs are ... dynamic- DHCP really works as one network whereas an ISP switch will ... That way they won't have to waste 4 IPs for every customer. ...
    (Full-Disclosure)
  • Re: doc question on private network IP allocation
    ... LAN network, I got some advice about how I should alloc the numbers. ... (e.g. sending traffic to that IP will be sent to all IPs on the LAN), ... gateway, but it's purely customary. ... routers became commonplace, it was customary for the first computer on ...
    (Fedora)
  • Re: IPS, alternative solutions
    ... I have the impression that some of the alternatives to IPS you mentioned ... Parts of the market have matured (network ... implementations (in-line protocol decoding and blocking/active response ... an often deployed technology at this time is ...
    (Focus-IDS)
  • RE: ASIC Based IPS
    ... IPS performs on each network stream can be done in parallel, ... There are 2 ways to achieve parallelism: ... The benefits of speed come about when you start using ASICs in parallel ...
    (Focus-IDS)
  • NADS ( was RE: IPS comparison)
    ... One thing that does bother me is how IPS has been ... great at the perimeter or other "choke points" in the network. ... NADS gives much of the value of traditional network ... that detection by itself is just not enough. ...
    (Focus-IDS)