Educause Security Discussion
mailing list archives
Re: IPS recommendations
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Fri, 9 Nov 2012 19:55:10 -0500
A decade ago (more or less) we had a Cisco PIX firewall. It had some
IDS/IPS at the time, targeted at some of the threats of the time. It
did some things very well, but did not scale.
We had our first Cisco ASA firewalls right after their introduction.
They scaled much better than the PIX. We also got the AIP-SSM IPS
modules for them. They were excellent at the time, directed at the
threats at the time. It did more things very well, but we're starting
to approach it's scale of bandwidth. The IPS modules were catching less
and less (and subsequent things behind them picking up more and more),
so I put them in bypass mode over the summer as they were a bottleneck
We have been doing Snort in IDS mode (passive) for some time. It does
some things very well. (Detecting a pattern here?) It might could do
some more things well if we could afford the official commercial
appliance offerings with the full Sourcefire enhancements, but as with
most NextGeneration FireWall or Unified Threat Management solutions, it
gets a little difficult separating the wheat from the chaff in the
We added a TippingPoint appliance a couple of years ago. It could
implement blocking inline what Snort was telling us after the fact. We
also have an N-series appliance which supports the reputation database,
a feature which scales to incredible heights that we could not get out
of other approaches. It does some things very well.
We also have a Procera. It can do some blocking (it can nail individual
URLs), and does some things very well. But it doesn't scale up well on
that particular feature.
I'm not sure there is a 100% cure-all box you can simply plug in and
everyone lives happily ever after. We have tried to combine
best-of-breed and get the cumulative benefits of each, and at the same
time we can avoid their individual weaknesses and redirect them at
something better suited for the job.
And the more eggs you put into one basket, it appears the more expensive
it is per megabit of traffic. If you budget scales up to that, it's an
Just another opinion :)
On 11/9/2012 6:26 PM, King, Ronald A. wrote:
We too have TippingPoint EOL equipment. We purchased two Palo Alto
firewalls and are very happy with them. In fact, they caught a bug
today that triggered further investigation. Thanks to them, it was
easy to ID the host with user ID that was attacking our server. We
had not considered them as an alternative to TippingPoint, but, with
this conversation and recent events, well, let's just say we are now
open to the idea that we may already have our replacement.
Note: The PAN firewalls are Next Gen (NG). I have learned that they
aren't the standard definition of a firewall. The recommended way to
create rules is based on the application rather than port. The bug I
mentioned earlier was over port 80, generally allowed for your
internal hosts to talk out to port 80, but, much like an IPS, it
triggered on a Trojan filter. We have a rule set for one of our web
servers to only allow applications "web-browsing" and "web-crawler"
from the Internet. With the ASAs we are moving from, we allowed
anything on port 80.
/Norfolk State University/
*From:*The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Entwistle, Bruce
*Sent:* Thursday, November 08, 2012 2:27 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] IPS recommendations
Our current IPS is reaching EOS, so we would take this opportunity to
look at alternatives to our existing Tipping Point unit. I was
looking to see what everyone else is using and how well it is working
University of Redlands