Educause Security Discussion
mailing list archives
Re: IPS recommendations
From: Bob Williamson <bob_williamson () AW ORG>
Date: Fri, 9 Nov 2012 22:08:32 -0800
Interesting to note that Palo Alto just recently released PANOS5. In the help file it mentions a new series of
firewalls distributed as an OVF for use with vSphere.
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | www.aw.org<http://www.aw.org/>
D: 253.272.2216 | F: 253.572.3616 | Bob_Williamson () aw org
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Kell
Sent: Friday, November 09, 2012 4:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPS recommendations
A decade ago (more or less) we had a Cisco PIX firewall. It had some IDS/IPS at the time, targeted at some of the
threats of the time. It did some things very well, but did not scale.
We had our first Cisco ASA firewalls right after their introduction. They scaled much better than the PIX. We also
got the AIP-SSM IPS modules for them. They were excellent at the time, directed at the threats at the time. It did
more things very well, but we're starting to approach its scale of bandwidth. The IPS modules were catching less and
less (and subsequent things behind them picking up more and more), so I put them in bypass mode over the summer as they
were a bottleneck running inline.
We have been doing Snort in IDS mode (passive) for some time. It does some things very well. (Detecting a pattern
here?) It might do some more things well if we could afford the official commercial appliance offerings with the
full Sourcefire enhancements, but as with most Next Generation Firewall or Unified Threat Management solutions, it gets
a little difficult separating the wheat from the chaff in the marketing claims.
We added a TippingPoint appliance a couple of years ago. It could implement blocking inline what Snort was telling us
after the fact. We also have an N-series appliance which supports the reputation database, a feature which scales to
incredible heights that we could not get out of other approaches. It does some things very well.
We also have a Procera. It can do some blocking (it can nail individual URLs), and does some things very well. But it
doesn't scale up well on that particular feature.
I'm not sure there is a 100% cure-all box you can simply plug in and everyone lives happily ever after. We have tried
to combine best-of-breed and get the cumulative benefits of each, and at the same time we can avoid their individual
weaknesses and redirect them at something better suited for the job.
And the more eggs you put into one basket, it appears the more expensive it is per megabit of traffic. If your budget
scales up to that, it's an option too.
Just another opinion :)
On 11/9/2012 6:26 PM, King, Ronald A. wrote:
We too have TippingPoint EOL equipment. We purchased two Palo Alto firewalls and are very happy with them. In fact,
they caught a bug today that triggered further investigation. Thanks to them, it was easy to ID the host with user ID
that was attacking our server. We had not considered them as an alternative to TippingPoint, but, with this
conversation and recent events, well, let's just say we are now open to the idea that we may already have our
Note: The PAN firewalls are Next Gen (NG). I have learned that they aren't the standard definition of a firewall. The
recommended way to create rules is based on the application rather than port. The bug I mentioned earlier was over
port 80, generally allowed for your internal hosts to talk out to port 80, but, much like an IPS, it triggered on a
Trojan filter. We have a rule set for one of our web servers to only allow applications "web-browsing" and
"web-crawler" from the Internet. With the ASAs we are moving from, we allowed anything on port 80.
Norfolk State University
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of
Sent: Thursday, November 08, 2012 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] IPS recommendations
Our current IPS is reaching EOS, so we would take this opportunity to look at alternatives to our existing Tipping
Point unit. I was looking to see what everyone else is using and how well it is working for them.
University of Redlands