IDS: Re: CISCOs new IPS

[p z <peterzulu () gmail com>]

key things to consider:

- increased packet latency through the IPS.  this is worsened as you
increase the number of things you detect and/or block
- careful of false positives, so only block the minimum number of
exploits (around 30 or so out of the entire base of things seem to
operate.)
- power redundancy and network failover are other considerations.
- failure to detect at high packet rates or high mbps rates.  you have
to stress test this yourself and use your peak average network stats
as the baseline for packet rates and mbps rates.  some ips systems
stop detecting attacks at higher packet and bandwidth rates.

peter


On Wed, 15 Dec 2004 07:31:42 +0100, Christoph Pertl (tm011081)
<tm011081 () fh-stpoelten ac at> wrote:
> Hi,
>
> I'm right now in the middle of a Project with the goal to implement an IPS
> in an existing infrastructure. One of our possible Partners offers us the
> new IPS Product from Cisco.
>
> Does anyone of you now something about this machine or at least about the
> older IDS-Box because I think the Inspection Engine will be the same?
>
> Any Information about how well it performs in a real environment would be
> great
>
> Christoph
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------