IDS: Re: IPS Reliability/Availability

Re: IPS Reliability/Availability

From: FinAckSyn <finacksyn_at_yahoo.co.uk>
Date: Fri, 3 Feb 2006 13:14:48 +0000 (GMT)

Hi Mike,

The first question you must ask yourself is whether or
not you are prepared to put a PC-based solution inline
in your network?
So bypass switches may solve reliability issues, but
why bother going to all that trouble with bypass
switches and load balanced clusters when there are
some excellent dedicated, ASIC-based IPS solutions
available. TippingPoint, McAfee and TopLayer are the
biggest players in this space, and should be on any
shortlist.
As for real-world experience, I have never had ANY
reliability or performance issues with TopLayer, who
even go one step further and include separate
management and event logging processors to ensure that
GUI access, SYSLOG/SNMP functions are 100% available
no matter what the network load.
If you're in a core network, be very careful with
signature-based products. TippingPoint and McAfee are
heavily reliant on Snort signatures, which, although
they may do a good job on the perimeter at defending
against known attacks, open a whole can of false
positives when used on internal networks. I've had big
problems tuning both TippingPoint and McAfee devices,
and felt most uncomfortable having to disable vast
portions of their signature sets to get them running at
acceptable speeds. This is even worse on a core network,
as you're dealing with far higher speeds.

Rgds,

Matt

--- geek_brigades_at_yahoo.com wrote:

> I am working on a big IPS project and I am very
> concerned about installing an inline device in a
> core enterprise network, where these devices have
> the potential to create big time network outages.
>
> Can you, please, share your possible bad experiences
> about the reliability of the following inline IPS
> products:
>
> ISS
> TippingPoint
> Juniper IPS
> Sourcefire
> McAfee IntruShield
>
> Have you had any issues with the availability of
> these devices, such as fail close crashes or do you
> have any experience with bypass switches that would
> mitigate the availability issue?
>
> Thanks,
> Mike

                
Received on Feb 07 2006
