Travis,
My company recently evaluated a couple of IDS/IDP (etc.) products, and decided
to implement the Netscreen IDPs.
We deployed them in multiple locations and have been quite happy.

During testing, I ran various tests against the IDPs and a few other
vendors' products. In particular, I used Nessus as a typical baseline.
An example test was to place my collection of desktops and non-production
servers behind an IDP-100 in bridge mode. I then enabled the IDP to drop
packets (I also experimented with sending RSTs as appropriate) and went
about normal use for a week or so. No problems (and this was dropping all
critical and "high" importance attacks) were experienced by myself or others
using the servers.

Then, I ran Nessus against the servers without the IDP dropping packets, and
with it dropping packets (attacks). In the first case (no blocking), given
that I had set things up intentionally insecure, Nessus found ~75
vulnerabilities. Then I turned packet/attack dropping on and re-ran the test.
That test revealed something like 8 "vulnerabilities" which were all of the
vaguest sort: "You're running a webserver/ftp server", "You have IIS running,
that's bad!" etc. No real attacks.

I know that Nessus and other scanners don't by any means include the universe
of attacks, but it was a decent baseline in my view. A comparison to a
major routing vendor's IDS that we tested was favorable to Netscreen. While
both systems detected the attacks, when in "protect" mode, the major vendor
would issue shun/block commands to a firewall; Nessus found a number more
vulnerabilities in that case. A system that controls other systems has to
react to what it sees; that makes it hard, if not impossible, to catch that
first packet. There are plenty of single-packet vulnerabilities out there.

The logging is excellent, the GUI is very nice, and the attack database
was better than other products I had seen (handy links to Bugtraq/CVE
IDs).

As a customer, support has been fast and effective, and yes, there have been
issues that required support. If you aren't a UNIX person, these may be
more significant. To me, they were more "duh, I should have known that"
issues. Updates are every Thursday (and emergencies) and seem to be
informative.

We run a lot of protocols on non-standard ports, and can characterize
innocent traffic fairly well in certain areas. The ability to apply signatures
to non-standard ports, and to write custom signatures, is significant.
Perhaps the most useful feature I found was the highly context-sensitive
signatures: I can write signatures that check for a particular
string in an ftp username, for example. Since the rules are ordered, and
can be terminal or non-terminal, that makes it possible to alarm on any
userid except for a specific one (just an example, we don't do this).

All in all, the product was good, and the support has been great. I value
the sales/SE experience and find that it frequently correlates with how
seriously a company will support you. Other than the dearth of swag,
the Netscreen SE and reseller were excellent. I suspect you would get
the same SE given your location.

So, yes, we're quite happy with it, both in testing and in production.
--D
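The "alarm on any userid except one" idea above depends entirely on rule order and on the exempting rule being terminal. The following is an added illustration, not Netscreen IDP's rule language or any code from this thread: a small ordered rule walker over constructed FTP control-channel commands, showing that the same rules in the wrong order alarm on the exempt account too. Rule names, the sample commands and the `evaluate`/`alarms` helpers are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed FTP control-channel commands (not captured from a real host).
SAMPLE_FTP_COMMANDS = ["USER anonymous", "USER root", "USER backup", "PASS secret"]

@dataclass
class Rule:
    name: str
    matches: Callable[[str], bool]
    action: str      # "alarm" or "ignore"
    terminal: bool   # True: stop walking the list once this rule matches

USER_RE = re.compile(r"^USER\s+(\S+)$", re.IGNORECASE)

def ftp_user(cmd: str) -> Optional[str]:
    """Extract the username from an FTP USER command, else None."""
    m = USER_RE.match(cmd.strip())
    return m.group(1) if m else None

def evaluate(rules: List[Rule], cmd: str) -> List[str]:
    """Walk the ordered rule list; return names of rules that fired, in order."""
    fired = []
    for rule in rules:
        if rule.matches(cmd):
            fired.append(rule.name)
            if rule.terminal:
                break   # terminal rule: later rules never see this command
    return fired

def alarms(rules: List[Rule], commands: List[str]) -> List[str]:
    """Return the commands for which at least one 'alarm' rule fired."""
    by_name = {r.name: r for r in rules}
    return [c for c in commands
            if any(by_name[n].action == "alarm" for n in evaluate(rules, c))]

# Non-terminal audit rule first, then a terminal exemption for the one
# permitted account, then a terminal catch-all. Order is what makes it work.
ALLOW_THEN_ALARM = [
    Rule("log-any-user", lambda c: ftp_user(c) is not None, "ignore", terminal=False),
    Rule("allow-anonymous", lambda c: ftp_user(c) == "anonymous", "ignore", terminal=True),
    Rule("alarm-any-user", lambda c: ftp_user(c) is not None, "alarm", terminal=True),
]

# Same rules, catch-all first: the exemption is never reached.
ALARM_FIRST = [ALLOW_THEN_ALARM[2], ALLOW_THEN_ALARM[1]]
```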
On Mon, Sep 29, 2003 at 12:55:47PM -0700, travis.alexander_at_lacamas.org wrote:
> Has anyone had any personal experience with the NetScreen IDP products? Does
> it live up the hype that is stated on their website? Does it truly work that
> way they say? Thanks in advance for replies.
>
> Travis Alexander
> Network Administrator
> Lacamas Community Credit Union
> 360-834-3611
> http://www.lacamas.org
>
> -----Original Message-----
> From: JAVIER OTERO [mailto:jotero_at_SMARTEKH.com]
> Sent: Monday, September 29, 2003 9:02 AM
> To: Alvin Wong; focus-ids_at_securityfocus.com
> Subject: RE: Network hardware IPS
>
>
> Netscreen IDP is a good product. It uses 8 detection mechanisms, comes in 3 models
> (small, medium and large), and has 3 active modes plus 1 passive (like an IDS).
>
> Ing. Fco. Javier Otero De Alba
> Diploma in Information Security, ITESM CEM
> Grupo Smartekh
> Antivirus Expertos
> Business Continuity
> Inftegrity
> 5243-4782 to 84 Ext. 300
> México, D.F.
>
>
>
> -----Original Message-----
> From: Alvin Wong [mailto:alvin.wong_at_b2b.com.my]
> Sent: Monday, September 29, 2003 03:31 a.m.
> To: focus-ids_at_securityfocus.com
> Subject: Network hardware IPS
>
>
> Hi,
>
> I'm interested to find out if anyone can share their experiences or
> recommend a network hardware IPS that is deployed in front of the
> gateway, which is able to detect attack signatures and at the same time
> actively block these attacks, alerting me in the process.
>
> This would be different from a passive IDS which depends on correlating
> the logs every time an alert pops up. An ideal solution would be to be
> able to detect the patterns and prevent them automatically, can a
> network IPS do this?
>
> I understand that it is possible in some IDS to do a TCP reset after one
> has confirmed that the connection is not acceptable. Can anyone explain
> whether an IDS that can do this is actually "active" as opposed to
> passive?
>
> It would also be interesting if there could be some amount of trend
> analysis built in which can review the destination/source ip traffic
> over time, which can be used to identify particular boxes which are
> easily targeted, which would mean that more work needs to be done for
> that box.
>
> Regards,
> Alvin
>
>
>
> ---------------------------------------------------------------------------
> Captus Networks IPS 4000
> Intrusion Prevention and Traffic Shaping Technology to:
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Automatically Control P2P, IM and Spam Traffic
> - Precisely Define and Implement Network Security & Performance Policies
> FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> ---------------------------------------------------------------------------
Received on Oct 02 2003