IDS mailing list archives

Re: Network hardware IPS


From: Darren Bolding <darren () faucet net>
Date: Wed, 1 Oct 2003 22:21:50 +0000

Travis,

My company recently evaluated a couple of IDS/IDP (etc.) products, and decided
to implement the Netscreen IDPs.

We deployed them in multiple locations and have been quite happy.  

During testing, I ran various tests against the IDPs and a few other
vendors' products.  In particular, I used Nessus as a typical baseline.

An example test was to place my collection of desktops and non-production
servers behind an IDP-100 in bridge mode.  I then enabled the IDP to drop
packets (I also experimented with sending RSTs as appropriate) and went
about normal use for a week or so.  No problems (and this was dropping all
critical and "high" importance attacks) were experienced by myself or others
using the servers.

Then, I ran Nessus against the servers without the IDP dropping packets, and
with it dropping packets (attacks).  In the first case (no blocking), given
that I had set things up intentionally insecure, Nessus found ~75
vulnerabilities.  Then I turned packet/attack dropping on and re-ran the test.

That test revealed something like 8 "vulnerabilities" which were all of the
vaguest sort- "You're running a webserver/ftp server", "You have IIS running,
that's bad!" etc.  No real attacks.

I know that Nessus and other scanners don't by any means include the universe
of attacks- but it was a decent baseline in my view.  A comparison to a
major routing vendor's IDS that we tested was favorable to Netscreen.  While
both systems detected the attacks, when in "protect" mode, the major vendor
would issue shun/block commands to a firewall- Nessus found a number more
vulnerabilities in that case.  A system that controls other systems has to
react to what it sees- that makes it hard, if not impossible, to catch that
first packet.  There are plenty of single-packet vulnerabilities out there.

The logging is excellent, the GUI is very nice, and the attack database
was better than other products I had seen (handy links to Bugtraq/CVE
IDs).

As a customer, support has been fast and effective- and yes, there have been
issues that required support.  If you aren't a UNIX person, these may be
more significant.  To me, they were more "duh, I should have known that"
issues.  Updates are every Thursday (and emergencies) and seem to be 
informative.

We run a lot of protocols on non-standard ports, and can characterize
innocent traffic fairly well in certain areas.  The ability to apply signatures
to non-standard ports, and to write custom signatures, is significant.


Perhaps the most useful feature I found was the highly context-sensitive
signatures- I can write signatures that check for a particular
string in an ftp username, for example.  Since the rules are ordered, and
can be terminal or non-terminal, that makes it possible to alarm on any
userid except for a specific one (just an example, we don't do this).

All in all, the product was good, and the support has been great.  I value
the sales/SE experience and find that it frequently correlates with how
seriously a company will support you.  Other than the dearth of swag,
the Netscreen SE and reseller were excellent.  I suspect you would get
the same SE given your location.

So, yes, we're quite happy with it, both in testing and in production.

--D
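The ordered, terminal/non-terminal signature evaluation described above (alarm on any FTP userid except one allowed account), as an added illustration that is not the poster's configuration or any Netscreen code; the rule names, the FTP commands and the "drop/alert/allow" actions are all constructed here:

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed FTP control-channel commands used as sample input (not a real capture).
SAMPLE_FTP_COMMANDS = [
    "USER backup",
    "USER anonymous",
    "USER root",
    "USER a;b",
    "PASS hunter2",
]

@dataclass
class Rule:
    name: str
    match: Callable[[str], bool]   # predicate evaluated over the FTP username only
    action: str                    # "allow", "alert" or "drop"
    terminal: bool                 # True: stop evaluating once this rule matches

def ftp_username(command: str) -> Optional[str]:
    """Return the argument of an FTP USER command, or None for any other command."""
    m = re.match(r"^USER\s+(.*)$", command, re.IGNORECASE)
    return m.group(1) if m else None

def evaluate(command: str, rules: List[Rule]) -> List[str]:
    """Apply rules in order; a terminal match ends evaluation, a non-terminal match continues."""
    user = ftp_username(command)
    if user is None:
        return []                       # context-sensitive: only USER commands are inspected
    fired = []
    for rule in rules:
        if rule.match(user):
            fired.append(f"{rule.name}:{rule.action}")
            if rule.terminal:
                break
    return fired

# Hypothetical policy: one allowed account is terminal, so the catch-all never fires for it;
# a non-terminal rule adds extra context for privileged names before the catch-all alerts.
RULES = [
    Rule("allow-backup", lambda u: u == "backup", "allow", terminal=True),
    Rule("shell-metachar", lambda u: re.search(r"[;|&]", u) is not None, "drop", terminal=True),
    Rule("privileged-name", lambda u: u in {"root", "admin"}, "alert", terminal=False),
    Rule("any-other-user", lambda u: True, "alert", terminal=True),
]

def scan(commands=SAMPLE_FTP_COMMANDS, rules=RULES) -> Dict[str, List[str]]:
    return {c: evaluate(c, rules) for c in commands}
```

Reordering the rules changes the outcome: moving "any-other-user" to the top would alert on "backup" too, which is the ordering subtlety worth testing before deploying such a policy.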



On Mon, Sep 29, 2003 at 12:55:47PM -0700, travis.alexander () lacamas org wrote:
Has anyone had any personal experience with the NetScreen IDP products? Does
it live up to the hype that is stated on their website? Does it truly work the
way they say? Thanks in advance for replies.

Travis Alexander
Network Administrator
Lacamas Community Credit Union
360-834-3611
http://www.lacamas.org

-----Original Message-----
From: JAVIER OTERO [mailto:jotero () SMARTEKH com]
Sent: Monday, September 29, 2003 9:02 AM
To: Alvin Wong; focus-ids () securityfocus com
Subject: RE: Network hardware IPS


Netscreen IDP is a good product, uses 8 mechanisms for detection, 3 models,
small, medium and large, 3 active modes plus 1 passive (like IDS)

Ing. Fco. Javier Otero De Alba
Diploma in Information Security, ITESM CEM
Grupo Smartekh
Antivirus Experts
Business Continuity
Integrity
5243-4782 to 84 Ext. 300
México, D.F.



-----Original Message-----
From: Alvin Wong [mailto:alvin.wong () b2b com my]
Sent: Monday, September 29, 2003 03:31 a.m.
To: focus-ids () securityfocus com
Subject: Network hardware IPS


Hi,

I'm interested to find out if anyone can share their experiences or
recommend a network hardware IPS that is deployed in front of the
gateway, which is able to detect attack signatures and at the same time
actively block these attacks, alerting me in the process.

This would be different from a passive IDS which depends on correlating
the logs every time an alert pops up. An ideal solution would be to be
able to detect the patterns and prevent them automatically. Can a
network IPS do this?

I understand that it is possible in some IDS to do a TCP reset after one
has confirmed that the connection is not acceptable. Can anyone explain
whether an IDS that can do this is actually "active" as opposed to
passive?

It would also be interesting if there could be some amount of trend
analysis built in which can review the destination/source ip traffic
over time, which can be used to identify particular boxes which are
easily targeted, which would mean that more work needs to be done for
that box.

Regards,
Alvin



---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------