Re: Network hardware IPS

["cheong frank" <chocobofrank () hotmail com>]

Dear all,

What about fortinet ? (http://www.fortinet.com/) which is a integrated IDP, Firewall and Antivirus appliance.

Also what about prelude IDS ? (http://www.prelude-ids.org/) it seems like a good product which quite a lot of ppl 
recommend with a good architecture.

Sorry as I don't fully understand what is it "inline" IDP and so I may not be right on recoomending the above product.

While I am also considering in deploying an IDS or IDP on our network and is also doing prelimiary stage evaluation. 
Glad if anyone point me to the right direction.

Frank

> From: Darren Bolding <darren () faucet net>
> To: travis.alexander () lacamas org
> CC: jotero () SMARTEKH com, alvin.wong () b2b com my,focus-ids () securityfocus com
> Subject: Re: Network  hardware IPS
> Date: Wed, 1 Oct 2003 22:21:50 +0000
>
> Travis,
>
> My company recently evaluated a couple of IDS/IDP(etc) products, and decided
> to implement the Netscreen IDP's.
>
> We deployed them in multiple locations and have been quite happy.
>
> During testing, I ran various tests against the IDP's and a few other
> vendors products.  In particular, I used Nessus as a typical baseline.
>
> An example test was to place my collection of desktops and non-production
> servers behind an IDP-100 in bridge mode.  I then enabled the IDP to drop
> packets (I also experimented with sending RST's as appropriate) and went
> about normal use for a week or so.  No problems (and this was dropping all
> critical and "high" importance attacks) were experienced by myself or others
> using the servers.
>
> Then, I ran Nessus against the servers without the IDP dropping packets, and
> with it dropping packets (attacks).  In the first case (no blocking) given
> that I had set things up intentionally insecure, Nessus found ~75
> vulnerabilities.  Then I turned packet/attack dropping on and re-ran the test.
>
> That test revealed something like 8 "vulnerabilities" which were all of the
> vaguest sort- "Your running a webserver/ftp server", "You have IIS running,
> thats bad!" etc.  No real attacks.
>
> I know that Nessus and other scanners don't by any means include the universe
> of attacks- but it was a decent baseline in my view.  A comparison to a
> major routing vendors IDS that we tested was favorable to Netscreen.  While
> both systems detected the attacks, when in "protect" mode, the major vendor
> would issue shun/block commands to a firewall- Nessus found a number more
> vulnerabilities in that case.  A system that controls other systems has to
> react to what it sees- that makes it hard, if not impossible, to catch that
> first packet.  There are plenty of single-packet vulnerabilities out there.
>
> The logging is excellent, the gui is very nice, and the attack database
> was better than other products I had seen (handy links to Bugtraq/CVE
> id's).
>
> As a customer, support has been fast and effective- and yes, there have been
> issues that required support.  If you aren't a UNIX person, these may be
> more significant.  To me, they were more "duh, I should have known that"
> issues.  Updates are every Thursday (and emergencies) and seem to be
> informative.
>
> We run a lot of protocols on non-standard ports, and can charachterize
> inoccent traffic fairly well in certain areas.  The ability to apply signatures
> to non-standard ports, and to write custom signatures is significant.
>
>
> Perhaps the most useful feature I found was the highly context
> sensitive signatures- I can write signatures that check for a particular
> string in an ftp username for example.  Since the rules are ordered, and
> can be terminal or non-terminal, that makes it possible to alarm on any
> userid except for a specific one (just an example, we don't do this).
>
> All in all, the product was good, and the support has been great.  I value
> the sales/SE experience and find that it frequently corelates with how
> seriously a company will support you.  Other than the dearth of swag,
> the Netscreen SE and reseller were excellent.  I suspect you would get
> the same SE given your location.
>
> So, yes, we're quite happy with it, both in testing and in production.
>
> --D
>
>
>
> On Mon, Sep 29, 2003 at 12:55:47PM -0700, travis.alexander () lacamas org wrote:
> > Has anyone had any personal experience with the NetScreen IDP products? Does
> > it live up the hype that is stated on their website? Does it truly work that
> > way they say? Thanks in advance for replies.
> >
> > Travis Alexander
> > Network Administrator
> > Lacamas Community Credit Union
> > 360-834-3611
> > http://www.lacamas.org
> >
> > -----Original Message-----
> > From: JAVIER OTERO [mailto:jotero () SMARTEKH com]
> > Sent: Monday, September 29, 2003 9:02 AM
> > To: Alvin Wong; focus-ids () securityfocus com
> > Subject: RE: Network hardware IPS
> >
> >
> > Netscreen IDP is a good product, uses 8 mechanisms for detect, 3 models,
> > small, medium and large, 3 active modes plu 1 passive (like IDS)
> >
> > Ing. Fco. Javier Otero De Alba
> > Diplomado en Seguridad Inform?tica ITESM CEM
> > Grupo Smartekh
> > Antivirus Expertos
> > Bussiness Continuity
> > Inftegrity
> > 5243-4782 al 84 Ext.300
> > M?xico, D.F.
> >
> >
> >
> > -----Mensaje original-----
> > De: Alvin Wong [mailto:alvin.wong () b2b com my]
> > Enviado el: Lunes, 29 de Septiembre de 2003 03:31 a.m.
> > Para: focus-ids () securityfocus com
> > Asunto: Network hardware IPS
> >
> >
> > Hi,
> >
> > I'm interested to find out if anyone can share their experiences or
> > recommend a network hardware IPS that is deployed in front of the
> > gateway which is able to detect attack signatures and at the same time,
> > actively blocking out these attacks, alerting me in the process.
> >
> > This would be different from a passive IDS which depends on correlating
> > the logs every time an alert pops up. An ideal solution would be to be
> > able to detect the patterns and prevent them automatically, can a
> > network IPS do this?
> >
> > I understand that it is possible in some IDS to do a TCP reset after one
> > had confirmed that the connection is not acceptable, can anyone explain
> > whether an IDS that can do this be actually "active" as opposed to
> > passive?
> >
> > It would also be interesting if there could be some amount of trend
> > analysis built in which can review the destination/source ip traffic
> > over time, which can be used to identify particular boxes which are
> > easily targeted, which would mean that more work needs to be done for
> > that box.
> >
> > Regards,
> > Alvin
> >
> >
> >
> > ---------------------------------------------------------------------------
> > Captus Networks IPS 4000
> > Intrusion Prevention and Traffic Shaping Technology to:
> >  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> >  - Automatically Control P2P, IM and Spam Traffic
> >  - Precisely Define and Implement Network Security & Performance Policies
> > FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> > http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> > ---------------------------------------------------------------------------
> >
> >
> > ---------------------------------------------------------------------------
> > Captus Networks IPS 4000
> > Intrusion Prevention and Traffic Shaping Technology to:
> >  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> >  - Automatically Control P2P, IM and Spam Traffic
> >  - Precisely Define and Implement Network Security & Performance Policies
> > FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> > http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> > ---------------------------------------------------------------------------
> >
> > ---------------------------------------------------------------------------
> > Captus Networks IPS 4000
> > Intrusion Prevention and Traffic Shaping Technology to:
> >  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> >  - Automatically Control P2P, IM and Spam Traffic
> >  - Precisely Define and Implement Network Security & Performance Policies
> > FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> > http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> > ---------------------------------------------------------------------------
> >
>
> ---------------------------------------------------------------------------
> Captus Networks IPS 4000
> Intrusion Prevention and Traffic Shaping Technology to:
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Automatically Control P2P, IM and Spam Traffic
>  - Precisely Define and Implement Network Security & Performance Policies
> FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> ---------------------------------------------------------------------------

_________________________________________________________________
Hotmail Extra Storage讓你獲得10MB 額外儲存空間，請即申請！ http://join.msn.com/?pgmarket=zh-hk 


---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------