IDS mailing list archives

RE: NIPS Vendors explicit answer


From: "Bob Walder" <bwalder () spamcop net>
Date: Sun, 2 May 2004 13:19:52 +0200

Whilst I appreciate Brian pointing you to the paid-for report ;o) I
should point out that most of the report is available to view on-line
for free at www.nss.co.uk/ips

Only the actual performance test results are unavailable on-line - for
those you need the PDF version.

Regards,

Bob Walder
Director
The NSS Group







-----Original Message-----
From: Brian Smith [mailto:bsmith () tippingpoint com] 
Sent: 02 May 2004 03:37
To: Melih Kirkgöz (Koç.net)
Cc: focus-ids () securityfocus com
Subject: RE: NIPS Vendors explicit answer


Disclaimer first: I work for a vendor (TippingPoint).  That 
being said, I've spent the last couple of years developing 
testing methodologies for IPSs, so I have at least some 
strong opinions :-).  You should look at the NSS test results:

     http://www.nss.co.uk/acatalog/Intrusion_Prevention_Systems__IPS_.html

To date, this is the only comprehensive independent IPS test 
that's been done that I'm aware of.  The report's $75 to buy 
and a bargain at that. The purchased report includes the 
test results, which you'll want.

You probably won't be able to fully replicate the NSS test 
suite (it took a year to develop and two weeks per vendor to 
run), but a couple of things to check when evaluating these 
products, especially those that didn't go through NSS 
(Radware is the only one on your short list).

1) Make sure the product continues to block attacks when simple,
off-the-shelf evasion techniques are employed.   Some easy-to-try
tools that the hackers all use are fragroute and whisker:

     http://monkey.org/~dugsong/fragroute/
     http://www.wiretrip.net/rfp/

The techniques these tools employ are documented at

     http://www.insecure.org/stf/secnet_ids/secnet_ids.html
     http://www.wiretrip.net/rfp/txt/whiskerids.html

2) Test the IPS like you would any other network element 
(switch, router, etc).  Measure latency and throughput with 
different packet sizes and different protocol mixes.  It's 
generally a good idea to test the extremes (all 64 byte 
packets, all UDP traffic, all ICMP traffic, fragmented 
traffic, out-of-order TCP traffic, etc) to see how the IPS 
fares.  Not that you're likely to see all 64 byte packets 
or all fragmented traffic in a real network, but it'll give 
you an idea of the performance limits of each IPS.

3) Also make sure that the performance is acceptable by 
testing the device inline in *your* network.  Try some 
simple performance tests (copying files, compiling, ping to 
measure latency, etc) with and without the IPS to see its 
effect on performance.  If the IPS slows your network to a 
crawl, that's usually a non-starter.

4) Ask the vendor to explain their process for releasing 
updates to the product to protect against new attacks, and 
how many of their filters protect against recent attacks.  
As a rule, blocking attacks from 5 years ago isn't as 
important as blocking attacks from the last couple of 
months, since you've probably already patched the systems 
against the older attacks.  Detecting old attacks is more of 
an IDS function than an IPS function.

5) Think about how the product would work in your 
environment in a worm storm, or other worst-case scenarios.  
If the management network is virtually down, can you still 
configure the box to block the attack that's bringing it 
down?  How does HA for the device work?  Does it fail open, 
closed, or is it configurable?

Hope this helps!

     Brian
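As an added illustration of the evasion check in point 1 above (this is example code written for this page, not part of any message in the thread, and not NSS's, TippingPoint's or any other vendor's test code), here is a small Python model of what fragroute and whisker do to an attack and why a per-packet signature matcher misses it while a matcher that reassembles the TCP stream and normalises the URL first does not. The request, the signature string and the function names are constructed for the example; the whisker techniques modelled (URL hex encoding, self-referencing directories, multiple slashes) and the fragroute ones (tcp_seg, order random) are named in the two papers linked above.

```python
"""Toy model of the evasion techniques fragroute and whisker use, and of why
a per-packet signature matcher misses them while a matcher that reassembles
the TCP stream and normalises the URL does not.  Everything here is
constructed for illustration: the request, the signature string and the
function names are assumptions, not taken from any product or test suite."""
import random
from urllib.parse import unquote

# Constructed: the string a signature-based IPS is assumed to look for.
SIGNATURE = b"/cgi-bin/phf"
# Constructed: the plain attack request the IPS is expected to block.
REQUEST = b"GET /cgi-bin/phf HTTP/1.0\r\nHost: target\r\n\r\n"


def _rewrite_path(request, fn):
    """Apply fn to the URL path of the request line; leave everything else alone."""
    line, sep, rest = request.partition(b"\r\n")
    method, path, version = line.split(b" ")
    return b" ".join([method, fn(path), version]) + sep + rest


# --- whisker-style URL obfuscation (techniques listed in whiskerids.html) ---

def hex_encode_path(request):
    """Percent-encode every letter of the path ('URL encoding')."""
    return _rewrite_path(request, lambda p: b"".join(
        b"%%%02X" % c if chr(c).isalpha() else bytes([c]) for c in p))


def self_reference_dirs(request):
    """Turn /a/b into /./a/./b ('self-reference directories')."""
    return _rewrite_path(request, lambda p: p.replace(b"/", b"/./"))


def double_slashes(request):
    """Turn /a/b into //a//b ('multiple slashes')."""
    return _rewrite_path(request, lambda p: p.replace(b"/", b"//"))


# --- fragroute-style transport splitting -----------------------------------

def tcp_segments(payload, size=1, shuffle=True, seed=7):
    """Split payload like fragroute 'tcp_seg <size>' and deliver the segments
    out of order like 'order random'.  Returns (seq_offset, data) pairs."""
    segs = [(i, payload[i:i + size]) for i in range(0, len(payload), size)]
    if shuffle:
        random.Random(seed).shuffle(segs)
    return segs


# --- two detectors ---------------------------------------------------------

def naive_detect(segments, signature=SIGNATURE):
    """Per-packet pattern match: no reassembly, no decoding."""
    return any(signature in data for _, data in segments)


def normalize_request(request):
    """Percent-decode the path and collapse '/./' and '//' so the obfuscated
    forms compare equal to the plain request."""
    line, sep, rest = request.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3:
        return request
    path = unquote(parts[1].decode("latin-1"), encoding="latin-1").encode("latin-1")
    while b"/./" in path:
        path = path.replace(b"/./", b"/")
    while b"//" in path:
        path = path.replace(b"//", b"/")
    return b" ".join([parts[0], path, parts[2]]) + sep + rest


def reassembling_detect(segments, signature=SIGNATURE):
    """Reorder by sequence offset, reassemble, normalise, then match."""
    stream = b"".join(data for _, data in sorted(segments))
    return signature in normalize_request(stream)


def run_evaluation():
    """Each evasion case -> (per-packet verdict, reassembling verdict)."""
    whole = lambda req: tcp_segments(req, size=len(req), shuffle=False)
    cases = {
        "plain": whole(REQUEST),
        "hex-encoded": whole(hex_encode_path(REQUEST)),
        "self-ref-dirs": whole(self_reference_dirs(REQUEST)),
        "double-slash": whole(double_slashes(REQUEST)),
        "tcp_seg 1 + order random": tcp_segments(REQUEST, size=1),
        "combined": tcp_segments(hex_encode_path(self_reference_dirs(REQUEST)), size=4),
    }
    return {name: (naive_detect(s), reassembling_detect(s)) for name, s in cases.items()}


if __name__ == "__main__":
    for name, (naive, full) in run_evaluation().items():
        print(f"{name:26} per-packet={'BLOCK' if naive else 'miss '}  "
              f"reassembled={'BLOCK' if full else 'miss '}")
```

The per-packet matcher blocks only the plain request; every variant gets through it, while the reassembling, normalising matcher blocks all of them. The toy deliberately stops short of the harder cases a real evaluation also has to cover: overlapping segments that carry different data (fragroute's chaff and overlap options), where the IPS must resolve the overlap the same way the target host's TCP stack does, and double or non-standard encodings that a single percent-decoding pass does not undo.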

-----Original Message-----
From: Melih Kirkgöz (Koç.net) [mailto:melihk () koc net]
Sent: Wednesday, April 28, 2004 10:00 AM
To: Rob Shein; Frank Knobbe; Vikram Phatak
Cc: focus-ids () securityfocus com
Subject: RE: NIPS Vendors explicit answer
Importance: High


Hello Everyone,

I am responsible for testing and offering an IPS solution 
for big networks with high rated throughputs for my 
company (an ISP) and our customers. As I read these mails 
flowing around, I said "yes, this is the right place to share 
my opinions". I would rather ask a question outside the 
theory about IDS-IPS comparison. Right now I am more 
interested in product comparison because of my urgent duty.

I had the chance to test Radware Defense Pro only as an 
inline IPS product. It seems to be a very fast, responsive 
and successful blocker against DDoS attacks, SYN floods and 
typical worms, and at detecting protocol anomalies. The other 
vendors waiting for my tests :) are Netscreen IDP, RealSecure 
ISS Proventia G200 and Network Associates NAI Intruvert 2600 
series. Does any of you know about these products, especially 
in a competitive way between them? I would appreciate your answers.

Regards

Melih Kirkgöz  
Network Security Services 
Koç.net Haberlesme Teknolojileri ve Iletisim Hizmetleri
Camlica Is Merkezi B3 Blok Uskudar 81190 
Istanbul -TURKEY 
email: melihk () koc net 
URL :http://www.koc.net 


-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Tuesday, April 27, 2004 6:39 PM
To: 'Frank Knobbe'; 'Vikram Phatak'
Cc: focus-ids () securityfocus com
Subject: RE: NIPS Vendors explicit answer


I can answer this fairly easily.  Bruce Schneier, among 
other people, has been pointing out that the real measure of 
security is how gracefully it fails.  In many large 
environments (like where I am right now) there can be 
confusion as to who is responsible for which system; the 
system in question may go unpatched as a result.  When 
there's an IPS on top of everything, it makes a big 
difference, because now you have another layer of defense to 
protect it.  At some point, someone is bound to notice that 
the system isn't patched, but at least it won't be because 
of some 1337 d00d tearing it up. For a public-facing service 
this is an entire second layer of protection, where before 
there was only one.

I'd also think that any environment that could tackle the 
implementation of an IPS correctly would already have 
patching fairly well in hand.  And I doubt they'd stop 
patching at that point, anyways.

Oh, and I second the request for an IPS list.  Good idea, Frank!

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Monday, April 26, 2004 8:04 PM
To: Vikram Phatak
Cc: focus-ids () securityfocus com
Subject: Re: NIPS Vendors explicit answer


<snip>



True. It seems I was focusing on the detection part, not the
prevention part. A product that shields existing 
vulnerabilities from a network does have merit.

I think I just question why we need the product. It appears
that it would allow us to be more complacent with our 
networks. Why patch the system when the IPS shields it? There 
seem to be two sides to the IPS-shielding-the-network 
approach. I can see where it is useful (especially when 
running Microsoft products, the latest SSL issue being the 
perfect example). But at the same time it is only a band-aid 
until the hosts are patched. Shouldn't we focus our 
preventative efforts on the hosts?

(not dispelling IPS, but we should use it as a substitute for
securing systems).

<snip snip>

