Hi,
I hope I'm not bothering you, but I'm looking for some experiences with IPS
systems. There are several vendors, but is there a recommendation or some
tests? As a service provider we need a system which handles the scanning
in hardware, and it should work as a layer 2 bridge (no IP).
Stefan
"Hegger, Stefan" <Stefan.Hegger@lycos-europe.com> writes:
> I hope I'm not bothering you, but I'm looking for some experiences with IPS
> systems. There are several vendors, but is there a recommendation or some
> tests? As a service provider we need a system which handles the scanning
> in hardware, and it should work as a layer 2 bridge (no IP).
What speed, what problem are you trying to solve, and what do you mean
by "in hardware"? No FPGAs?
---rob
Hi
> "Hegger, Stefan" <Stefan.Hegger@lycos-europe.com> writes:
> > I hope I'm not bothering you, but I'm looking for some experiences with IPS
> > systems. There are several vendors, but is there a recommendation or some
> > tests? As a service provider we need a system which handles the scanning
> > in hardware, and it should work as a layer 2 bridge (no IP).
> What speed, what problem are you trying to solve, and what do you mean
> by "in hardware"? No FPGAs?
We have a 2 Gbps connection with about 200 kpps incoming and outgoing
traffic, and I don't want to pipe the traffic through software; FPGAs
are OK.
Our problem is DDoS, and we want stateful packet inspection.
The system should not be "static"; there should be something like anomaly
detection. It should report if there is "strange" traffic. And of course
the normal stuff such as intrusion detection (worms, botnets, etc.).
Stefan
Tipping Point IPS is the gold standard these days. Signature-based, with an
annual fee to get the signatures. Signatures are usually weekly at a
minimum. I use the Unity 50, but they do have Gbps IPS. All of their IPSes
are "bump-in-the-wire", which means that you do not have to assign an address
(operates at layer 2 instead of layer 3).
Edward W. Ray
CISSP, MCSE+Security, P.E., SANS GCIA Gold, SANS GCIH Gold
President
NetSec Design & Consulting
http://www.netsecdesign.com
(714) 997-9226
What actual *problem* are you trying to solve by installing an IPS? Note
that simple traffic graphs are usually enough to spot a DDoS - and if the
attacker is clever enough, the packets will *look* sane enough to pass the
IPS's muster and not be flagged.
Remember that in most cases, a packet flagged by an IPS falls into one of
several categories:
1) False positive. You just nuked a legitimate connection. Whoops.
2) A packet that wouldn't have done anything anyhow because you've already patched
the vulnerability. Who cares?
3) The very rare packet that exploits a vulnerability you haven't been able
to harden the target against yet. At this point, the IPS is being used as
a crutch to cover up the fact you haven't hardened the target box (and yes,
I'm fully aware of "but it's running MobyFooBar that isn't certified on any
release of the OS later than 1997" issues... doesn't change the fact that
you haven't hardened the box, does it?)
4) A very important class of packets that the IPS does *NOT* alert on is
the one it doesn't match to a vulnerability template, either because it's
a 0-day you don't have a template for, or because the source of the packet
is inside your border (got any wireless? Anyplace a user connects a laptop?
Any machines that might have gotten whacked with spyware or other malware,
opening up an *outbound* connection that your IPS will likely pass as OK?)
And don't forget that the IPS is Yet Another Log To Read. Unless you're also
hiring more manpower to feed the beast and clean up after it, it's worse than
useless, as it's taking away from all the OTHER things you're already doing.
And of course, getting one to do anything reasonable about "malicious traffic
FOO carried over SSL/443" is a major technical challenge - which is why you're
likely to see malicious traffic buried under the SSL.
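The point above that a plain traffic graph is usually enough to spot a volumetric DDoS, whatever the individual packets look like, and the earlier request for something that flags "strange" traffic rather than matching static signatures, can both be illustrated with a small baseline check over packet-rate counters. The following is an added example, not code from anyone in this thread: it keeps a trailing window of recent non-anomalous samples per direction, compares each new sample to the window's mean and standard deviation, and raises an alert when both the z-score and the ratio to baseline exceed thresholds (the ratio guard stops a nearly flat baseline with tiny standard deviation from turning ordinary jitter into alerts). The sample counters are constructed around the 200 kpps figure mentioned earlier; the thresholds, window size and field layout are assumptions.

```python
"""Volumetric anomaly check over packet-rate counters (added example)."""
from statistics import mean, pstdev

# Constructed sample: (seconds, inbound pps, outbound pps).
# Baseline hovers near 200 kpps, then inbound surges while outbound stays flat,
# which is the shape a rate graph would show during an inbound flood.
SAMPLES = [
    (0, 198_000, 201_000),
    (60, 203_000, 199_000),
    (120, 197_500, 202_500),
    (180, 201_000, 200_000),
    (240, 199_500, 198_500),
    (300, 202_000, 201_500),
    (360, 640_000, 199_000),   # inbound roughly 3x baseline
    (420, 910_000, 198_000),   # inbound roughly 4.5x baseline
    (480, 205_000, 200_500),   # back to normal
]


def detect_rate_anomalies(samples, direction="in", window=5,
                          z_threshold=3.0, min_ratio=1.5):
    """Return a list of alert dicts for samples that exceed the rolling baseline.

    direction: "in" uses column 1, "out" uses column 2 (assumed layout).
    window: number of recent non-anomalous samples forming the baseline.
    z_threshold: how many standard deviations above the mean counts as strange.
    min_ratio: value/baseline must also exceed this, so a flat baseline with
               near-zero spread does not alert on trivial jitter.
    """
    idx = 1 if direction == "in" else 2
    history = []   # recent values judged normal; anomalies are not added
    alerts = []
    for sample in samples:
        value = sample[idx]
        if len(history) < window:
            history.append(value)          # still learning the baseline
            continue
        mu = mean(history)
        sigma = pstdev(history)
        ratio = value / mu
        if sigma > 0:
            z = (value - mu) / sigma
        else:
            z = float("inf") if value != mu else 0.0
        if z > z_threshold and ratio > min_ratio:
            alerts.append({
                "t": sample[0],
                "direction": direction,
                "value": value,
                "baseline": round(mu),
                "ratio": round(ratio, 2),
            })
            continue   # do not let the flood raise its own baseline
        history.append(value)
        history = history[-window:]
    return alerts


def report(samples):
    """Human-readable summary for both directions."""
    lines = []
    for direction in ("in", "out"):
        for a in detect_rate_anomalies(samples, direction):
            lines.append(
                f"t={a['t']:>4}s {a['direction']:>3}: {a['value']:>9} pps "
                f"vs baseline {a['baseline']} ({a['ratio']}x)"
            )
    return lines or ["no rate anomalies"]


if __name__ == "__main__":
    for line in report(SAMPLES):
        print(line)
```

Because the check looks only at counters, it catches the surge whether or not the packets themselves would pass a signature engine, which is exactly the case where an IPS template has nothing to match. The same structure works on bytes per second or per-prefix counters exported from a router or flow collector; the window and thresholds should be tuned against the link's own history rather than taken from this constructed data.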
Edward W. Ray wrote:
> Tipping Point IPS is the gold standard these days. Signature-based, with an
> annual fee to get the signatures. Signatures are usually weekly at a
> minimum. I use the Unity 50, but they do have Gbps IPS. All of their IPSes
> are "bump-in-the-wire", which means that you do not have to assign an address
> (operates at layer 2 instead of layer 3).
Not to say anything about Edward, but this thread is going to be mostly full of commercial injections.
Except for one network I have been in charge of, I have never found the need for any I[DP]S product and find them an almost complete waste of time and money.
Gadi.
> Except for one network I have been in charge of, I have
> never found the need for any I[DP]S product and find them an
> almost complete waste of time and money.
Agreed, they're just for people to "feel" more secure. I use it because I got
one free for selling a bunch to customers who needed them to satisfy various
regulatory requirements. Other than SQL Slammer and the occasional HTTP PHP
exploit attempts, I rarely see anything of consequence.
Edward W. Ray
CISSP, MCSE+Security, P.E., SANS GCIA Gold, SANS GCIH Gold
President
NetSec Design & Consulting
http://www.netsecdesign.com
(714) 997-9226