--On Wednesday, July 29, 2009 12:25:16 +0000 Hurgel Bumpf
<[email protected]> wrote:
Hi List,
i need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
I had some bad experience with Tippingpoint UnityOne 2400 field test. The
device dropped to much sessions until all connectivity was lost. After that
no investigation was not possible as TP logs all attack information with IP
address 0.0.0.0
If this is true, the box was incorrectly sized for your traffic. We've had TP
inline for years and have never lost packets or connectivity. It *is* possible
to overload the device if you try to log absolutely everything and enable every
filter on the box.
The vendor excused this with the layered technology and passing the IP
address from the hardware to the logger would lead to delayed packages)
What vendor? Tippingpoint? Or a var? Whoever it was, it sounds like they
don't know what they're doing.
Not sure what you mean by this statement, but any device can be DoS'd by
excessive logging or by enabling every single rule the box is capable of
parsing.
This is unacceptable.
i'm now looking forward to test a Cisco IPS 4270-20 and a McAfee Network
Security 4050 appliance.
Who has a good/bad experience with that devices? Is it true that all devices
don't log ip adresses?
I can't imagine an IPS that wouldn't log IP addresses. That's the entire point
of the device, isn't it? TP certainly does.
It seems there's more to this story than you are giving us.
My dream appliance would be able to run like in a 7 day learning mode which
counts max new sessions per second, max sessions per client aso. After this 7
days it creates a filter with +x% of the learned values and sets these limits
active.
A big problem is that i have to install it into the productive system to get
the real values. I dont have any fixed values regarding the new sessions per
second and i cant just guess and set values and render the system offline.
All information is highly appreciated!
My first suggestion would be, don't put a demo/eval IPS inline. Put it in
listening mode, watch the traffic and figure out what's going on with your
network without taking it down. Had you done this with the 2400, you would
have realized it was undersized without creating a disaster scenario.
I don't really care what you purchase, but please do Cisco and McAfee a favor.
Don't put their devices inline while your doing your evaluation. Use them like
an IDS, enable whatever you want and let the box tell you what it *would* have
done had you placed it inline.
Once you've found whatever it is you're looking for, you should be able to put
it inline with a high degree of confidence that it will perform as expected.
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server, you can
securely collect sensitive information online, and increase business by giving
your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
