@Dave, I am glad that you are revealing that you work for Sourcefire. Based on my experience with various IPS products, I strongly feel that there is no absolute right or wrong choice, it is matter of what you are trying to protect and what are my existing security measures/products and my risk appetite and most importantly network architecture. Now I refuse to believe that all the network assets are equally important and best way to provide the protection is to place IPS in the network where it is needed the most. If you end up with conclusion that all the network must have IPS then still you can get more boxes and install it per network...Just a thought.
Finally its not IPS but people managing IPS are most critical part . Its not the product but people that will make the difference to your security.So instead of product i would invest in providing more training to my security staff than investing in expensive product. Just to prove my point try Fragroute and run different attack on Sun, Linux and Windows boxes behind IPS and you will know what I am talking about . This tool was written by DugSong based on the paper Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Thomas and Timothy. And some of the problems identified in this paper are very limitation of NIDS of not knowing the host OS and hence cannot accurately judge what will be the final behavior at the host of the given set of packets in the conditions like overlapping fragments and ttl =1 for one of the packets, out of order arrival to name a few. Since Linux and Windows behaves differently the way it handles the overlapping fragments and hence there is no easy way to handle this in NIDS. To summarize, you need following, 1. Good assessment of the protection you require and risk appetite. (Risk Reward ratio) 2. Excellent security staff 3. Ability to discard marketing of NSS, Gartner, and Forresters of the world. These are just marketing tool for the companies ! 4. Finally a product that can fit and provide the benefits you want or need , not benefits that they list. Hope this helps, Regards, Vijay Upadhyaya BS-7799 Lead Auditor CISA CISSP CSGA Nortel ASF Training Certification > On Thu, Jul 15, 2010 at 12:16 AM, Dave Venman <[email protected]> wrote: >> >> <disclaimer> I work for Sourcefire </disclaimer> but I'll try to keep >> this vendor-neutral >> >> There are lots of boxes now which can, or claim they can, perform >> 10Gbps or more inspection. >> >> Some of that is marketing fluff, some of it is the real McCoy. >> >> If you have a need for 10Gbps inspection or higher then you really >> need to do your homework because the boxes you pay for go for lots of >> money. If you spend all that money on a solution which doesn't do IPS >> properly or only do IPS properly well below the expected / rated / >> claimed throughput - and I accept there are various approaches which >> do work, and there are those which don't - then you're stuck with it >> for the foreseeable future. >> >> You need to do your homework seriously - check reviews, NSS reports, >> anything you can lay your hands on. Then, get your hands on a unit to >> evaluate them. And when you test these devices, make sure you put >> them in a production environment (passively - I'm not that stupid) to >> get them to inspect YOUR traffic. Don't rely on sending a PCAP to >> someone and getting results, because you don't know how they've tested >> your traffic, or if indeed they have tested it at all, just run basic >> traffic distribution analysis on it and chucked the resulting figures >> into a program to see the theoretical throughput. >> >> And don't just test for raw IPS throughput - although it's important - >> make sure the stuff you throw at it is caught - make sure it's proper >> attempts to exploit vulnerabilities not just Nessus / NMAP scans, make >> sure your testing rig replays traffic properly and doesn't provide an >> approximation of TCP traffic, and lots of other things which need to >> be done properly to test the solution effectively. >> >> Raw throughput is only one element. If you don't get proper >> inspection, then the things are essentially expensive doorstops. >> >> On 14 July 2010 16:50, pacific.croc <[email protected]> wrote: >> >> > >> > Juniper also has the newly launched SRX series of appliances which if I am >> > not wrong can deliver up to 30 Gbps >> > >> > >> > On 7/14/2010 5:02 AM, Jeffrey Chen wrote: >> > >> >> I think they've been here for a while now: >> >> >> >> Palo Alto Networks PA-4000 IPS/Firewall - 10GB >> >> Top Layer IPS 5500-1000 - 4GB individually, up to 32GB in clustering >> >> mode. >> >> Juniper IDP-8200 - 10GB >> >> >> >> Just off top of my head. I think there are few others out there as >> >> well. >> >> >> >> >> >> -- >> Dave Venman >> >> ----------------------------------------------------------------- >> Securing Your Online Data Transfer with SSL. >> A guide to understanding SSL certificates, how they operate and their >> application. By making use of an SSL certificate on your web server, you can >> securely collect sensitive information online, and increase business by >> giving your customers confidence that their transactions are safe. >> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194 >> >> > > -- Vijay Upadhyaya BS-7799 Lead Auditor CISA CISSP CSGA Nortel ASF Training Certification ----------------------------------------------------------------- Securing Your Online Data Transfer with SSL. A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
