recommend an internal IPS

FreshPrince

Diamond Member
what are you guys using to protect your internal networks?

budget is around $20K

looking for a very simple to manage that does not require a lot of hands on pampering. I don't want to spend 50% of my time looking at false positives.

what can I look at for this price?

thanks
 
Mainly cisco IDS/IPS appliances or blades.

But I'm sure there are better ones out there.

what are you trying to accomplish?
 
Originally posted by: spidey07
Mainly cisco IDS/IPS appliances or blades.

But I'm sure there are better ones out there.

what are you trying to accomplish?

cuz the auditor said so?

but I want to get the best bang for the buck as well...

I did some research online and the cisco one does not block malicious activities :/
 
Originally posted by: FreshPrince
Originally posted by: spidey07
Mainly cisco IDS/IPS appliances or blades.

But I'm sure there are better ones out there.

what are you trying to accomplish?

cuz the auditor said so?

but I want to get the best bang for the buck as well...

I did some research online and the cisco one does not block malicious activities :/

Cisco IPS systems block many types of malicious activity. What exactly do you want to do with your 20k? Just buy an IPS? Or develop a whole new security policy?



 
Last year I would have said Tipping Point, but they're owned by 3com now, and I think 3com sucks. From what I hear though, TP remained its own entity for the most part. You might check them out. They had top notch stuff, especially for internal applications.

Juniper also makes good IPS systems, and ISS always seems to get good marks whenever someone does an IPS Roundup, but I hear a lot of bad stuff about them too.

From what I've seen, the IPS area is one of the few areas where Cisco is really lacking. Although, I haven't checked up on their product in the last 8 months, so it may have changed. Last time I checked, their systems generated a lot of false positives and false negatives, and were not very easy to use. That says a lot coming from me. I'm a big Cisco guy.
 
Originally posted by: Boscoh
Last year I would have said Tipping Point, but they're owned by 3com now, and I think 3com sucks. From what I hear though, TP remained its own entity for the most part. You might check them out. They had top notch stuff, especially for internal applications.

Juniper also makes good IPS systems, and ISS always seems to get good marks whenever someone does an IPS Roundup, but I hear a lot of bad stuff about them too.

From what I've seen, the IPS area is one of the few areas where Cisco is really lacking. Although, I haven't checked up on their product in the last 8 months, so it may have changed. Last time I checked, their systems generated a lot of false positives and false negatives, and were not very easy to use. That says a lot coming from me. I'm a big Cisco guy.

I agree that Cisco is lacking in this arena.

IPS is really kinda new (less than 4 years).

For what it is worth, grill the auditors on what exactly they want (they're schooled on posturing, but I'm skilled in body language and have the knowledge to back it up). They tend to have no idea what they are talking about. Literally. They have no idea what they are talking about and are about the most clueless people to ever set foot in the security arena.

grill them. put them in their place. own them. ask them to define where they learned these practices (put the onus on them to prove their case and then knock it down) and how it applies to this account.

I hate IT auditors with a severe passion. And I own them in every meeting I've ever had with them. Question their education, question their experience, question their every move.



You own them. Not the other way around.
 
I have no experience dealing with auditors, although my knowledge of them is much how spidey describes them.

I found it interesting that when I took my CISSP exam this past weekend, not one of the 70+ people in the room raised their hand when asked if they were an auditor, but at least one person raised their hand for every other area of InfoSec the head proctor mentioned. I just thought that was funny.

Anyways.

There are some important considerations you need to be aware of when looking at internal IPSes, and your auditor probably doesn't even know these concerns exist.

One of the main considerations is whether or not the IPS can inspect, block, and pass traffic at wire speed. You do NOT want to put an IPS rated for 500 Mbps on a gigabit backbone. The other major consideration is how the device fails. It should fail open, that is...it should pass traffic just like a normal network cable if the device fails, including if it fails without power. Some vendors include this capability as an add-on that you have to pay for. You want this feature. Otherwise, if the IPS fails, it's like cutting your network cable and putting a rock in between the two severed pieces. It just won't work.

Just thought I'd throw that out there.
 
Originally posted by: Boscoh
I have no experience dealing with auditors, although my knowledge of them is much how spidey describes them.

I found it interesting that when I took my CISSP exam this past weekend, not one of the 70+ people in the room raised their hand when asked if they were an auditor, but at least one person raised their hand for every other area of InfoSec the head proctor mentioned. I just thought that was funny.

Anyways.

There are some important considerations you need to be aware of when looking at internal IPSes, and your auditor probably doesn't even know these concerns exist.

One of the main considerations is whether or not the IPS can inspect, block, and pass traffic at wire speed. You do NOT want to put an IPS rated for 500 Mbps on a gigabit backbone. The other major consideration is how the device fails. It should fail open, that is...it should pass traffic just like a normal network cable if the device fails, including if it fails without power. Some vendors include this capability as an add-on that you have to pay for. You want this feature. Otherwise, if the IPS fails, it's like cutting your network cable and putting a rock in between the two severed pieces. It just won't work.

Just thought I'd throw that out there.

that's a good point, I'll keep that in mind...

so far, from all the comparisons I've read, TippingPoint is much recommended...so is the ISS device. Other than that, a very expensive TopLayer device is also highly recommended, but nowhere in my budget...nor is ISS. I'm also looking into Checkpoint Interspect, and so far it looks pretty good.

Since I only have $20K, it looks like TP or Interspect.

I also read about the McAfee and Symantec IPSes..they both did not fare so well...

here's a good link: ips compare

I'm not sure why they rated so many devices as "no" in malicious traffic blocking, but there are only a handful of them...and TP is one of them.

The radware defensePro looks like a winner, but just a bit overbudget..maybe I can change that.

so many choices... 🙁
 
TippingPoint can definitely block malicious traffic. We demo'd the box on a test network and started a worm outbreak, and it blocked every bit of it.

I haven't heard good things about checkpoint, but I have heard good things about TopLayer and Radware.
 
Originally posted by: Boscoh
TippingPoint can definitely block malicious traffic. We demo'd the box on a test network and started a worm outbreak, and it blocked every bit of it.

I haven't heard good things about checkpoint, but I have heard good things about TopLayer and Radware.

which TP? unityone or one of the newer ones? I'm looking at the 5000 model.
 
Oh...UnityOne. I wasn't aware they had a newer model. Shows how much I've kept up with 'em since they got bought by 3com.
 
GFI may have something to accomplish what you need. We have auditing set up on servers, and GFI software scans event logs and alerts us to important events, because it is impossible to look through 1 million+ log entries every day.

Blackice would also achieve desired results.
 
Originally posted by: blemoine
GFI may have something to accomplish what you need. We have auditing set up on servers, and GFI software scans event logs and alerts us to important events, because it is impossible to look through 1 million+ log entries every day.

Blackice would also achieve desired results.

GFI makes IPSes? :Q

blackice is not "enterprise" enough
 
no not really. What is your auditor wanting to accomplish with an internal IPS? The reason I say this is that I would rather be notified of an event and take care of it than have people call all day and say they are being blocked from accessing their files. I guess it also depends on the amount of users on your network and the number of people on your IT staff.
 
IT Auditor - "you need to have IPS"

IT Manager - "do you even know what IPS is?"

IT Auditor - "No, but you need it."
 
Spidey07: we must have the same auditors.

IT Auditor: "Are your backup tapes stored in a place that would protect them in the event of an EMP attack?"

Me: "They are stored in our offsite vault which is made up of 4-foot concrete walls. What do your EMP specifications say?"

IT Auditor: "Well actually we don't have any information on EMP attacks."



 
Originally posted by: blemoine
Spidey07: we must have the same auditors.

IT Auditor: "Are your backup tapes stored in a place that would protect them in the event of an EMP attack?"

Me: "They are stored in our offsite vault which is made up of 4-foot concrete walls. What do your EMP specifications say?"

IT Auditor: "Well actually we don't have any information on EMP attacks."

LOL 😛

nah, they will most likely ask if your tapes are encrypted.

we're not just implementing it because they told us to...

It is a needed device because we don't have the staff like you said. If I had 10 people on staff, I'd just make them patch systems all day and we don't have to worry about internal hacks as much. But when you're running an Enterprise class network with only a limited amount of people, you want to spend the money to make your guys' jobs easier. Otherwise, they'd all quit on you! Oh wait, I've had 3 quit on me in the last 3 months because the work load was too great 🙁

anyways, I still haven't decided, but I've been reading up on Sourcefire's 3D system and it looks damn good! Sourcefire is the godfather of IDS/IPS so they might be able to help us out. The whole system is around $20K so this might actually work out! I hope the pampering is low though...

 
nah, they will most likely ask if your tapes are encrypted

IT Auditor: "Are your backup tapes stored in a place that would protect them in the event of an EMP attack?"
believe it or not this was an actual conversation. The reasoning they gave was that an EMP attack would corrupt magnetic storage (tapes & hard drives). Their biggest problem is that they come in with a list of "keywords" that they have to see in your policy. Very little thought goes into the audit process. You can be perfect in everything you do, but if you don't have it in policy or don't have it logged then they scold you as if you have been doing nothing at all.

 
Originally posted by: blemoine
nah, they will most likely ask if your tapes are encrypted

IT Auditor: "Are your backup tapes stored in a place that would protect them in the event of an EMP attack?"
believe it or not this was an actual conversation. The reasoning they gave was that an EMP attack would corrupt magnetic storage (tapes & hard drives). Their biggest problem is that they come in with a list of "keywords" that they have to see in your policy. Very little thought goes into the audit process. You can be perfect in everything you do, but if you don't have it in policy or don't have it logged then they scold you as if you have been doing nothing at all.

oh I know...I've been through 3 audits last year, ranging from the government to 3rd party independent companies. They all sucked, and I had to concentrate all my energy on them and had to put projects on hold because of them. I hate them with as much passion as you do and yes, I know most of them are idiots. 😛

This particular one I'm dealing with now...is their top auditor...

 
Originally posted by: Boscoh
The other major consideration is how the device fails. It should fail open, that is...it should pass traffic just like a normal network cable if the device fails, including if it fails without power. Some vendors include this capability as an add-on that you have to pay for. You want this feature. Otherwise, if the IPS fails, it's like cutting your network cable and putting a rock in between the two severed pieces. It just won't work.

Just thought I'd throw that out there.

Does your router "fail open"? How about your firewall?
 