
recommend an internal IPS

Page 2
Tipping Point seems good, and McAfee made me want a unit at home. Haven't gotten to play with them personally though. Sourcefire makes my nether regions all tingly. Enterasys' Dragon products have always been fun.

Almost any system out there is going to require a decent number of "man hours" to setup, tune, and monitor. Eliminating false positives is a worthy goal, I just don't think it can be reached (without a good number of false negatives). 🙁
 
Originally posted by: n0cmonkey
Originally posted by: Boscoh
The other major consideration is how the device fails. It should fail open, that is...it should pass traffic just like a normal network cable if the device fails, including if it fails without power. Some vendors include this capability as an add-on that you have to pay for. You want this feature. Otherwise, if the IPS fails, it's like cutting your network cable and putting a rock in between the two severed pieces. It just won't work.

Just thought I'd throw that out there.

Does your router "fail open"? How about your firewall?

A firewall or router can usually be configured with stateful failover. Does anyone make an IPS that does stateful failover?
 
Originally posted by: w0ss
Originally posted by: n0cmonkey
Originally posted by: Boscoh
The other major consideration is how the device fails. It should fail open, that is...it should pass traffic just like a normal network cable if the device fails, including if it fails without power. Some vendors include this capability as an add-on that you have to pay for. You want this feature. Otherwise, if the IPS fails, it's like cutting your network cable and putting a rock in between the two severed pieces. It just won't work.

Just thought I'd throw that out there.

Does your router "fail open"? How about your firewall?

A firewall or router can usually be configured with stateful failover. Does anyone make an IPS that does stateful failover?

Tipping point has stateful redundancy. I don't remember enough of the details to try and explain the options though. 😉

McAfee has "fail open" capabilities, IIRC.
 
I talked with sourcefire today....they're being acquired by CheckPoint!!! 😀

their product is what I would implement if I had the money...

the gigabit ips device alone is $25K

add another $4K for the RNA and another $17K for the management server and it comes to...

$50K with support 🙁

only $30K above budget 😛

Tipping point still looks good, I think the 5000e is around $10K

I checked out that NSS website and they just recently reviewed SecureWerks, which is a managed IPS solution....I might go with that instead.

 
Originally posted by: n0cmonkey
Originally posted by: Boscoh
The other major consideration is how the device fails. It should fail open, that is...it should pass traffic just like a normal network cable if the device fails, including if it fails without power. Some vendors include this capability as an add-on that you have to pay for. You want this feature. Otherwise, if the IPS fails, it's like cutting your network cable and putting a rock in between the two severed pieces. It just won't work.

Just thought I'd throw that out there.

Does your router "fail open"? How about your firewall?


How can a router fail open? A router directly interacts and manipulates traffic in such a way that even if it did fail open, the traffic probably wouldn't go anywhere anyways. The same thing can be said with many firewalls, which also perform network segmentation and routing. In these cases you use failover, because a device that fails open would do absolutely no good unless it were working at Layer 2 pass-through.

IPSs typically don't route traffic between subnets or VLANs. They inspect traffic and pass it on or filter it - that's it. No NAT, no routing, no OSPF or EIGRP. If the device fails, failing open keeps the traffic flowing. Sure, you could use stateful failover, but with the price of each IPS unit being so high, failing open is often a better alternative for some customers (but not all).

IIRC, Tipping Point's UnityOne series could re-program its ASICs on the fly to take over functions of other failed ASICs. It also had integrated fail open, and could be configured to fail over to another unit. I don't know if the same is true for their new series.
 
Originally posted by: Boscoh
Originally posted by: n0cmonkey
Originally posted by: Boscoh
The other major consideration is how the device fails. It should fail open, that is...it should pass traffic just like a normal network cable if the device fails, including if it fails without power. Some vendors include this capability as an add-on that you have to pay for. You want this feature. Otherwise, if the IPS fails, it's like cutting your network cable and putting a rock in between the two severed pieces. It just won't work.

Just thought I'd throw that out there.

Does your router "fail open"? How about your firewall?


How can a router fail open? A router directly interacts and manipulates traffic in such a way that even if it did fail open, the traffic probably wouldn't go anywhere anyways. The same thing can be said with many firewalls, which also perform network segmentation and routing. In these cases you use failover, because a device that fails open would do absolutely no good unless it were working at Layer 2 pass-through.

IPSs typically don't route traffic between subnets or VLANs. They inspect traffic and pass it on or filter it - that's it. No NAT, no routing, no OSPF or EIGRP. If the device fails, failing open keeps the traffic flowing. Sure, you could use stateful failover, but with the price of each IPS unit being so high, failing open is often a better alternative for some customers (but not all).

IIRC, Tipping Point's UnityOne series could re-program its ASICs on the fly to take over functions of other failed ASICs. It also had integrated fail open, and could be configured to fail over to another unit. I don't know if the same is true for their new series.


it is
 
Originally posted by: Boscoh
Originally posted by: n0cmonkey
Originally posted by: Boscoh
The other major consideration is how the device fails. It should fail open, that is...it should pass traffic just like a normal network cable if the device fails, including if it fails without power. Some vendors include this capability as an add-on that you have to pay for. You want this feature. Otherwise, if the IPS fails, it's like cutting your network cable and putting a rock in between the two severed pieces. It just won't work.

Just thought I'd throw that out there.

Does your router "fail open"? How about your firewall?


How can a router fail open? A router directly interacts and manipulates traffic in such a way that even if it did fail open, the traffic probably wouldn't go anywhere anyways. The same thing can be said with many firewalls, which also perform network segmentation and routing. In these cases you use failover, because a device that fails open would do absolutely no good unless it were working at Layer 2 pass-through.

IPSs typically don't route traffic between subnets or VLANs. They inspect traffic and pass it on or filter it - that's it. No NAT, no routing, no OSPF or EIGRP. If the device fails, failing open keeps the traffic flowing. Sure, you could use stateful failover, but with the price of each IPS unit being so high, failing open is often a better alternative for some customers (but not all).

IIRC, Tipping Point's UnityOne series could re-program its ASICs on the fly to take over functions of other failed ASICs. It also had integrated fail open, and could be configured to fail over to another unit. I don't know if the same is true for their new series.

If critical pieces of your security infrastructure stop working you don't want traffic going through them untouched.

EDIT: I want to make it clear that this is my opinion. I also believe it's worth it to spend the money for redundancy. 😉
 
Originally posted by: n0cmonkey

If critical pieces of your security infrastructure stop working you don't want traffic going through them untouched.


Maybe I should explain again what I said previously:
Originally posted by: Boscoh



If the device fails, failing open keeps the traffic flowing. Sure, you could use stateful failover, but with the price of each IPS unit being so high, failing open is often a better alternative for some customers (but not all).

What is the Single Loss Expectancy and how often are you expecting it to occur? If you have a 24x7x4 replacement policy on your IPS, and you're expecting an event to happen often enough to occur in that 4 or 5 hour window on your internal network, and it would cost you more than the $20k (for example) that you spent for the IPS, then you should probably get another one and do failover, like you said. However, that's not always feasible for some companies. If you have a 24x7x4 replacement policy, you might determine that you're just fine being without your internal IPS for four hours. In that case, you'd want fail-open.

If your policy states that all traffic must be filtered by the IPS at all times, with no down-time of the IPS units, then you're absolutely correct that you'd want a device with intra-device redundancy and stateful failover to another unit.
 
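The post above weighs three ways an inline IPS can fail: pass traffic untouched (fail-open), drop the link (fail-closed), or keep a second unit in stateful failover. The following is an added example, not code from the thread or any vendor, that turns that Single Loss Expectancy argument into a small annualised-cost comparison. Every figure it uses (the $20k unit, the 4-hour 24x7x4 window, attack rates, outage cost, a 3-year amortization) is a constructed placeholder; the `IpsScenario` fields and the `unfiltered_traffic_allowed` policy switch are assumptions of this example.

```python
# Added example (not from the thread or any vendor): compare the expected annual
# cost of fail-open, fail-closed and a second unit in failover for a single
# inline IPS. All numbers passed in are constructed placeholders.
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365


@dataclass
class IpsScenario:
    unit_cost: float                 # price of one IPS unit (the thread's "$20k" example)
    failures_per_year: float         # expected inline-unit failures per year (ARO of an outage)
    replacement_hours: float         # hours until a replacement is installed (24x7x4 -> 4)
    attacks_per_year: float          # attacks the IPS would actually have blocked
    single_loss_expectancy: float    # cost of one such attack succeeding (SLE)
    outage_cost_per_hour: float      # business cost per hour of the segment being down
    amortization_years: float = 3.0  # years over which a second unit's price is spread
    unfiltered_traffic_allowed: bool = True  # False if policy forbids any unfiltered traffic


def exposure_hours(s: IpsScenario) -> float:
    """Hours per year during which the single inline unit is expected to be dead."""
    return s.failures_per_year * s.replacement_hours


def loss_fail_open(s: IpsScenario) -> float:
    """ALE of running unfiltered while waiting for the replacement (ARO x SLE)."""
    unblocked_attacks = s.attacks_per_year * exposure_hours(s) / HOURS_PER_YEAR
    return unblocked_attacks * s.single_loss_expectancy


def loss_fail_closed(s: IpsScenario) -> float:
    """ALE of the segment being unreachable while waiting for the replacement."""
    return s.outage_cost_per_hour * exposure_hours(s)


def cost_failover(s: IpsScenario) -> float:
    """Annualised price of a second unit in stateful failover (support fees ignored)."""
    return s.unit_cost / s.amortization_years


def compare(s: IpsScenario) -> tuple:
    """Return (expected annual cost per strategy, cheapest strategy allowed by policy)."""
    costs = {
        "fail-closed": loss_fail_closed(s),
        "failover": cost_failover(s),
    }
    if s.unfiltered_traffic_allowed:
        costs["fail-open"] = loss_fail_open(s)
    best = min(costs, key=costs.get)
    return costs, best


if __name__ == "__main__":
    # Constructed scenario: one $20k unit, 4-hour replacement contract, a
    # failure every two years, a dozen blockable attacks a year.
    small_shop = IpsScenario(unit_cost=20_000, failures_per_year=0.5,
                             replacement_hours=4, attacks_per_year=12,
                             single_loss_expectancy=50_000,
                             outage_cost_per_hour=5_000)
    costs, best = compare(small_shop)
    for name, value in sorted(costs.items()):
        print(f"{name:12s} ${value:10,.2f}/year")
    print("cheapest:", best)
```

The model is deliberately crude: it assumes attacks arrive uniformly over the year and that a second unit brings the exposure window to zero. What it does show is why the two posters can both be right: with a short replacement window and a low attack rate, fail-open costs almost nothing, while a policy that forbids unfiltered traffic (`unfiltered_traffic_allowed=False`) removes that option and makes the second unit cheaper than planned outages.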
Originally posted by: Boscoh
Originally posted by: n0cmonkey

If critical pieces of your security infrastructure stop working you don't want traffic going through them untouched.


Maybe I should explain again what I said previously:
Originally posted by: Boscoh



If the device fails, failing open keeps the traffic flowing. Sure, you could use stateful failover, but with the price of each IPS unit being so high, failing open is often a better alternative for some customers (but not all).

What is the Single Loss Expectancy and how often are you expecting it to occur? If you have a 24x7x4 replacement policy on your IPS, and you're expecting an event to happen often enough to occur in that 4 or 5 hour window on your internal network, and it would cost you more than the $20k (for example) that you spent for the IPS, then you should probably get another one and do failover, like you said. However, that's not always feasible for some companies. If you have a 24x7x4 replacement policy, you might determine that you're just fine being without your internal IPS for four hours. In that case, you'd want fail-open.

If your policy states that all traffic must be filtered by the IPS at all times, with no down-time of the IPS units, then you're absolutely correct that you'd want a device with intra-device redundancy and stateful failover to another unit.

we're going with the single device first and then do the fail over next year...we're not made of money you know 😉

 