Time to talk IPS (Intrusion Prevention Systems)

FreshPrince

Diamond Member
Dec 6, 2001
This seems like the hot topic to talk about nowadays...let's discuss which system/service your company is using and your feedback about their product.

I'll start: we use a company called SecureWorks, but lately they want to raise our price by $2000/year for the next 5 years, which is BS :| This is why I'm looking for a new IPS service provider, or an appliance. OTOH, the latter might not be good since it means internal management of IPS, which for smaller companies means the admin gets more work to do.

Anyways, share your knowledge about IPS and which product your company is using.

-FP
 

Cheetah8799

Diamond Member
Apr 12, 2001
I work at a small private college. Our ISP does not offer any service beyond the dual T1 connections that we use.

Internally we have just upgraded our Checkpoint firewall server. I'm not the admin for it, but it works pretty well. Not that anyone really wants to hack us, right?... :) We keep fairly strict control over what is open on the firewall. Most all of the public servers are in the DMZ, with a couple exceptions.

We also use Packeteer for our packet shaping, which helps control the amount of traffic for file sharing and such.

For internal IPS, I think the Snort project may be useful. Our network admin set this up once on our network, but since management didn't deem it worthy of the time and effort required to maintain it, I think the whole idea got left in the dust...
 

FreshPrince

Diamond Member
Dec 6, 2001
Originally posted by: Cheetah8799
I work at a small private college. Our ISP does not offer any service beyond the dual T1 connections that we use.

Internally we have just upgraded our Checkpoint firewall server. I'm not the admin for it, but it works pretty well. Not that anyone really wants to hack us, right?... :) We keep fairly strict control over what is open on the firewall. Most all of the public servers are in the DMZ, with a couple exceptions.

We also use Packeteer for our packet shaping, which helps control the amount of traffic for file sharing and such.

For internal IPS, I think the Snort project may be useful. Our network admin set this up once on our network, but since management didn't deem it worthy of the time and effort required to maintain it, I think the whole idea got left in the dust...

Correct me if I'm wrong, but isn't Snort strictly IDS? At least that's how it was last time I played with it. I'm glad you responded, but in this thread I'm looking more for an IDS that's able to prevent intrusions...therefore an IPS. Checkpoint is a tight little package for FW though, I like it a lot :)
 

Boscoh

Senior member
Jan 23, 2002
Check out Netscreen, and TippingPoint.

I've heard and seen bad and good about both, but overall they are pretty solid.

We eval'ed Netscreen and TP, we'll probably end up going with Netscreen (if it's approved by mgmt) because they are cheaper. TP I feel is a more solid product, but they are expensive, mostly because they designed their box to be put in the core of your network. NS is geared more towards the edge...that's the impression I got. NS uses Dell servers as their platform, whereas TP's unit was originally designed to be a multi-gig ASIC core switch.

NS works out to be about 8k per interface you want to protect. TP works out to be about 12k.

I think networkcomputing.com just did a review of a bunch of IPS systems. You might want to check it out. I can't grab the link for you right now because their site appears to be down.

EDIT: It wasn't NWC, it was NW Fusion. Here's the link to the articles:

http://www.nwfusion.com/reviews/2004/0216ips.html
 

FreshPrince

Diamond Member
Dec 6, 2001
Originally posted by: Boscoh
Check out Netscreen, and TippingPoint.

I've heard and seen bad and good about both, but overall they are pretty solid.

We eval'ed Netscreen and TP, we'll probably end up going with Netscreen (if it's approved by mgmt) because they are cheaper. TP I feel is a more solid product, but they are expensive, mostly because they designed their box to be put in the core of your network. NS is geared more towards the edge...that's the impression I got. NS uses Dell servers as their platform, whereas TP's unit was originally designed to be a multi-gig ASIC core switch.

NS works out to be about 8k per interface you want to protect. TP works out to be about 12k.

I think networkcomputing.com just did a review of a bunch of IPS systems. You might want to check it out. I can't grab the link for you right now because their site appears to be down.

EDIT: It wasn't NWC, it was NW Fusion. Here's the link to the articles:

http://www.nwfusion.com/reviews/2004/0216ips.html

ya, I saw that article too, and I think they recommended something else. I'm definitely going to look into that, I think F5 also has a pretty solid product.
 

Boscoh

Senior member
Jan 23, 2002
For content-based IPSs, they recommended NS, TP, and ISS.

I don't know too much about ISS, only that the people who told me they think both NS and TP have a good product all said that ISS has a lot of quirks and bugs. Take that for what it's worth.

Never looked at F5.

Keep in mind, with the NS, you'll need to purchase a separate 900-dollar bypass unit for each interface so the traffic can fail-open to L2 passthru mode if the device fails. TP will fail-open to L2 without a bypass unit if the unit fails. This is of course assuming that you would want traffic to flow unfiltered if the device fails.
 

n0cmonkey

Elite Member
Jun 10, 2001
I think Enterasys' Dragon is the best IDS product out there. It also has a function to kill or prevent connections. I believe they categorize it as sniping. Is this what you mean by IPS?

Inline snort IDSes have sniping abilities, I think.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Boscoh
For content-based IPSs, they recommended NS, TP, and ISS.

I don't know too much about ISS, only that the people who told me they think both NS and TP have a good product all said that ISS has a lot of quirks and bugs. Take that for what it's worth.

Never looked at F5.

Keep in mind, with the NS, you'll need to purchase a separate 900-dollar bypass unit for each interface so the traffic can fail-open to L2 passthru mode if the device fails. TP will fail-open to L2 without a bypass unit if the unit fails. This is of course assuming that you would want traffic to flow unfiltered if the device fails.

ISS RealSecure has a history of being crap ;) (My opinion only!)
 

Boscoh

Senior member
Jan 23, 2002
One of the difficulties a lot of IDS products have in stopping attacks is that often they just get a copy of the packet. So once they've ID'd a packet as an attack, the first packet has already gotten through. Then for however long it takes the IDS to modify ACLs or do whatever, other packets could have gotten through. I believe all IDSs that hang off a span port or take copies of traffic off the backplane of a switch act like this.

As for "IDS" devices that sit inline and block traffic from getting through, I believe that is what an IPS is all about.
 
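The timing argument in the post above, as an added example that is not from the thread or any vendor: a small Python model of a SPAN-port IDS (which only sees a copy and reacts by pushing an ACL) versus an inline IPS (which holds and drops), run over constructed sample packets with assumed detection, reaction and hold delays. It also models the fail-open behaviour mentioned earlier, where a failed inline box passes everything unfiltered.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t_ms: float       # arrival time at the sensor, in milliseconds
    src: str          # source address (constructed sample value)
    malicious: bool   # ground truth, used only to score the model

def passive_ids(packets, detect_ms, react_ms):
    """IDS on a SPAN port sees a copy, so the packet it inspects is already
    forwarded. After the first malicious packet from a source it needs detect_ms
    to match and react_ms to push an ACL. Returns malicious packets that leaked."""
    acl_active_at = {}                      # src -> time the ACL takes effect
    leaked = []
    for p in sorted(packets, key=lambda p: p.t_ms):
        if p.malicious and p.src not in acl_active_at:
            acl_active_at[p.src] = p.t_ms + detect_ms + react_ms
        blocked = p.src in acl_active_at and p.t_ms > acl_active_at[p.src]
        if p.malicious and not blocked:
            leaked.append(p)
    return leaked

def signature_match(p):
    # Stand-in for the signature engine; assumed to fire on every attack packet.
    return p.malicious

def inline_ips(packets, inspect_ms, failed=False):
    """Inline IPS holds each packet for inspect_ms and drops matches before
    forwarding, so even the first malicious packet is stopped. failed=True models
    fail-open: everything passes unfiltered. Returns (leaked packets, hold time)."""
    if failed:
        return [p for p in packets if p.malicious], 0.0
    return [p for p in packets if p.malicious and not signature_match(p)], inspect_ms

def attack_burst(n=20, gap_ms=2.0, start_ms=100.0, src="198.51.100.7"):
    """Constructed sample traffic: n attack packets from one source, gap_ms
    apart, mixed with a little benign traffic from another host."""
    bad = [Packet(start_ms + i * gap_ms, src, True) for i in range(n)]
    good = [Packet(50.0 + i * 10.0, "192.0.2.10", False) for i in range(10)]
    return bad + good

if __name__ == "__main__":
    pkts = attack_burst()
    # Assumed 5 ms to match plus 30 ms to install the ACL: 18 of 20 attack packets leak
    print("passive IDS leaked:", len(passive_ids(pkts, detect_ms=5, react_ms=30)))
    leaked, hold = inline_ips(pkts, inspect_ms=0.2)
    print("inline IPS leaked:", len(leaked), "hold per packet (ms):", hold)
    print("inline IPS fail-open leaked:", len(inline_ips(pkts, 0.2, failed=True)[0]))
```

Even with zero detection and reaction delay the passive model still leaks the first packet, because the copy arrives as the original is being forwarded.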

FreshPrince

Diamond Member
Dec 6, 2001
Originally posted by: Boscoh
One of the difficulties a lot of IDS products have in stopping attacks is that often they just get a copy of the packet. So once they've ID'd a packet as an attack, the first packet has already gotten through. Then for however long it takes the IDS to modify ACLs or do whatever, other packets could have gotten through. I believe all IDSs that hang off a span port or take copies of traffic off the backplane of a switch act like this.

As for "IDS" devices that sit inline and block traffic from getting through, I believe that is what an IPS is all about.

hmm, that brings up a good point...which product(s) actually block that 1st packet?

another question I'll add to my "what to ask IPS vendors" list :D thx!
 

Boscoh

Senior member
Jan 23, 2002
That's the point of IPSs.

They sit inline and inspect stuff on the fly and hold it before they allow it to pass. It's only for a brief, brief time, you don't (shouldn't) even notice the delay in your network. They block what you tell them to block, just like IDSs.
 

n0cmonkey

Elite Member
Jun 10, 2001
I believe Enterasys's Dragon can sit inline and block the first packet. If you *need* confirmation (and can't find it on enterasys.com), I can check some of the documents there. If I still have a password or the docs stored somewhere... Also check out snort, I think I remember reading that it can sit inline, but I'm not positive.

EDIT: nm, Enterasys changed their support site around. Not sure where to find things just yet...
 

FreshPrince

Diamond Member
Dec 6, 2001
are there any external or edge based IPS? Meaning:

T1 -> IPS -> Router -> Firewall?

The one you guys are talking about is this right?

T1 -> Router -> Firewall -> IPS ?

Ultimately it should be like this:

T1 -> IPS -> Router -> Firewall -> IPS ... if you have the budget ;)
 

Boscoh

Senior member
Jan 23, 2002
I believe the industry still very loosely uses the terms IDS and IPS. I think the general understanding with most people is that IDSs are reactionary devices that react after receiving a copy of a packet and are generally designed to be very, very good at collecting forensics. IPSs are devices which take a more proactive role and filter everything, blocking what you define and not letting it through unless it's allowed. IPSs can be thought of like firewalls with more inspection capabilities.

As for placement, both of the ones I mentioned can be used wherever you want. Edge, between Access and Distro, between Distro and Core, or in the Core. TP is more designed to be in the core.

If you put the device outside the firewall, typically two things happen:
You lose some manageability of the device
You can't inspect VPN traffic if it terminates at or behind the firewall (because it's still encrypted)

So ideally, yes, you would want one in front of your firewall to ease the load on your firewall, and if you had VPN connections you'd want one behind your VPN head-end to filter decrypted VPN traffic. VPN is a major point of infection in networks.
 

FreshPrince

Diamond Member
Dec 6, 2001
Originally posted by: Boscoh
I believe the industry still very loosely uses the terms IDS and IPS. I think the general understanding with most people is that IDSs are reactionary devices that react after receiving a copy of a packet and are generally designed to be very, very good at collecting forensics. IPSs are devices which take a more proactive role and filter everything, blocking what you define and not letting it through unless it's allowed. IPSs can be thought of like firewalls with more inspection capabilities.

As for placement, both of the ones I mentioned can be used wherever you want. Edge, between Access and Distro, between Distro and Core, or in the Core. TP is more designed to be in the core.

If you put the device outside the firewall, typically two things happen:
You lose some manageability of the device
You can't inspect VPN traffic if it terminates at or behind the firewall (because it's still encrypted)

So ideally, yes, you would want one in front of your firewall to ease the load on your firewall, and if you had VPN connections you'd want one behind your VPN head-end to filter decrypted VPN traffic. VPN is a major point of infection in networks.

man, you're just full of good ideas :)

ya, VPN has always been one of those things that you're happy you got working...but you can't sleep at night knowing your users' kids are downloading MP3s (with viruses) off of Kazaa or whichever is the more popular P2P program these days :|

having an IPS/FW behind the VPN is another good idea :)