Educause Security Discussion mailing list archives

Re: IPS recommendations


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Fri, 9 Nov 2012 19:55:10 -0500

A decade ago (more or less) we had a Cisco PIX firewall.  It had some
IDS/IPS at the time, targeted at some of the threats of the time.  It
did some things very well, but did not scale.

We had our first Cisco ASA firewalls right after their introduction. 
They scaled much better than the PIX.  We also got the AIP-SSM IPS
modules for them.  They were excellent at the time, directed at the
threats at the time.  It did more things very well, but we're starting
to approach its scale of bandwidth.  The IPS modules were catching less
and less (and subsequent things behind them picking up more and more),
so I put them in bypass mode over the summer as they were a bottleneck
running inline.

We have been doing Snort in IDS mode (passive) for some time.  It does
some things very well.  (Detecting a pattern here?)  It might do
some more things well if we could afford the official commercial
appliance offerings with the full Sourcefire enhancements, but as with
most NextGeneration FireWall or Unified Threat Management solutions, it
gets a little difficult separating the wheat from the chaff in the
marketing claims.

We added a TippingPoint appliance a couple of years ago.  It could
implement blocking inline what Snort was telling us after the fact.  We
also have an N-series appliance which supports the reputation database,
a feature which scales to incredible heights that we could not get out
of other approaches.  It does some things very well.

We also have a Procera.  It can do some blocking (it can nail individual
URLs), and does some things very well.  But it doesn't scale up well on
that particular feature.

I'm not sure there is a 100% cure-all box you can simply plug in and
everyone lives happily ever after.  We have tried to combine
best-of-breed and get the cumulative benefits of each, and at the same
time we can avoid their individual weaknesses and redirect them at
something better suited for the job. 

And the more eggs you put into one basket, it appears the more expensive
it is per megabit of traffic.  If your budget scales up to that, it's an
option too.

Just another opinion :)

Jeff

On 11/9/2012 6:26 PM, King, Ronald A. wrote:

We too have TippingPoint EOL equipment.  We purchased two Palo Alto
firewalls and are very happy with them.  In fact, they caught a bug
today that triggered further investigation.  Thanks to them, it was
easy to ID the host with user ID that was attacking our server.  We
had not considered them as an alternative to TippingPoint, but, with
this conversation and recent events, well, let's just say we are now
open to the idea that we may already have our replacement.


Note: The PAN firewalls are Next Gen (NG).  I have learned that they
aren't the standard definition of a firewall.  The recommended way to
create rules is based on the application rather than port.  The bug I
mentioned earlier was over port 80, generally allowed for your
internal hosts to talk out to port 80, but, much like an IPS, it
triggered on a Trojan filter.  We have a rule set for one of our web
servers to only allow applications "web-browsing" and "web-crawler"
from the Internet.  With the ASAs we are moving from, we allowed
anything on port 80.


+2 here.

Ronald King
Security Engineer
Norfolk State University
http://security.nsu.edu


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Entwistle, Bruce
Sent: Thursday, November 08, 2012 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IPS recommendations


Our current IPS is reaching EOS, so we would take this opportunity to
look at alternatives to our existing Tipping Point unit.  I was
looking to see what everyone else is using and how well it is working
for them.


Thank you

Bruce Entwistle

University of Redlands
