IDS mailing list archives

RE: Top Layer Attack Mitigator - Experience?


From: James Pichardo <james.pichardo () gmail com>
Date: Fri, 27 Aug 2004 13:01:17 -0400

Hi,

We've been using TL 2800 platform for about 6 months and recently
switched to their new 5500 platform. Our experience has been quite
good regarding the hardware and also we feel we are working with guys
who really have experience in DDoS. That's the best part of TL: they
have very knowledgeable security engineers with real experience on
high traffic attacks and they just make sure the IPS fits well on your
infrastructure.

Hardware side, let me tell you this: we went through really difficult
times with huge attacks. As with most companies, it took us completely
unprepared. Our PIX 535 behaved like a small hub during the attacks,
completely inoperative and unable to sustain the SYNs/sec traffic.
So we went shopping and of course went to the big names first. We
initially deployed a NetScreen 5200 and after a couple of attacks it
became useless as well. At that point our ISP suggested TL. We were
not sure at the beginning since the company can be considered small if
compared with Cisco and NS, but TL offered us a trial. This just
worked well. They even tested the IPS deployment with IXIA traffic
generators and proved to us that the 2800 (it is a cluster of 8 IPS)
sustained attacks of 550-600,000 SYNs/sec. We haven't had very large
attacks since then (only small attacks of about 60,000 SYNs/sec), but
after the equipment has been working flawlessly for the last 6 months we
are pretty confident we are in good hands.

The only thing I could mention for the 2800 was the management
interface. It seemed clumsy to me at times but the new platform (5500)
has made excellent improvements on this side. They also lack a very
comprehensive MIB but the enhancements to the alarm triggering
mechanism (you can now generate syslog messages that alert when
SYNs/sec are above a threshold level) are steps in the right
direction. These guys seemed to work hard
improving their IPS offer; they have made the architecture more
modular and even added a Firewall module which should help network
engineers to enforce security policies and save some CPU cycles on the
IPS unit.

Overall I see the TL guys in a very comfortable position in the IPS
market and if their support continues to be as good, they'll just
be doing the right stuff.

James.

