IDS mailing list archives
Re: How to choose an IDS/FW MSS provider
From: buineach <securesolutions () gmail com>
Date: Thu, 10 Mar 2005 16:28:57 +0000
Stephane

What is an appliance these days!!
Answer: everything.
What is a Checkpoint fw?
Answer: a Dell PC running Linux.

What are most IPS? If you look past the appliance label you will find a Linux kernel/OS. So what does this run on? A central CPU, I think you will find. How does it do its string searching? Most use an Agere Systems string search engine, hanging off a PCI bus. How do you ensure all traffic is coalesced to ensure it cannot evade the string search engine's signature checks? You will find that the CPU has to deal with fragmentation and TCP reassembly. Any true IPS must be stateful and therefore cannot just simply forward fragments. So when I send in TCP fragmented garbage to these devices and try to send in legitimate traffic to the same destination, these units generally come to a standstill. This is why I say it is a PC architecture, because it is.

Look at the vendors who failed the NSS test and you will see a common theme here. And look at the tools used to test it.

A managed service from anyone when used as an IDS is great because you don't have to look at the false positives that they have disabled because they are inaccurate. What about the hundreds of people who deployed IDS without a managed service and found it impossible to tune?

I think you will admit that the technology used by IDS vendors is almost the same as the appliance IPS they now promote.

As a test, send a 1Mb/sec synflood through any one of these devices. You will see it trigger a synflood, but look on the dest server: syn received from the spoofed sources.

These devices are at best good for managed IDS but for 24/7/365 uptime of your network :-)

My problem really is that they are promoting this technology for inline protection when they can so easily become the main bottleneck in any network.

Mick

On Wed, 09 Mar 2005 11:33:55 +0100, Stephane <stephane.d () ecologie net> wrote:
buineach wrote:
Stephane
My opinions here are based on testing I did against all these vendors in the IPS space. Netscreen IDP, Checkpoint (whatever) & ISS Proventia are PC based solution like all PC based solutions it has a bad foundation to build [...]

Sorry, what do you mean by PC based solution? ISS Proventia A and G are appliances running a cut-down dedicated Linux kernel. By PC based you mean Site Protector working on Windows?

5 years ago, we were sure the firewalls have to have the solution for all the network stuffs we do not want out of an unsecure network. Force to see it is completely wrong by the time we are having.

By the level of experience, I am almost sure ISS and its Managed Security Services are the best to provide the 24x7 SLA we need. Furthermore, I do not trust Cisco, Network Associates or the Yellow_Stuff since IDS and even IPS is not their core business at all, they are just getting profits out of their sales channels ;-) 10 years ago, ISS was already on the game, this does the difference.

Stephane
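
An added illustration of the reassembly point raised in the message above (not code from the thread or from any product it names): a per-segment string search misses a signature split across TCP segments, a stateful reassembler catches it, and the reassembly buffer needs a hard cap so that junk segments cannot consume the sensor. The signature, the budget value and all sample segments are constructed assumptions.

```python
SIGNATURE = b"/bin/sh"   # constructed signature, for illustration only
KEEP = len(SIGNATURE) - 1

def match_per_segment(segments):
    """Stateless check: search each segment on its own."""
    return any(SIGNATURE in data for _seq, data in segments)

class FlowReassembler:
    """In-order TCP payload reassembly with a hard cap on buffered bytes."""

    def __init__(self, isn, budget=4096):   # budget is an assumed per-flow limit
        self.next_seq = isn
        self.pending = {}      # seq -> payload held until the gap before it fills
        self.buffered = 0
        self.budget = budget
        self.dropped = 0
        self.tail = b""        # last KEEP bytes, so a match can span segments
        self.matched = False

    def add(self, seq, data):
        if seq < self.next_seq or seq in self.pending:
            return             # old or duplicate data; overlaps are not handled here
        if self.buffered + len(data) > self.budget:
            self.dropped += 1  # over budget: shed this segment, keep the flow bounded
            return
        self.pending[seq] = data
        self.buffered += len(data)
        while self.next_seq in self.pending:          # drain contiguous payload
            chunk = self.pending.pop(self.next_seq)
            self.buffered -= len(chunk)
            window = self.tail + chunk
            self.matched = self.matched or SIGNATURE in window
            self.tail = window[-KEEP:]
            self.next_seq += len(chunk)

# Constructed sample: signature split across two out-of-order segments.
SPLIT = [(1007, b"n/sh HTTP/1.0\r\n\r\n"), (1000, b"GET /bi")]

def inspect(segments, isn, budget=4096):
    flow = FlowReassembler(isn, budget)
    for seq, data in segments:
        flow.add(seq, data)
    return flow

if __name__ == "__main__":
    print(match_per_segment(SPLIT), inspect(SPLIT, 1000).matched)
    junk = [(100 + 32 * i, b"A" * 32) for i in range(10)]   # never fills the gap at 0
    print(inspect(junk, 0, budget=64).dropped)
```

Whether an over-budget segment is dropped on the wire or forwarded uninspected is a policy choice for an inline device; the sketch only counts it.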