networking-forum.com
Post subject: IPS recommendations?
PostPosted: Wed Jan 23, 2008 6:16 am
Senior Member, Melbourne, Australia (Joined: Wed Mar 28, 2007 1:52 am, Posts: 483)

I'm interested to know people's experiences with IPSs.

There is an article on networkworld.com comparing some higher-end models.

I've recently been asked to look at IPSs for a prospective client. As I'm not a security specialist, I generally have an on/off (up to layer 4) approach to security. :) If it's not needed, turn it off/block it. If it is, let it through. Some may shun this approach, but the data I deal with isn't particularly sensitive, until now.

Do IPSs only examine traffic that is allowed to pass through your open ports? Or do they examine all traffic on a particular interface for anomalies?

Has anyone seen an attack happen and be mitigated by one of these devices?

Would an ASA5510 with the AIP SSM pick up something like a host trying to connect to a port many times within a specified time frame? I think this is called a brute-force attack.

How fast are Cisco with signatures? If there is a zero-day exploit for a particular app and the port is open, is it game over?

Do they pick up on port scans and then instantly block all traffic coming from that source?

This new app is going to be facing the internet and processing sensitive data. I'll do all the usual stuff like putting the server in a DMZ and using a reverse proxy if it's HTTP. If I tell the developers they have to use a secure transfer method (SSL), then is putting in an IPS a waste of time?


PostPosted: Wed Jan 23, 2008 1:21 pm
Cisco Inferno, Seattle (Joined: Mon Jul 10, 2006 12:58 am, Posts: 10201)

I typically stay away from Cisco IPS unless the entire network is Cisco and there is no prospect of changing. Cisco IPS tends to sync up really well with other Cisco gear.

You'll hear rfn_jhardy talk about TippingPoint for IPS, their stuff is good too, quite scalable.

Knowing me, I think you know what's coming: I use snort. I have had good experiences particularly because it's really flexible and quite powerful.

Also, IPS depends largely on where you work. For example, some networks don't need them at all, while some completely rely on them. Most of the Fortune 500 probably have dedicated IPS teams, folks who do nothing but, I'm sure they're quite busy too.

Typically IPS gear runs a database of security anomalies (traces of suspicious-looking behavior)... so essentially they know what looks dangerous and what looks innocuous. They match up traffic with that database, and if it fails, they block (or instruct other gear to block) said traffic.

Naturally, this type of system could block legit traffic as well, which does happen sometimes, but vendors do their best to streamline their algorithms to make this not happen.

As for all of your particular questions, it depends on a vendor-by-vendor basis. You'd be best to look at Cisco's IPS/IDS tracing mechanisms and algorithms on their web site, there's quite a bit of info out there on it.

Just figured I'd chime in :)

_________________
Reasonably un-nerdy blog:
americanwerewolfinbelgrade.wordpress.com/


PostPosted: Wed Jan 23, 2008 3:56 pm
Ultimate Member, Newport Beach, CA (Joined: Tue Dec 04, 2007 5:25 am, Posts: 558)

Ian's right... I will pimp TippingPoint (especially since they just left 3Com).

Their stuff scales HUGE (but starts as small as you need it to be). They have Snort capabilities via the free signature editor/creator that you can download from them.

I think the best thing about TippingPoint is that they started and "own" ZDI (Zero Day Initiative). They also pay out to anyone who discovers a security leak and reports it.

Out of the box, the system is really ready to be put into production, and unlike Juniper's system, which has to do a host scan and applies rules that only apply to that host, this just eliminates all known problems (you can customize what to turn on and off) for whatever OSes you want to lock down (*nix, Apple, Windows, etc.).

We also use them to deal with Oracle security patches. We block it at the edge and don't have to deal with patching the apps and DBs.

The way the TippingPoint system works is you have an IN and an OUT interface in a resource group. You usually put it in between the LAN and the firewall's LAN port. It will scan all traffic looking for specific signatures. If it sees a specific sig (i.e. Nimda), it will perform the default filter action or whatever you set the filter action to (default is block).

You can use the TippingPoint to block port-scan type attacks by masking what apps are responding on the port. Usually this isn't recommended, as some applications will break with that type of response. It can also do traffic patterns, though. If it sees a lot of port query (open/close) type traffic, it will flag that as anomalous traffic and restrict it, quarantine it (sandbox), etc. It really depends on what you want it to do.

There are also real-time reporting capabilities with the SMS server (System Management). As a "threat" is seen, it can alert you in real time if the threat level is high enough (again, a customizable flag).

Anyway, I can keep going on if you need me to!

Thanks!


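The two replies above describe the same two mechanisms from different vendors: a signature database matched against payloads (the "Nimda" sig with a block action) and rate-based anomaly detection that quarantines a source hammering one port (the original poster's brute-force question) or touching many ports (a port scan). The following is an added example for this thread, not code from Cisco, TippingPoint or Snort and not from any poster; the log format, rule patterns, thresholds and sample addresses are assumptions chosen for the illustration, and the sample log is constructed.

```python
"""Toy inline IPS: a signature stage plus two rate-based anomaly stages.

Added illustration for this thread, not vendor code. The log format,
rule patterns, thresholds and sample addresses are all assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern
    action: str = "block"       # what the filter does on a hit


# Assumed signature database: patterns over the application payload.
SIGNATURES = [
    Signature("Nimda-style cmd.exe/root.exe probe",
              re.compile(r"/(?:cmd|root)\.exe", re.IGNORECASE)),
    Signature("directory traversal in URI",
              re.compile(r"(?:\.\./){2,}")),
]


class Ips:
    """Inspects one connection record at a time and returns a verdict."""

    def __init__(self, signatures, conn_threshold=10, conn_window=5.0,
                 scan_threshold=20, scan_window=3.0):
        self.signatures = signatures
        self.conn_threshold, self.conn_window = conn_threshold, conn_window
        self.scan_threshold, self.scan_window = scan_threshold, scan_window
        self.conn_hist = defaultdict(deque)   # (src, dport) -> [(ts, dport)]
        self.port_hist = defaultdict(deque)   # src -> [(ts, dport)]
        self.blocked = set()                  # quarantined source addresses
        self.alerts = []                      # (ts, src, reason)

    @staticmethod
    def _prune(q, now, window):
        """Drop records that fell out of the sliding time window."""
        while q and now - q[0][0] > window:
            q.popleft()

    def inspect(self, ts, src, dport, payload):
        # Stage 0: a quarantined source is dropped without inspection.
        if src in self.blocked:
            return "drop"

        # Stage 1: signature match against the cleartext payload.
        for sig in self.signatures:
            if sig.pattern.search(payload):
                self.alerts.append((ts, src, sig.name))
                return sig.action

        # Stage 2: one source hammering one port (brute-force pattern).
        q = self.conn_hist[(src, dport)]
        q.append((ts, dport))
        self._prune(q, ts, self.conn_window)
        if len(q) > self.conn_threshold:
            self.alerts.append((ts, src, f"connection flood to port {dport}"))
            self.blocked.add(src)
            return "quarantine"

        # Stage 3: one source touching many distinct ports (port scan).
        p = self.port_hist[src]
        p.append((ts, dport))
        self._prune(p, ts, self.scan_window)
        if len({d for _, d in p}) > self.scan_threshold:
            self.alerts.append((ts, src, "port scan"))
            self.blocked.add(src)
            return "quarantine"

        return "pass"


# Constructed sample log: (seconds, source IP, destination port, payload).
SAMPLE_LOG = [
    (0.0, "10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    (1.0, "10.0.0.5", 80, "GET /scripts/root.exe?/c+dir HTTP/1.0"),
    # 12 SSH connection attempts from one host within 5 seconds
    *[(2.0 + 0.4 * i, "192.0.2.9", 22, "SSH-2.0-OpenSSH_4.7") for i in range(12)],
    # one host probing 25 distinct ports within 3 seconds
    *[(10.0 + 0.1 * i, "198.51.100.7", 1000 + i, "") for i in range(25)],
    (20.0, "10.0.0.6", 443, "GET / HTTP/1.1"),
]


def run(log, ips=None):
    """Feed a log through the IPS; returns (verdicts, ips) for inspection."""
    ips = ips if ips is not None else Ips(SIGNATURES)
    return [ips.inspect(*record) for record in log], ips


if __name__ == "__main__":
    verdicts, ips = run(SAMPLE_LOG)
    for (ts, src, dport, _), v in zip(SAMPLE_LOG, verdicts):
        if v != "pass":
            print(f"t={ts:5.1f} {src:>14}:{dport:<5} {v}")
    print("quarantined:", sorted(ips.blocked))
```

Two caveats a practitioner would add to the thread's answers. The signature stage only sees cleartext, so if the application is put behind SSL as the original poster proposes, payload inspection has to happen behind whatever terminates TLS (the reverse proxy), while the two rate stages still work on connection metadata alone. And the thresholds are where the legit-traffic blocking the second reply mentions comes from: a well-behaved client retrying a flaky connection looks exactly like the flood in stage 2, which is why vendors ship these as tunable filters rather than fixed rules.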
PostPosted: Wed Jan 23, 2008 4:17 pm
Cisco Inferno, Seattle (Joined: Mon Jul 10, 2006 12:58 am, Posts: 10201)

rfn_jhardy wrote:
They also pay out to anyone who discovers a security leak and report it.


I do really like that aspect... big ups to anybody who is ready and willing to deal with vulnerabilities in a mature manner.

rfn_jhardy wrote:
We also use them to deal w/ Oracle security patches. We block it at the edge and don't have to deal w/ patching the APPs and DBs.


Damn... it's already January... that would make my job easier :)



PostPosted: Wed Jan 23, 2008 4:19 pm
Post Whore, Plano, TX (Joined: Sat Oct 20, 2007 11:05 am, Posts: 1952, Certs: CCNA)

How much are TippingPoint IPS devices?


PostPosted: Wed Jan 23, 2008 4:42 pm
Ultimate Member, Newport Beach, CA (Joined: Tue Dec 04, 2007 5:25 am, Posts: 558)

It depends on the bandwidth you want to push through it. It can range, though. We spent 30k altogether on our system (SMS and IDP). It varies, though.

When sizing a system, the number in the model name represents actual throughput, i.e. TP-600 = 600 Mbps of throughput...


PostPosted: Wed Jan 23, 2008 8:36 pm
Senior Member, Melbourne, Australia (Joined: Wed Mar 28, 2007 1:52 am, Posts: 483)

Wow :) Many thanks, great responses.

I'm going to have a good look at the tripping point gear now. Will let everyone know how it goes.


PostPosted: Wed Jan 23, 2008 9:06 pm
Ultimate Member, Newport Beach, CA (Joined: Tue Dec 04, 2007 5:25 am, Posts: 558)

netman839 wrote:
Wow :) Many thanks, great responses.

I'm going to have a good look at the tripping point gear now. Will let everyone know how it goes.


You might want to look at TippingPoint first... :wink:


PostPosted: Wed Jan 23, 2008 10:08 pm
Cisco Inferno, Seattle (Joined: Mon Jul 10, 2006 12:58 am, Posts: 10201)

Hahah... tripping point.



PostPosted: Thu Jan 24, 2008 4:30 am
Senior Member, Melbourne, Australia (Joined: Wed Mar 28, 2007 1:52 am, Posts: 483)

:D Haha, yes, well, the "r" key is right next to the "t", so I must have mashed it and not checked it carefully enough when I typed it.


PostPosted: Thu Jan 24, 2008 3:11 pm
Ultimate Member, Newport Beach, CA (Joined: Tue Dec 04, 2007 5:25 am, Posts: 558)

Hahaha... No worries!

