RE: [Fwd: Re: [Snort-users] tippingpoint]
This is a discussion on RE: [Fwd: Re: [Snort-users] tippingpoint] within the Snort forums, part of the System Security and Security Related category; Check out our IDS test methodology in our latest reports (www.nss.co.uk/gigabitids or www.nss.co.uk/...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
10-17-2003
|
|||
|
|||
RE: [Fwd: Re: [Snort-users] tippingpoint]
Check out our IDS test methodology in our latest reports
(www.nss.co.uk/gigabitids or www.nss.co.uk/ids) for some ideas on how to approach this type of testing. Unfortunately you need to be prepared to spend some big bucks to create the sort of lab environment we have here, but I do know that there are quite a few places that will rent out the Spirent/Caw equipment now (I am losing track of what they are actually calling it THIS week ;o)... Way to mess with a good brand name guys!) FYI - the testing for our first IPS group test is now underway (with some VERY interesting results already!) - it will be published in December. Regards, Bob Walder Director The NSS Group ------------------------------------------------------------------------ ---------- This message is intended for the addressee only and may contain information that may be of a privileged or confidential nature. If you have received this message in error, please notify the sender and destroy the message immediately. Unauthorised use or reproduction of this message is strictly prohibited. >> -----Original Message----- >> From: snort-users-admin@lists.sourceforge.net >> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf >> Of Josh Berry >> Sent: 17 October 2003 19:53 >> To: Geoff >> Cc: snort-users@lists.sourceforge.net >> Subject: Re: [Fwd: Re: [Snort-users] tippingpoint] >> >> >> What tools did you use to test these concurrent connections? >> I am currently looking for a good product to test the >> validity of vendors data sheets (in other words when they >> say it handles 100,000 connections per second I want to >> verify that it really does). >> >> >> > >> > >> > Thanks Marc. Not to get to much into tipping point sales >> speak but we >> > through 200,000 concurrent connections and about 9,000 session >> > establishments per sec at >> > the box and it did not fall over. The rough numbers we >> generated for >> > blocking >> > per sec where 265 packets per sec (dropped and blocks >> written to the >> > interfaces). Besides a hardware problem with a miniGbic, >> we didn't even >> > get it >> > to hiccup much less fall over. The signature detection is >> (hear comes the >> > sales >> > speak) all ASIC based. I will leave that for what it is >> because I don't >> > know >> > enough to really talk about the benefits of different hardware >> > architectures. >> > But it is fast! >> > >> > Please don't get me wrong. This is not a replacement for >> IDS. Even the >> > sales guy from tipping point told me that :). Deep packet >> inspection >> > and data correlation >> > are a slow process and better suited to "off" line number >> crunching (ie. >> > IDS). >> > >> > Geoff >> > >> > Marc Quibell wrote: >> >> >> >> Sounds like you have a well thought-out implemetation Geoff. My >> >> greatest "fear" of IPSes is the fact that placing a >> device in your >> >> network, towards the "top" >> >> (where all traffic goes thru), a device that has to read >> the entire >> >> contents of >> >> a packet (not just the headers)....ewwww...scary. I >> suppose it's no >> >> different >> >> than a Layer 7 firewall, but I would be more confortable >> going with a >> >> mature and >> >> real-world tested product, like maybe a cisco product. I >> gotta let you >> >> know >> >> though that we're an ISS shop and we're looking at >> Proventia real close! >> >> Currently we use host-based protection, but not on >> everything. I also >> >> use Snort. >> >> Thanks. >> >> >> >> Marc >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> gpoer@arizona.edu on 10/16/2003 08:14:03 PM >> >> >> >> To: Marc Quibell/FBFS@FBFS >> >> cc: >> >> >> >> Subject: Re: [Snort-users] tippingpoint >> >> >> >> >> >> >> >> Ok had to respond to this one :) >> >> >> >> > IPS right now is too dangerous to implement. No one in >> their right >> >> mind would > risk the network outages caused by vulnerable IPSes. >> >> >> >> Their are plenty of companies running IPS and running it >> >> successfully. Implementation of an IPS requires that you only >> >> implement signatures that have a VERY low rate of false >> positive or >> >> traffic that you just flat out don't care if >> >> it gets dropped. For example: In our testing we dropped ICMP >> >> stacheldraht Agent >> >> to Server Hello packets. It is a very easy sig to spot. the word >> >> "skillz" inside an ICMP echo reply packet. Rarely are we >> going to see >> >> that one >> >> in the wild with Business critical traffic. We also >> dropped ICMP Welchia >> >> packets, they consist of an echo request with 64 A's. A >> well known false >> >> positive for that signature is the Yahoo keep alive >> packets for Instant >> >> Messenger. We made the decision that we simply do not >> care about that >> >> traffic. >> >> >> >> While I will agree that the Gartner group needs to >> reevaluate their >> >> system for recommendations concerning technology. (don't just ask >> >> your customers, try >> >> asking some well established experts) That doesn't mean >> that IPS is the >> >> next >> >> coming of the anti-christ either (martha steward being the 1st). >> >> >> >> Geoff >> >> >> >> >> >> >> >> Marc Quibell wrote: >> >> >> >>> >> >>> >> >>>What about it? Who cares what Gartner says? They have no >> idea what >> >>>they're talking about, and the clown who wrote that artcle was >> >>>discredited by IDS >> >> >> >> pros, >> >> >> >>>when he was forced to confront them. He says IDS is dead >> because it >> >>>was >> >> >> >> useless >> >> >> >>>(too many false alerts [bullcrap, we don't have any], not >> Gigabit >> >>>capable [another lie]), not because HIDS was better. Security in >> >>>layers, this is what >> >>>it's all about. HIDS is good too. But HIDS don't make IDS >> dead! He's in >> >>> his >> >>>Ivory tower being paid to discredit IDS. Do you really think these >> >>> people who >> >>>write these criticizms actually use the product? NO! He >> also said IDS >> >>> was not >> >> >> >> an >> >> >> >>>auditing tool, but was shot down on that issue too, because it is. >> >>> >> >>>Policy Auditing is what it's used for as well, "How many >> of our users >> >>>are >> >> >> >> using >> >> >> >>>Kazaa?" -or- "Look at all of our users compromising our >> network by >> >>>using GotoMyPc!" >> >>> >> >>>What's really cool is using Crystal Reports with the Snort >> >>>database..YEAH! Do THAT with IPS! >> >>> >> >>>IPS right now is too dangerous to implement. No one in >> their right >> >>>mind would risk the network outages caused by vulnerable IPSes. >> >>> >> >>>Cheese >> >>> >> >>>Marc >> >>> >> >>> >> >>>Message: 11 >> >>>Subject: RE: [Snort-users] tippingpoint >> >>>Date: Thu, 16 Oct 2003 10:34:16 -0400 >> >>>From: "Rich Stryker" <rstryker@virtuallearning.net> >> >>>To: <snort-users@lists.sourceforge.net> >> >>> >> >>>Here is a report by the Gartner Group. It says IDS has been a >> >>>complete = failure and the host based IDS systems are the >> way to go >> >>>until the new = generation firewalls come out. >> >>> >> >>>http://techrepublic.com.com/5100-6298-5078279.html >> >>> >> >>> >> >>> >> >>> >> >>>------------------------------------------------------- >> >>>This SF.net email is sponsored by: SF.net Giveback Program. >> >>>SourceForge.net hosts over 70,000 Open Source Projects. See the >> >>>people who have HELPED US provide better services: Click here: >> >>>http://sourceforge.net/supporters.php >> >>>_____________________________________________ __ >> >>>Snort-users mailing list >> >>>Snort-users@lists.sourceforge.net >> >>>Go to this URL to change user options or unsubscribe: >> >>>https://lists.sourceforge.net/lists/...fo/snort-users >> >>>Snort-users list archive: >> >>>http://www.geocrawler.com/redir-sf.p...st=snort-users >> >> >> >> >> >> >> >> >> >> >> >> >> > >> > >> > >> > >> > ------------------------------------------------------- >> > This SF.net email sponsored by: Enterprise Linux Forum >> Conference & >> > Expo The Event For Linux Datacenter Solutions & Strategies in The >> > Enterprise Linux in the Boardroom; in the Front Office; & in the >> > Server Room http://www.enterpriselinuxforum.com >> > _______________________________________________ >> > Snort-users mailing list >> > Snort-users@lists.sourceforge.net >> > Go to this URL to change user options or unsubscribe: >> > https://lists.sourceforge.net/lists/...fo/snort-users >> > Snort-users list archive: >> > http://www.geocrawler.com/redir-sf.p...st=snort-users >> > >> >> >> Thanks, >> Josh Berry, CTO >> LinkNet-Solutions >> 469-831-8543 >> josh.berry@linknet-solutions.com >> >> >> >> ------------------------------------------------------- >> This SF.net email sponsored by: Enterprise Linux Forum >> Conference & Expo The Event For Linux Datacenter Solutions & >> Strategies in The Enterprise >> Linux in the Boardroom; in the Front Office; & in the Server Room >> http://www.enterpriselinuxforum.com >> _______________________________________________ >> Snort-users mailing list >> Snort-users@lists.sourceforge.net >> Go to this URL to change user options or unsubscribe: >> >> https://lists.sourceforge.net/lists/listinfo/sno>> rt-users >> >> >> Snort-users list archive: >> http://www.geocrawler.com/redir-sf.p...st=snort-users >> ------------------------------------------------------- This SF.net email sponsored by: Enterprise Linux Forum Conference & Expo The Event For Linux Datacenter Solutions & Strategies in The Enterprise Linux in the Boardroom; in the Front Office; & in the Server Room http://www.enterpriselinuxforum.com _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
