
| Subject: | Re: How to choose an IDS/FW MSS provider |
|---|---|
| Date: | Thu, 10 Mar 2005 16:28:57 +0000 |
Stephane

What is an appliance these days!! Answer: everything. What is a Checkpoint FW? Answer: a Dell PC running Linux. What are most IPS? If you look past the appliance label you will find a Linux kernel/OS. So what does this run on? A central CPU, I think you will find. How does it do its string searching? Most use an Agere Systems string search engine, hanging off a PCI bus.

How do you ensure all traffic is coalesced to ensure it cannot evade the string search engine's signature checks? You will find that the CPU has to deal with fragmentation and TCP reassembly. Any true IPS must be stateful and therefore cannot just simply forward fragments. So when I send in TCP fragmented garbage to these devices and try to send in legitimate traffic to the same destination, these units generally come to a standstill. This is why I say it is a PC architecture, because it is. Look at the vendors who failed the NSS test and you will see a common theme here. And look at the tools used to test it.

A managed service from anyone when used as an IDS is great because you don't have to look at the false positives that they have disabled because they are inaccurate. What about the hundreds of people who deployed IDS without a managed service and found it impossible to tune? I think you will admit that the technology used by IDS vendors is almost the same as the appliance IPS they now promote. As a test, send a 1Mb/sec synflood through any one of these devices. You will see it trigger a synflood, but look on the dest server: SYN received from the spoofed sources. These devices are at best good for managed IDS, but for 24/7/365 uptime of your network :-)

My problem really is that they are promoting this technology for inline protection when they can so easily become the main bottleneck in any network.

Mick

On Wed, 09 Mar 2005 11:33:55 +0100, Stephane <stephane.d@ecologie.net> wrote:
> buineach wrote:
> > Stephane
> > My opinions here are based on testing I did against all these vendors in the IPS space. Netscreen IDP, Checkpoint (whatever) & ISS Proventia are PC based solutions; like all PC based solutions it has a bad foundation to build [...]
>
> Sorry, what do you mean by PC based solution? ISS Proventia A and G are appliances running a cut-down dedicated Linux kernel. By PC based you mean Site Protector working on Windows?
>
> 5 years ago, we were sure the firewalls had to have the solution for all the network stuff we did not want out of an unsecure network. We are forced to see it is completely wrong by the time we are having. By the level of experience, I am almost sure ISS and its Managed Security Services are the best to provide the 24x7 SLA we need. Furthermore, I do not trust Cisco, Network Associates or the Yellow_Stuff since IDS and even IPS is not their core business at all; they are just getting profits out of their sales channels ;-) 10 years ago, ISS was already in the game, this makes the difference.
>
> Stephane
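Mick's point about fragmentation and TCP reassembly comes down to how much reassembly state a device will hold. As an added illustration (not code from this thread or from any vendor named in it), the Python below is a toy IP fragment reassembler with a hard cap on pending state: stale partial datagrams are evicted, so a legitimate two-fragment datagram still completes under a flood of never-completed fragments to the same destination. Byte offsets, the cap values and the addresses are simplifying assumptions.

```python
from collections import OrderedDict, namedtuple

# Simplified model: offsets are in bytes (real IPv4 uses 8-byte units).
Fragment = namedtuple("Fragment", "src dst ident offset more_frags payload")

class BoundedReassembler:
    """Reassembler with a hard cap on pending state: a flood of never-completed
    fragments evicts stale partial datagrams instead of stalling new traffic."""
    def __init__(self, max_pending=16, max_frags_per_datagram=8, timeout=2.0):
        self.max_pending, self.max_frags, self.timeout = max_pending, max_frags_per_datagram, timeout
        self.pending = OrderedDict()  # (src, dst, ident) -> [first_seen, {offset: frag}]
        self.dropped = 0

    def feed(self, frag, now):
        """Accept one fragment; return the full payload once the datagram completes."""
        for key in [k for k, (t, _) in self.pending.items() if now - t > self.timeout]:
            del self.pending[key]  # age out stale partial datagrams first
            self.dropped += 1
        key = (frag.src, frag.dst, frag.ident)
        if key not in self.pending:
            if len(self.pending) >= self.max_pending:
                self.pending.popitem(last=False)  # evict the oldest, keep accepting
                self.dropped += 1
            self.pending[key] = [now, {}]
        frags = self.pending[key][1]
        frags[frag.offset] = frag
        if len(frags) > self.max_frags:  # oversized chain: discard it outright
            del self.pending[key]
            self.dropped += 1
            return None
        data, expected = b"", 0
        while expected in frags:  # walk the contiguous chain from offset 0
            data += frags[expected].payload
            if not frags[expected].more_frags:
                del self.pending[key]
                return data
            expected += len(frags[expected].payload)
        return None

def simulate():
    """Constructed scenario: 200 spoofed first fragments that never complete,
    then a legitimate two-fragment datagram to the same destination."""
    r = BoundedReassembler()
    for i in range(200):
        r.feed(Fragment(f"10.0.0.{i}", "10.0.0.1", i, 0, True, b"junk"), now=0.0)
    r.feed(Fragment("192.0.2.7", "10.0.0.1", 4242, 0, True, b"GET / HTTP/1.0"), now=0.1)
    result = r.feed(Fragment("192.0.2.7", "10.0.0.1", 4242, 14, False, b"\r\n\r\n"), now=0.2)
    return result, len(r.pending), r.dropped  # (b"GET / HTTP/1.0\r\n\r\n", 15, 185)
```

An unbounded table would instead keep all 200 junk entries and, on a real box, the memory and CPU that go with them; the cap is what keeps the legitimate flow moving.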