Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: location of an IPS

from [FinAckSyn] Network Security [Permanent Link]
Subject: Re: location of an IPS
Date: Fri, 21 Oct 2005 09:22:51 +0100 (BST) 
Worst case scenario, you have 5,000 SYN Packets
(equates to approx 3Mbs), all trying to establish a
conection.
Each of these will create a flow/connection table
entry on the Unity 50, so 5,000 packets equates to
5,000 (half) connections per second.
So I would always design a perimeter solution with
this in mind.  
Remember, I'm talking worst case scenario, and not
what would be in a typical stream - 5,000 connections
can easily run into a gig.
But it's not normal traffic we want to deal with using
an IPS - it's the abnormal stuff - bad content and
unacceptable rates.
Start with the worst possible thing that could happen,
and you've got yourself a decent security solution.
Under engineer, and you've only got yourself to blame
when it all goes tits up.  :)

Matt


--- Kurt Seifried <bt@seifried.org> wrote:


Uhh your math is wrong. You're assuming each packet
is a new connection/etc. 
I can saturate my backend 100 megabit network with 1
connection (rsync 
backups). 5,000 connections per second is a
reasonable amount of traffic 
(5,000 simaltaneous emails, www sessions, DNS
queries, etc, it's certainly 
possible, and chances are it will consume a
significant amount of 
bandwidth).

-Kurt Seifried



An IPS should be placed in front of the firewall,

to

provide complete network protection.
However, the Unity 50 is quite low spec - 5,000
connections per second, 5,000 concurrent

connections.

Bearing in mind most Check Point firewalls have a
default connection table size of 40,000 (?)
connections, then putting the Unity 50 in front of
your firewall would be a bottleneck.
Assuming small packet size (512bits per packet),

then

5,000 of these per second equates to just under

3Mbs.

If your Internet feed is less than this, then no
problem.  If it's higher, then the Unity 50 would

not

be able to handle a 3Mbs pipe full of small

packets.

You should really design your perimeter with this
worse case scenario in mind, especially if you

have

negotiated burst rates with your ISP and your ISP

feed

can suddenly shoot up in usage.
Port scans should be blocked by the firewall - all
irrelevant ports are discarded at this point.  I'm

not

sure how the Unity 50 handles port scans, I

haven't

played with one yet...  ;)

Regards,

Matt




--- Doug Fox <dfox168@hotmail.com> wrote:


I'm sorry for this dumb question, which may have
been answered many times.

Where should one place an TippingPoint Unity 50

IPS

device?  Behind or in
front of a firewall?

I have a/the TippingPoint behind a Check Point
firewall. Even though we
externally and internally port-scanned the

firewall

and the IPS many times,
the activity log did not contain any record of

the

"attacks".

What am I missing here?  Any pointers are
appreciated.

Thanks,







------------------------------------------------------------------------

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to






http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708


to learn more.






------------------------------------------------------------------------












___________________________________________________________

To help you stay safe and secure online, we've

developed the all new 

Yahoo! Security Centre.

http://uk.security.yahoo.com






------------------------------------------------------------------------

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to



http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.




------------------------------------------------------------------------









                
___________________________________________________________ 
To help you stay safe and secure online, we've developed the all new Yahoo! 
Security Centre. http://uk.security.yahoo.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: location of an IPS, Kurt Seifried
Next by Date:  Re: Re: location of an IPS, asalo
Previous by Thread:  Re: location of an IPS, Kurt Seifried
Next by Thread:  Re: location of an IPS, Paul Schmehl
Indexes:  [Date] [Thread] [Top] [All Lists]