Actually, FinAckSyn; the Guard doesn't work that way. Traffic headed
into zones under protection is routed into the Guard itself, and then
various forms of antispoofing and anomaly-detection are performed to
determine whether or not the traffic is valid. Invalid traffic is
dropped by the Guard, while valid traffic is re-injected into the
network in order to continue towards its destination.
The Guard is usually configured as an on-demand device; it's only
'inline' when needed, the rest of the time, traffic follows its
normal course through the network. This type of operation ensures
that the Guard is only examining traffic when such examination is
required, and also doesn't require the network to be re-engineered in
order to induce artificial symmetry.
In the case of your SP using the Guard to protect your gaming
servers, it sounds to me as if some baselining is needed in order to
fine-tune the Guard's profiles of what constitute normal and valid
traffic to your gaming servers.
For more information on the Guard, NetFlow, and Arbor, see this URL:
http://www.cisco.com/go/cleanpipes
On Nov 24, 2005, at 10:58 AM, FinAckSyn wrote:
Hi Joel,
Cisco Guard doesn't actually 'stop' SYN packets - it
tells routers where the bad traffic is coming from,
and gets the routers to block by blackholing the
route.
So yes, may look great in a lab environment where your
Cisco 7200s are happily throwing SYN packets into
oblivion, but in the real world, both the SYN Cookie
mechanism and routing manipulations cause a lot of
problems with real world traffic.
This is where an inline device is so important -
something that can understand both ends of the
connection and work out whether it's valid or not
before throwing it away.
Our ISP uses Cisco Guard, but we tell them to turn it
off, unless absolutely necessary to protect their own
peering points, as if it's left on always, it throws
our customer's customers out of their online gaming
sessions (which is bad news for them and us!).
Regards,
Matt
--- Joel Friedman <jfriedman@datapipe.com> wrote:
Riverhead (now Cisco Guard) is by far the best
choice. We had a little in
house shoot-out where we attacked multiple vendors'
hardware and graphed
their results into the millions of packets per
second. Due to NDA's we are
not allowed to disclose which vendors, nor their
results, but I can say that
Riverhead successfully defended against more than
twice the load of its
competitors...at the time it was able to stop
approximately 1.5 million SYN
packets per second while still allowing legitimate
traffic.
IMHO there is no other choice.
--Joel
-----Original Message-----
From: Kyle Quest
[mailto:Kyle.Quest@networkengines.com]
Sent: Wednesday, November 23, 2005 2:42 PM
To: focus-ids@securityfocus.com
Subject: RE: Denial of Service: Commercial Defense
products
You should really look at Top Layer if you are
serious
about defending against denial of service attacks.
Don't even waste your time on Mazu or McAfee.
Tipping Point is suppose to get better at it
as well (they were working on some news things
the last time I had a chance to talk to one
of their top guys), but I don't know if it's
already available.
I would recommend looking at the NSS reports
(http://www.nss.co.uk/download/download.htm).
Unfortunately, the online version of the report
that includes Top Layer review is no longer
available,
but you can still buy it for a couple of bucks.
Kyle
-----Original Message-----
From: Ogle [mailto:myinfosec@gmail.com]
Sent: Tuesday, November 22, 2005 4:44 AM
To: focus-ids@securityfocus.com
Subject: Denial of Service: Commercial Defense
products
Hi,
I have an ISP customer who want to protect their
network and their
subscriber's network.
In "Internet Denial of Service: Attack and Defense
Mecahnisms" book, I
noticed 7 commercial products.
1. Mazu Enforcer by Mazu Networks
2. Peakflow by Arbor Networks
3. WS Series Apliances by Webscreen Technologies
4. Captus IPS by Captus Networks
5. MANAnet Shield by CS3
6. Cisco Traffic Anomaly Detector XT and Cisco Guard
XT
7. StealthWatch by Lancope
Since I'm new with this type of products, is there
any reference out
there to help me choose the right solution to my
customer ?
Is there any problem if I use IPS (ie: TippingPoint,
McAfee) for this
solution ?
Thanks.
___________________________________________________________
WIN ONE OF THREE YAHOO! VESPAS - Enter now! - http://
uk.cars.yahoo.com/features/competitions/vespa.html
----------------------------------------------------------------------
--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-
ids_040708
to learn more.
----------------------------------------------------------------------
--
--------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
Algorithm agility is an essential feature in any Internet protocol.
-- Bruce Schneier
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
