
[ISSForum] Information about Proventia Change-State Gap

Subject: [ISSForum] Information about Proventia Change-State Gap
Date: Mon, 15 Nov 2004 12:58:00 -0600
I am trying to implement the ISS Proventia G-series as an intrusion
detection monitor (and hopefully- eventually, as an IPS blocker) into an
environment with heavy use of Citrix and Terminal Services sessions.

 

I've noticed that there is a gap of service when the Proventia G-series
goes through a "change state" (such as applying updates, changing
policy, applying response, or even a power down, or power up).  The most
recent firmware *(1.0_2004.0524_00.01.03) has been applied, and the
units are running SR 4.3.  This definitely improves that change state
time (from approx 3 seconds) to "typically less than 1 second"
(depending on the environment), and it also cures some (CRC)
transmission errors that may have been present in original firmware (but
may have only affected certain environments).  At this point, I'm led to
believe that the change state gap is as good as it's going to get, at
"less than 1 second".  However, in my testing this still drops Citrix
sessions.  

 

This leads to a concern about all TCP session related communications,
such as remote access terminal sessions, VPN, and other such.  Has
anyone identified other sessions that may be affected?

 

The problem is that a change state of this nature will usually always
disrupt a Citrix session, and frequently disrupts Windows terminal
services sessions.  Because our environment delivers these (Citrix &
Windows Term Srvcs) with a specific SLA, the disruption in service
afforded by the change-state gap on the Proventia G is not tolerable.

 

Does anybody else have Proventia G deployed in an environment with heavy
Citrix usage?  If so, what product enhancements or procedural
modifications have been employed to make the Proventia G viable in an
environment like this?  

 

Does anyone know of any other work around that would make the
Proventia G series viable to work seamlessly in an environment where a
"1 second" change state gap can impact the delivery of services?

 

I'm confident that other enterprises are using the Proventia G in
environments with a high sensitivity to brief gaps in service.  I
just need to provide a technical resolution, or procedural work around,
or even some slick sales talk that would address the concerns of
management. 

 

How do other IPS products on the market afford the change-state needed
to update signatures, etc?  How about other network infrastructure
products, that may not be ISS or security related, that impose a brief
gap?  How would work-arounds be applied to something like that?

 

Any information provided that would address these concerns would be
appreciated.

 

Dan Widger

713\892-3471

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.