Best IPS system?

Hello mailing list,

I would like to buy the "best" system available for the IPS network of my business. My company has only 200 users, all sharing an Internet connection (10 m). We now use Sonicwall to connect, but we are concerned about hostile e-mails, malware websites, and people in piracy. Who does the best job? Which captures the most hacker attempts? The product should not interfere with operations on the network (all connection is filled by the backup off-site at night).

Many thanks,

SB

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------

RE: Best IPS system?

That's a SUPER-loaded question. There is no easy answer. And I guarantee you will get a wide array of answers and arguments. Questions like yours evoke intense emotional responses from some people.

There is no one "best" solution. Each solution can be effective depending on the expertise of your staff, complexity of your network, etc. For example, many people will howl that all you need is an open source solution. That may be a good fit, if you have the in-house expertise in open-source platforms and the time to manage and maintain it. If you don't, then a commercial appliance would be better.

Given your size, you might want to look toward a UTM (Unified Threat Management) type appliance. They offer multiple capabilities in one appliance. They typically will shine in one area and be mediocre in others. Remember, no solution is best. All of them have weaknesses.

That said, this is what I would recommend (I am sure it will deeply and profoundly offend some people, it always does):

For UTM:
  Fortinet
  WatchGuard
  Juniper SSG

For stand-alone IPS:
  TippingPoint
  Juniper
  ISS

I do a lot of work with Fortinet and have found them to be a very good and robust all-around UTM solution. A little easier to work with than Juniper and the Cisco ASA. The IPS in Fortinet is okay. The new MR6 code makes it a lot easier to work with the IPS. It is a very feature-rich platform with very good performance.

The Juniper SSGs are okay. Good overall, but the IPS is a little lacking.

WatchGuard is a deeply messed up company, but they got some new owners and seem to be turning around. Their product is very easy to use.

Another thing to keep in mind is the "best in class" problem. In an ideal world, it is best to purchase the best solution in each class (best firewall, best IPS, best mail filter, etc.). The problem with that strategy is that it is very expensive to do that. This is why UTMs have benefits. They allow you to collapse multiple applications onto a single platform. There are, of course, drawbacks to that strategy.

Best suggestion - get demos of 2 or 3 solutions, pick the one you like and be happy. But remember that no matter what you pick, it will have weaknesses and there will always be somebody who tells you it was a bad choice.

Good luck.

___________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
Anitian Enterprise Security
www.anitian.com

RE: Best IPS system?

Hello Shelly,

Intoto offers IntruPro IPS, which is deployed in L2 mode, so it would be deployed alongside your Sonicwall gateway. It offers very much what you want. Binaries are available for free download from http://wiki.intoto.com/

Basem

RE: Best IPS system?

On Thu, May 8, 2008 1:09 pm, Andrew Plato wrote:
> That's a SUPER-loaded question. There is no easy answer. And I guarantee
> you will get a wide array of answers and arguments. Questions like yours
> evoke intense emotional responses from some people.

The man speaks the truth here :-)

<snip>

> That said, this is what I would recommend (I am sure it will deeply and
> profoundly offend some people, it always does):
>
> For UTM:
> Fortinet
> WatchGuard
> Juniper SSG
>
> For stand alone IPS:
> TippingPoint
> Juniper
> ISS

My two cents: ISS is atrocious. I can't stress that enough. I'm anxious to see if IBM's purchase helps or hinders their product line.

TippingPoint and Sourcefire have the best IPSs with the smartest team of engineers behind them. These folks actually have some passion for their product, just not a great marketing team with glossy brochures. Never had a problem with them. ISS products, on the other hand, failed often, didn't perform well and had terrible customer service.

As Andrew said, get some demos. Everyone in this market is itching to get these things in your hands. Some will even stop by, hook it up and show you. Take advantage and choose wisely.

Good luck,
Randy

RE: Best IPS system?

--On Saturday, May 10, 2008 01:40:49 -0400 "Randal T. Rioux" <randy@...> wrote:
> My two cents: ISS is atrocious. I can't stress that enough. I'm anxious to
> see if IBM's purchase helps or hinders their product line.

<aol>Me too</aol>

Would never buy another ISS product under any circumstances and devoutly wish we could dump the boat anchor we have now (but we grunts don't make those decisions.)

--
Paul Schmehl (pauls@...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

RE: Best IPS system?

Randal T. Rioux wrote:
> My two cents: ISS is atrocious. I can't stress that enough. I'm
> anxious to see if IBM's purchase helps or hinders their product line.
>
> TippingPoint and Sourcefire have the best IPSs with the smartest team
> of engineers behind them. These folks actually have some passion for
> their product, just not a great marketing team with glossy brochures.
>
> As Andrew said, get some demos. Everyone in this market is itching to
> get these things in your hands. Some will even stop by, hook it up and
> show you. Take advantage and choose wisely.

We just had a demo from Sourcefire (traditional IDS/IPS) and AirTight (wireless IPS), and just bought the equipment when the demo was over. We had a 5-month demo with Sourcefire that was originally scheduled for 30 days, but we wanted to thoroughly test the system, and their take on it was, basically, "..test it as long as you want to..."

Support from both vendors is top-notch, both during and after the demo. Weekly WebEx meetings to make sure all our questions were answered, access to 24x7 support during the demo, and even onsite engineers to help us get everything set up specifically for our environment AT NO CHARGE.

Again, this is just my experience with these 2 companies - you might hear different from others.

-Kevin

RE: Best IPS system?

Shelly, Kevin,

AirTight is great, and I have already chimed in with my thoughts about Sourcefire. If you are going wireless as well, I'd also look at AirMagnet, another great wireless vendor.

Paul Osterwald
Senior Consultant, Security & Advanced Infrastructure
AT&T Consulting

Re: Best IPS system?

The definition of "best" depends on your needs and deployment scenario. However, you should check the ICSA Labs Network Intrusion Prevention certification program:
http://www.icsalabs.com/icsa/main.php?pid=0bfb$3d9d7ea5-6b8ee967$66d7-9df12ea4

The certified products,
https://www.icsalabs.com/icsa/topic.php?tid=e6cb$36ebf2b4-fe67b635$6cb5-d675a991
have passed very tight certification testing that needs to be maintained, or the product gets decertified.
http://feeds.feedburner.com/icsalabsnetworkips

Picking any of the certified products should be a safe choice.

//Opi

--
Edit the fstab with ed? (n)

Re: Best IPS system?

Check out the Dragon stuff:
enterasys.com

--
-p1g
SnortCP, ESSE-D, C|HFI, TNCP, TECP, NACP, A+, whatever..

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke

Re: Best IPS system?

On Sun, May 18, 2008 10:53 pm, p1g wrote:
> check out the dragon stuff
>
> enterasys.com

What is it that you like about the Dragon solutions? What specific product(s) have you used/evaluated? How does it differ from other ID/PSs?

Thanks,
Randy

Re: Best IPS system?

I am using their NIDS/NIPS and NBAD sensors.

The power is in their SIM, Dragon Security Command Console (DSCC, Q-1 Labs). Leveraging vulnerability information with sig detection, host events (Windows, Linux, web, FW) and NBAD makes for a very useful tool.

I have not noticed a huge difference in sig-based IDS; they all seem to be matching against the same patterns. The biggest difference I found was in the SIM. It aggregates the alerts into a single offense per target IP address. So if there is a chain of events, say, a port scan followed by an exploit attempt (attempting to exploit a vuln the system knows the target is vulnerable to), followed by unsuccessful login attempts, followed by a successful one, outbound data transfer, ssh over a non-ssh port, etc., etc., it is all in 1 record alert. I can bring it up and see what really happened, if anything. Maybe it was an attack against a unix vuln directed at a windows server?

The NBAD sensors can be configured to collect a portion of every packet on the wire, from 64k to 2048k (I have not tried any higher). Usually about 1200k is enough to see what was in a given payload. So when you are reviewing an offense you can pivot directly to the packet traces or to the events that contributed to the offense.

You can also rate all your hosts by criticality. So? Well, if it is a busy day, or you have multiple offenses, DSCC will prioritize your response based on the 'magnitude' of the offense. Magnitude = credibility of the reporting source (tuned or untuned snort sensor), relevance (host criticality rating 1-10), vulnerability info (known to have or not have the vulnerability), etc.

I could say a lot. I went as far as to buy the suite and go to training and got certified (ESSE-D). I know that doesn't mean s@#$, but I was very into it. Still am.

I know I have said it before, I don't want to know how people are doing it without this type of technology. Wasting a lot of time, I guess.

p1g

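The offense aggregation and magnitude scoring that p1g describes above, as an added example (this is not DSCC code and not part of the original thread): alerts from several constructed sources are grouped into one offense per target IP, the chain of event kinds is kept in time order, and each offense is scored from source credibility, host criticality and whether the exploited vulnerability actually applies to the target, so a Windows-only exploit aimed at a Linux box sinks to the bottom of the queue. The asset inventory, credibility weights, event format, CVE-HYPO identifiers and the equal-weight blend are all assumptions chosen for illustration.

```python
"""Toy offense aggregation with magnitude scoring, modelled on the SIM behaviour
described in the thread. Added illustration only: the asset inventory, source
credibility weights, event format and sample events below are all constructed."""
from collections import defaultdict
from statistics import mean

# Constructed asset inventory: criticality 1-10 ("relevance"), OS, known vulns.
ASSETS = {
    "10.0.0.5": {"criticality": 9, "os": "windows", "vulns": {"CVE-HYPO-0001"}},
    "10.0.0.20": {"criticality": 3, "os": "linux", "vulns": set()},
}

# Constructed source credibility (1-10): a tuned sensor is trusted more than an untuned one.
SOURCE_CREDIBILITY = {"snort-tuned": 8, "snort-untuned": 4, "auth-log": 7, "nbad": 6}

# Constructed event stream: a full attack chain against the Windows host, plus a
# Windows-only exploit fired at the Linux host (the mismatched case mentioned above).
EVENTS = [
    {"ts": 1, "source": "snort-untuned", "target": "10.0.0.5", "kind": "portscan"},
    {"ts": 2, "source": "snort-tuned", "target": "10.0.0.5", "kind": "exploit",
     "vuln": "CVE-HYPO-0001", "exploit_os": "windows"},
    {"ts": 3, "source": "auth-log", "target": "10.0.0.5", "kind": "login_failed"},
    {"ts": 4, "source": "auth-log", "target": "10.0.0.5", "kind": "login_success"},
    {"ts": 5, "source": "nbad", "target": "10.0.0.5", "kind": "outbound_transfer"},
    {"ts": 6, "source": "snort-untuned", "target": "10.0.0.20", "kind": "exploit",
     "vuln": "CVE-HYPO-0002", "exploit_os": "windows"},
]


def credibility(events):
    """Mean credibility of the sources that contributed to the offense (unknown source: 3)."""
    return mean(SOURCE_CREDIBILITY.get(e["source"], 3) for e in events)


def relevance(target):
    """Host criticality rating 1-10; an asset missing from the inventory gets a neutral 5."""
    return ASSETS.get(target, {}).get("criticality", 5)


def vulnerability_factor(target, events):
    """10 if an exploit event hits a vuln the target is known to have; 1 if every
    exploit in the chain is for an OS the target is known not to run; 5 when the
    chain has no exploit or the asset is not in the inventory."""
    asset = ASSETS.get(target)
    exploits = [e for e in events if e["kind"] == "exploit"]
    if asset is None or not exploits:
        return 5
    if any(e.get("vuln") in asset["vulns"] for e in exploits):
        return 10
    if all(e.get("exploit_os") not in (None, asset["os"]) for e in exploits):
        return 1
    return 5


def magnitude(target, events):
    """Equal-weight blend of the three factors, rounded to an integer 1-10 (assumed formula)."""
    return round((credibility(events) + relevance(target)
                  + vulnerability_factor(target, events)) / 3)


def build_offenses(events):
    """One offense per target IP: the event chain in time order, the contributing
    sources, and a magnitude. Returned highest magnitude first, i.e. response order."""
    by_target = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_target[e["target"]].append(e)
    offenses = [
        {
            "target": target,
            "chain": [e["kind"] for e in evs],
            "sources": sorted({e["source"] for e in evs}),
            "magnitude": magnitude(target, evs),
        }
        for target, evs in by_target.items()
    ]
    return sorted(offenses, key=lambda o: o["magnitude"], reverse=True)


if __name__ == "__main__":
    for o in build_offenses(EVENTS):
        print(f"magnitude {o['magnitude']:2d}  {o['target']:<10}  {' -> '.join(o['chain'])}")
```

Run stand-alone, the script lists the two offenses: the five-stage chain against 10.0.0.5 scores high because a tuned sensor saw an exploit for a vulnerability the inventory says that host has, while the lone mismatched exploit against 10.0.0.20 scores low because the host runs the wrong OS for it. Replacing EVENTS with real sensor output and ASSETS with a scanner export is where a real deployment would start.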