IPS/IDS location suggestions in Network.

ttp://uploader.futbolmex.net/files/1/network.JPG


 See link for Network design, design for redundancy and speed.

  these boxes are routers and links are 10gb.

  different network segements will be hanging off of the 4 routers at
the bottom.

  There will be an IPS higher up in the mix between the 2 top routers
  and the internets as well as other stuff.

  Main corporate network will be hanging off each of the 4 bottom switches.

  So the goal is to monitor internal traffic between 4 network segments.

  Idea of Cisco module IDS in the 2 top routers is scratched.

  So what about in-line IPS on each of the links between the 4 routers
and the 2?
  ISS has the GX6116 that runs at 6gb in filtering mode, 15gb non
filtering, hehe.
  Sourcefire just sent me an email about their 10gb solution, but I dont
  know if it has as many ports as the ISS box.

  Is this even a good location for an inline IPS? It seems like the only
  place other than the boarder where I can get any concentrated traffic,
  but at the border I cant get internal traffic.

  Any suggestions?

  Saludos

  Albert

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Hi.

For a pity I do not have an experience in implementing IPS on 10g links,
however I've been researching IBM appliances (ISS+Proventia). In practice
they can not do the deep inspection by signature patterns in protocols
which is higher
than transport layer (i.e. checking for an exploit code) at even
several G speed. Not sure if they just skip checks for packets or it
will became a bottleneck in case you try to force all packets to be
checked. You should talk with IBM specialists what set of features
will be available on that speed.

2008/3/14, Albert R. Campa <abcampa@...>:

--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

[Full disclosure: I work for TippingPoint]

Two other vendors that have 10G products are McAfee and TippingPoint. Both
vendors have 10 gig
solutions.   I can't speak for MFE, SourceFire, or ISS, but I can say that
TippingPoint has many customers
that run inline IPS up in the network where you indicate.  As a reality
check, you should ask all vendors
for several references (maybe 5) that are running the device inline, high
up in the network, and you
should call the references and see how it's going.  You learn a lot that
sales won't volunteer (or will
offer up as FUD :-) talking to other customers.

        Brian Smith
        TippingPoint




"Albert R. Campa" <abcampa@...>
Sent by: listbounce@...
03/14/2008 11:40 AM

To
focus-ids@...
cc

Subject
IPS/IDS location suggestions in Network.






ttp://uploader.futbolmex.net/files/1/network.JPG


 See link for Network design, design for redundancy and speed.

  these boxes are routers and links are 10gb.

  different network segements will be hanging off of the 4 routers at
the bottom.

  There will be an IPS higher up in the mix between the 2 top routers
  and the internets as well as other stuff.

  Main corporate network will be hanging off each of the 4 bottom
switches.

  So the goal is to monitor internal traffic between 4 network segments.

  Idea of Cisco module IDS in the 2 top routers is scratched.

  So what about in-line IPS on each of the links between the 4 routers
and the 2?
  ISS has the GX6116 that runs at 6gb in filtering mode, 15gb non
filtering, hehe.
  Sourcefire just sent me an email about their 10gb solution, but I dont
  know if it has as many ports as the ISS box.

  Is this even a good location for an inline IPS? It seems like the only
  place other than the boarder where I can get any concentrated traffic,
  but at the border I cant get internal traffic.

  Any suggestions?

  Saludos

  Albert

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 

to learn more.
------------------------------------------------------------------------




CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster@....