
Thread: TippingPoint

  1. #1
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834

    TippingPoint

    Anyone tried Tipping Point? I have been interested for a while and even went so far as to arrange a quote. and I say again EXPENSIVE, but it's hard to place a price on security, know what I mean? One bad attack could be worth the money. But at the same time we, as trusted souls, don't want to just throw money away. After all, I have a theory, could that money I save come back to me as a bonus some day?? I would like to think YES!

    First off, I have an IDS, so I have to have something that goes BEYOND that. There is also Microsoft ISA server out there. Great stuff too. This Tipping Point thing does indeed look promising. After all, it does have SANS support. In fact, according to all sources I have contacted, their team works hard at identifying threats and the box can be set to update new signatures every night. There are a lot of security appliances out there, and before anyone says it, I have "google"d my research. In fact I have a date in the near future to attend a real world installation of one of these boxes. It definitely pays to network around the local IT community.

    So I ask, anyone got the real diddy on this thing? Is it worth trashing my significant investment in an already functioning ID System? Even though it definitely lags a bit in signature updates.

    Tipping Point
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  2. #2
    Member
    Join Date
    Jun 2002
    Posts
    44
    Just out of curiosity...mind me asking what the quoted price was?
    Os1LaYr5

  3. #3
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834

    Normally we like to keep that a secret..

    It's not fair to say because so many variables play in hand. Network size, nodes, throughput and even the balance on your books. Yes, asset size plays a role in a lot of licensing negotiations. In addition this is just "talk", meaning - what is a ballpark figure. Oh, and your attitude, knowledge, salesmanship and experience even come into play.

    Taking all that into consideration, a particular vendor in a particular moment in space time said to me off record, around 30K. That is extremely significant, given the size of my business and its monthly income. Definitely priced OUT of the typical SOHO market.

  4. #4
    Member
    Join Date
    Jun 2002
    Posts
    44
    That does seem like a nice little penny to pay since you already said you have an IDS in place. I'd consider a few things before wanting to replace my existing IDS network.
    1. What can this device do that my existing IDS network can't do?
    What kind of IDS network device are you running? I haven't had much experience with IDS devices besides Cisco's models.
    2. What other charges will incur with this device? I'm sure they will end up charging for a contract to keep the device up to date. Looking at their support page, you need a contract for 24x7 support. I'd also find out what this costs, since if you don't have a contract all you get is 8-5 M-F telephone and email support. Also, how good is their support in the event of a hardware failure? Will they ship you a new device no questions asked? How long does the replacement take to get there?


    My initial thought would be keep the IDS network you currently have, update the signatures, and maybe look at host IDS's.
    Os1LaYr5

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Just a quick question. All the features/benefits that this product provides:

    * Stops thousands of attacks including Trojans, Worms, Viruses
    * Blocks or rate-shapes peer-to-peer piracy
    * Protects Web Services (Port 80 applications) from attack
    * Secures Instant Messaging, VoIP, XML applications
    * Delivers multi-gigabit switch-like performance
    * Controls or stops traffic that is not mission critical

    Couldn't you do all this with just a secure router and a good anti-virus? Why spend all that money on this, when you could easily set all this up in one Linux box? Linux has routing capabilities and there are also enterprise class anti-virus solutions for it. I think you would get a bonus this year by saving your company some money. This little magic box looks like the answer for those people too lazy to do it themselves. I'm not calling you lazy, but the type of persons using this tool are either the ones that don't have the skill to do this with open-source technologies and save money, or they are too lazy to make their networks secure without this product.

    I don't see why someone would spend all the money on this. But that's just me. I feel you can make an equal or better quality product with open-source technologies and not spend all the cash on toys we don't need. How do you feel about that?


    --PuRe
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  6. #6
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    This breaks apart payload and inspects packets for signatures (updated nightly by sans.org) and works at the MAC layer.

    Before ever reaching the internal router or firewall. Dependent on location.

    It also does not use an IP address.

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Originally posted here by RoadClosed
    This breaks apart payload and inspects packets for signatures (updated nightly by sans.org) and works at the MAC layer.

    Before ever reaching the internal router or firewall. Dependent on location.

    It also does not use an IP address.
    Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

    Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

    Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system.

    On top of that, it doesn't cost you one red cent, and you can schedule nightly updates. I'm still really not sold on your issue. Why do you feel your case is stronger than the one I've just made?


    --PuRe
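The inspection model the last two posts describe (RoadClosed's inline box that lets through only packets matching its signature rules, and Snort's rule language with content matching and alerting) can be contrasted in a short Python sketch. This is an added example, not code from the thread, from Snort or from TippingPoint: it honours only a tiny subset of Snort's rule syntax (action, protocol, destination port, content: and msg:), the two rules and four packets are constructed, and the inline/passive switch is an assumption used to show the difference between dropping a packet before it is forwarded and merely raising an alert that someone reads later.

```python
"""Toy Snort-style content inspection, run passively (alert only) or inline (drop).

Added example: not Snort's engine, only a minimal subset of its rule syntax.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: only action, protocol, destination port, content: and msg: are
# honoured; source/destination addresses and source port are ignored.
RULE_RE = re.compile(
    r'^(?P<action>alert|drop)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+'
    r'(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    action: str     # "alert" (passive) or "drop" (only meaningful inline)
    proto: str      # "tcp", "udp" or "ip" (ip matches any protocol)
    dport: str      # "any" or a port number as text
    content: bytes  # byte pattern searched for anywhere in the payload
    msg: str


@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes


def parse_rule(line: str) -> Rule:
    """Parse one rule line of the restricted syntax above."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = m.group("opts")
    content = re.search(r'content:"([^"]*)"', opts)
    msg = re.search(r'msg:"([^"]*)"', opts)
    if not content or not msg:
        raise ValueError("rule needs both content: and msg:")
    return Rule(m.group("action"), m.group("proto"), m.group("dport"),
                content.group(1).encode(), msg.group(1))


def first_match(pkt: Packet, rules: List[Rule]) -> Optional[Rule]:
    """Return the first rule whose header and content match the packet."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if r.dport != "any" and int(r.dport) != pkt.dport:
            continue
        if r.content in pkt.payload:
            return r
    return None


def process(pkts: List[Packet], rules: List[Rule],
            inline: bool) -> Tuple[List[Packet], List[str]]:
    """Passive mode forwards everything and only alerts; inline mode also
    withholds packets that hit a drop rule before they are forwarded."""
    forwarded, alerts = [], []
    for pkt in pkts:
        hit = first_match(pkt, rules)
        if hit is not None:
            alerts.append(hit.msg)
            if inline and hit.action == "drop":
                continue  # never reaches the inside of the network
        forwarded.append(pkt)
    return forwarded, alerts


# Constructed rules and traffic for the demonstration.
RULES = [parse_rule(r) for r in [
    'drop tcp any any -> any 80 (content:"/cgi-bin/"; msg:"CGI probe")',
    'alert tcp any any -> any 445 (content:"SMB"; msg:"SMB probe")',
]]

PACKETS = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("tcp", 80, b"GET /cgi-bin/test HTTP/1.0\r\n\r\n"),
    Packet("tcp", 445, b"\xffSMB\x72"),
    Packet("udp", 53, b"\x00\x01"),
]


def demo(inline: bool) -> Tuple[int, List[str]]:
    """Number of packets forwarded and the alert messages raised."""
    fwd, alerts = process(PACKETS, RULES, inline)
    return len(fwd), alerts


if __name__ == "__main__":
    print("passive:", demo(False))
    print("inline: ", demo(True))
```

Both modes raise the same two alerts; the difference is that the inline run forwards three packets instead of four, because the one hitting the drop rule never gets past the box. That is exactly the gap RoadClosed is describing: a passive sensor can only tell you after the fact, and the value of being in line is that the decision is made before the packet is delivered.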

  8. #8
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834

    Sniffing the security air.

    I plan on thoroughly testing snort. So thanks for more ammo in my pocket to get that up and running. In addition I am implementing Tiger_Shark's recommendations in another thread:

    http://www.antionline.com/showthread...hreadid=245311

    The temptation for me is - this thing is like a filter. It is a doorway with no IP address between the network and the internet. It's not just hanging off the network; it's in line with it. And it only allows packets that meet certain rules through. Like a firewall, except most exploits are coming over open standard ports anyway and the firewall I have is powerless to stop those. ALL the solutions I have seen so far are retroactive. Meaning an event happening now may be discovered 3 hours from now, or 3 days, or 3 weeks. All dependent on the time, discipline and expertise of the operator. Because the real issue we all face, and especially me because of my workload, is this: I do not have the knowledge, the expertise and the time to sit at my console and peer into the matrix and see everything that is happening in an instant. I am not Nemo. Some of you are... that I know, but I am not. I am an amateur at best. (humble). And my god, to keep up on every exploit is increasingly difficult. I don't have the time to gather 4gb of logs, glance it over and say AH HAH! That looks suspicious. Although I really try to accomplish as much as possible and like most of you I take any defect in my own systems PERSONALLY! That's what makes us good!

    So, the idea that another group I trust (SANS.ORG) can almost instantaneously apply signatures to propagating threats is enticing. We all trust our virus signature writers, don’t we? And when they catch a virus before inspection we feel GOOD. Also enticing are Snort and Snare and all the host of other products out there.

    Currently I DO have an IDS that CAN control and shut down ports being attacked on vendor specific routers and firewalls. But I don't trust it to stop attacks against ports that are already open, at least in real time. I don't think anyone here has used one yet. The price is way too expensive now, but it's on my radar perimeter and if it proves to be a reliable technology and they get the price to around a normal IDS cost, would I try it? Hell yes. For now, I am going the Snort/Script/Syslog server route and HOPING I can keep up with it all.

    Thanks for all the info guys, I still hope someone out there has tried one of these things and can give us the real scoop on it.

  9. #9
    Senior Member
    Join Date
    Mar 2003
    Posts
    452

    Re: Sniffing the security air.

    Originally posted here by RoadClosed
    I plan on thoroughly testing snort. For now, I am going the Snort/Script/Syslog server route and HOPING I can keep up with it all.


    Thanks for all the info guys, I still hope someone out there has tried one of these things and can give us the real scoop on it.
    I'm glad to hear this. It would save your company a tremendous amount of money for you to use open-source technologies. You're sure to get that bonus when you show your company you can flex your skills in such a cost-effective method. Grab a good Linux book and start soaking up everything you can.

    Linux comes with some pretty powerful firewalls. There will no longer be a reason for you to discover that disallowed traffic has passed from days ago, cause now, with linux, you can set rules that if it's not explicitly allowed, it's automatically disallowed. That's just better security.

    Remember, it doesn't matter what setup you decide to implement, you're gonna have to spend a good amount of time reviewing logs, but there are free (open-source) solutions that can notify you in real time when there is something you should give your immediate attention.

    I'm sure you'll be ok, there's hope for you yet.



    --PuRe www.pureescape.net

  10. #10
    Senior Member
    Join Date
    Oct 2001
    Posts
    186
    I would have to agree with PuReExcTacy here. I really enjoy snort and, used in conjunction with TCP/IP wrappers, it really tightens up your system. I have run automated and manual attacks against snort and used the logs to create wrapper rules to automatically deny connection if it sees certain types of attacks. (I read about it in Maximum Linux Security) so not to say it's an original idea.
    Ben Franklin said it best. "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
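The log-to-wrapper-rule idea in the post above (feeding Snort alerts back into TCP Wrappers deny rules) can be sketched like this. This is an added example, not code from the thread or from Maximum Linux Security: the alert lines are constructed in the layout of Snort's "fast" alert output using documentation addresses, the alert threshold and the never-block networks are assumptions, and the result is hosts.deny text returned as a string, not written to any system.

```python
"""Turn Snort fast-alert lines into TCP Wrappers hosts.deny entries.

Added example with constructed input; thresholds and protected networks are
assumptions, not recommendations from the thread.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# One line of Snort's "fast" alert output looks like:
# 10/15-21:03:12.123456  [**] [1:1000001:1] CGI probe [**] [Priority: 2] {TCP} 192.0.2.10:43512 -> 198.51.100.5:80
ALERT_RE = re.compile(
    r'^\S+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::\d+)?\s*$')

# Constructed sample alerts (RFC 5737 documentation addresses, not real hosts).
SAMPLE_ALERTS = """\
10/15-21:03:12.123456  [**] [1:1000001:1] CGI probe [**] [Priority: 2] {TCP} 192.0.2.10:43512 -> 198.51.100.5:80
10/15-21:03:13.001000  [**] [1:1000001:1] CGI probe [**] [Priority: 2] {TCP} 192.0.2.10:43513 -> 198.51.100.5:80
10/15-21:03:15.500000  [**] [1:1000001:1] CGI probe [**] [Priority: 2] {TCP} 192.0.2.10:43514 -> 198.51.100.5:80
10/15-21:04:01.000000  [**] [1:1000002:1] SMB probe [**] [Priority: 3] {TCP} 203.0.113.7:1025 -> 198.51.100.5:445
10/15-21:05:00.000000  [**] [1:1000001:1] CGI probe [**] [Priority: 2] {TCP} 10.0.0.5:40000 -> 198.51.100.5:80
10/15-21:05:01.000000  [**] [1:1000001:1] CGI probe [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 198.51.100.5:80
10/15-21:05:02.000000  [**] [1:1000001:1] CGI probe [**] [Priority: 2] {TCP} 10.0.0.5:40002 -> 198.51.100.5:80
this line is deliberately malformed and must be skipped
"""

# Assumption: internal ranges are never blocked automatically, so a noisy or
# spoofed internal source cannot be used to lock the administrator out.
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Parse fast-alert lines; lines that do not match are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def offending_sources(alerts: List[Dict[str, str]], threshold: int) -> List[str]:
    """Source addresses that triggered at least `threshold` alerts."""
    counts = Counter(a["src"] for a in alerts)
    return sorted(src for src, n in counts.items() if n >= threshold)


def is_protected(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in NEVER_BLOCK)


def hosts_deny_lines(alerts: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """TCP Wrappers syntax is 'daemon_list : client_list'; ALL covers every
    wrapped service."""
    return [f"ALL: {src}" for src in offending_sources(alerts, threshold)
            if not is_protected(src)]


def merge_hosts_deny(existing: str, new_lines: Iterable[str]) -> str:
    """Append rules to current hosts.deny text without duplicating entries."""
    have = {line.strip() for line in existing.splitlines()}
    out = existing.rstrip("\n").splitlines()
    out.extend(line for line in new_lines if line not in have)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_ALERTS)
    print(merge_hosts_deny("", hosts_deny_lines(found)), end="")
```

With the constructed input only 192.0.2.10 ends up in the deny text: 203.0.113.7 is below the threshold, and 10.0.0.5 is inside a protected range even though it crossed it. The threshold and the protected list are the two controls worth thinking about before automating this, because any rule written from alerts on spoofable traffic is a rule an outsider can influence.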
