June 27th, 2003, 07:05 PM
#14
Junior Member
TippingPoint solution has the following going for it:
1) Blocks attacks instead of relying on TCP RST or firewall shun.
2) Eliminates false positives by writing Attack Filters to the vulnerability, not the exploit, using specialized software and hardware:
- Uses Agere Payload Plus OC-48c Network Processor (2.4 Gbps)
- ASICs and Xilinx Virtex-II FPGAs
- 2 GHz + Pentium 4 Management processor
This allows the box to look for uppercase, lowercase, hexcode, and unicode variants within the packet stream. The hardware can do anchored and unanchored searches, Regular Expression pattern matching, Layer 7 Application protocol decoders, IP Fragmentation, and TCP Reassembly. It can also perform statistics gathering and anomaly algorithms. All of this is instantiated in silicon, providing high accuracy at load while under attack.
3) High performance and low latency achieved through purpose-built hardware. This type of performance (up to 2+ Gbps full duplex) and low latency (<215 microseconds) can NOT be achieved with a general-purpose CPU running Linux, BSD, etc.
4) Consistent performance regardless of packet size (64 byte to jumbo frame) and packet type (ICMP, UDP, TCP, broadcast, multicast, etc.). Many CPU/software-based solutions have issues with latency and bursty UDP traffic. Since UDP is used for VoIP and streaming video, this is NOT good.
5) High Availability modes of "Non-stop Networking" and "Non-stop Security" are configurable on a per segment (port pair) basis for failover.
6) No IP or MAC address on the segments provides complete transparency on the network, ensuring that the box can't be attacked on its segments and is impervious to IDS evasion techniques and tools (snot, stick, fragrouter, whisker, etc.).
7) Ability to block Peer to Peer protocols bi-directionally or just stop outbound hosting from your IP address space.
8) Bandwidth shaping/rate limiting and Quality of Service based on layer 3-7 criteria.
So, there is a reason for the cost. If you only have a T1 to the internet and only want to protect at the perimeter, then you could take the time and expense (Linux is not free when you include the time spent) to use open source tools. I use Linux at home and at work, but the hardware has its limitations. If I am only detecting, then no worries: I can sit off a span and buffer packets until the processor can get to them. If I process a packet 1 second after it is seen on the wire, the alert is 1 second late (no big deal). However, if I am inline, I need to process packets at network rates in real time. Routing and performing layer 3/4 filtering (firewall) don't require as much processing as layer 7 deep packet inspection. I know about layer 7 filtering in Linux: http://l7-filter.sourceforge.net/ , but keep in mind that blocking inline (IPS) at wire rate requires much different hardware than just detecting (IDS) off of a span/mirror port or tap.
Lastly, IPS does not replace IDS, it augments it. By blocking known attacks it eliminates many of the alerts on the IDS, allowing the IDS to focus on statistical anomaly and behavioral detection instead of just signatures. By reducing the load on the IDS and the alert logs, you will also be able to interpret the IDS logs more easily, and the IDS will be more accurate.
Security is a process, not a product, and there is no magic pill, but given that you already have a firewall, IDS, and anti-virus in place, the next logical step would be to add network-based intrusion prevention.
Hope this helps
Regards
obfuscation8
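The post above argues for filters written to the vulnerability rather than to one exploit string, and for matching uppercase, lowercase, hex-encoded and Unicode variants so that evasion tools (whisker-style URL mangling) do not slip past. The following is an added example, not code from the post or from TippingPoint, showing the difference in plain software: an exploit-string signature is compared against a filter that canonicalizes an HTTP request path (IIS-style %uXXXX escapes, repeated percent-decoding to defeat double encoding, backslash folding, case folding) before matching a generic directory-traversal pattern. All request paths are constructed for the example; the function names are the author's own.

```python
import re
from urllib.parse import unquote

# Constructed request paths (not from the post): the same traversal
# attempt written the ways an evasion tool might emit it.
SAMPLE_PATHS = [
    "/cgi-bin/../../etc/passwd",                      # plain
    "/cgi-bin/%2e%2e/%2e%2e/etc/passwd",              # percent-encoded dots
    "/cgi-bin/%2E%2E%2F%2E%2E%2Fetc/passwd",          # upper-case hex digits
    "/cgi-bin/%252e%252e/%252e%252e/etc/passwd",      # double-encoded
    "/cgi-bin/%u002e%u002e/%u002e%u002e/etc/passwd",  # %uXXXX (IIS-style)
    "/cgi-bin/..\\..\\etc\\passwd",                   # backslash separators
    "/cgi-bin/.%2e/.%2e/etc/passwd",                  # mixed literal/encoded
]
# Constructed benign paths used to check for false positives.
BENIGN_PATHS = ["/index.html", "/images/logo.png", "/docs/v2.0/readme.txt"]

_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
# A ".." path segment anywhere in the canonical path.
_TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def canonicalize(path: str, max_rounds: int = 3) -> str:
    """Reduce the encoding variants of a request path to one form.

    Order matters: %uXXXX first (it is not RFC percent-encoding and
    unquote() would leave it alone), then percent-decode until the
    string stops changing (double/triple encoding), then fold
    separators and case.
    """
    s = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\\", "/").lower()
    s = re.sub(r"/{2,}", "/", s)
    return s


def exploit_signature_match(path: str) -> bool:
    """Filter written to one exploit: looks for the literal bytes only."""
    return "../" in path


def vulnerability_filter_match(path: str) -> bool:
    """Filter written to the weakness: match after canonicalization."""
    return bool(_TRAVERSAL.search(canonicalize(path)))


def compare(paths):
    """Map each path to (exploit-signature verdict, vulnerability-filter verdict)."""
    return {p: (exploit_signature_match(p), vulnerability_filter_match(p))
            for p in paths}


if __name__ == "__main__":
    for path, (sig, vuln) in compare(SAMPLE_PATHS + BENIGN_PATHS).items():
        print(f"{path:50} exploit-sig={sig!s:5} vuln-filter={vuln}")
```

The exploit-string signature catches only the first sample; the canonicalizing filter catches all seven and none of the benign paths. The caveat a practitioner should keep in mind is that canonicalization must mirror what the protected server actually does (this example does not handle overlong UTF-8 or server-specific quirks), and that doing this per packet at line rate is exactly the work the post says needs dedicated hardware.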