Worst case scenario, you have 5,000 SYN Packets (equates to approx 3Mbs), all trying to establish a connection. Each of these will create a flow/connection table entry on the Unity 50, so 5,000 packets equates to 5,000 (half) connections per second. So I would always design a perimeter solution with this in mind. Remember, I'm talking worst case scenario, and not what would be in a typical stream - 5,000 connections can easily run into a gig. But it's not normal traffic we want to deal with using an IPS - it's the abnormal stuff - bad content and unacceptable rates. Start with the worst possible thing that could happen, and you've got yourself a decent security solution. Under engineer, and you've only got yourself to blame when it all goes tits up. :)
Matt

--- Kurt Seifried <[EMAIL PROTECTED]> wrote:

> Uhh your math is wrong. You're assuming each packet is a new connection/etc.
> I can saturate my backend 100 megabit network with 1 connection (rsync
> backups). 5,000 connections per second is a reasonable amount of traffic
> (5,000 simultaneous emails, www sessions, DNS queries, etc, it's certainly
> possible, and chances are it will consume a significant amount of
> bandwidth).
>
> -Kurt Seifried
>
> > An IPS should be placed in front of the firewall, to provide complete
> > network protection.
> > However, the Unity 50 is quite low spec - 5,000 connections per second,
> > 5,000 concurrent connections. Bearing in mind most Check Point firewalls
> > have a default connection table size of 40,000 (?) connections, then
> > putting the Unity 50 in front of your firewall would be a bottleneck.
> > Assuming small packet size (512bits per packet), then 5,000 of these per
> > second equates to just under 3Mbs. If your Internet feed is less than
> > this, then no problem. If it's higher, then the Unity 50 would not be
> > able to handle a 3Mbs pipe full of small packets.
> > You should really design your perimeter with this worst case scenario in
> > mind, especially if you have negotiated burst rates with your ISP and
> > your ISP feed can suddenly shoot up in usage.
> > Port scans should be blocked by the firewall - all irrelevant ports are
> > discarded at this point. I'm not sure how the Unity 50 handles port
> > scans, I haven't played with one yet... ;)
> >
> > Regards,
> >
> > Matt
> >
> > --- Doug Fox <[EMAIL PROTECTED]> wrote:
> >
> >> I'm sorry for this dumb question, which may have been answered many
> >> times.
> >>
> >> Where should one place a TippingPoint Unity 50 IPS device? Behind or
> >> in front of a firewall?
> >>
> >> I have a/the TippingPoint behind a Check Point firewall. Even though
> >> we externally and internally port-scanned the firewall and the IPS
> >> many times, the activity log did not contain any record of the
> >> "attacks".
> >>
> >> What am I missing here? Any pointers are appreciated.
> >>
> >> Thanks,

___________________________________________________________
To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
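The two sizing arguments in this thread (Matt's "every packet is a SYN" worst case and Kurt's "one bulk flow can fill the pipe" objection) can be put side by side in a small capacity model. This is an added example written for this page, not code from any of the posters; the 5,000 cps / 5,000 concurrent figures and the 512-bit packet size come from the messages, while the half-open timeout, the average short-flow lifetime and the rsync packet rate are assumed values.

```python
from typing import Optional

# Figures quoted in the thread; the 40,000 carried a "(?)" there.
UNITY_50_TABLE = 5_000             # concurrent connections the Unity 50 tracks
CHECKPOINT_DEFAULT_TABLE = 40_000  # Check Point default table size (uncertain in thread)
# Assumed values, not from the thread:
SYN_HALF_OPEN_TIMEOUT_S = 30.0     # how long a half-open entry lingers before ageing out
WEB_FLOW_LIFETIME_S = 0.5          # average lifetime of a short HTTP/DNS flow


def link_rate_mbps(packets_per_second: float, packet_bits: int) -> float:
    """Line rate consumed by a stream of equally sized packets."""
    return packets_per_second * packet_bits / 1_000_000


def steady_state_entries(new_per_second: float, hold_seconds: float) -> float:
    """Little's law: entries resident in the table = arrival rate x hold time."""
    return new_per_second * hold_seconds


def seconds_to_fill(table_size: int, new_per_second: float,
                    hold_seconds: float) -> Optional[float]:
    """Seconds until the table overflows, or None if the steady state fits.
    Entries expire after hold_seconds, so overflow only happens when the
    steady-state population exceeds the table; until then it fills linearly."""
    if steady_state_entries(new_per_second, hold_seconds) <= table_size:
        return None
    return table_size / new_per_second


def worst_case_report(syn_per_second: float = 5_000, packet_bits: int = 512) -> dict:
    """Matt's scenario: every packet is a fresh SYN that opens a half-open entry."""
    hold = SYN_HALF_OPEN_TIMEOUT_S
    return {
        "mbps": link_rate_mbps(syn_per_second, packet_bits),
        "half_open_steady_state": steady_state_entries(syn_per_second, hold),
        "unity50_fill_s": seconds_to_fill(UNITY_50_TABLE, syn_per_second, hold),
        "checkpoint_fill_s": seconds_to_fill(CHECKPOINT_DEFAULT_TABLE, syn_per_second, hold),
    }


def normal_case_report(cps: float = 5_000, rsync_pps: float = 8_333,
                       rsync_packet_bits: int = 12_000) -> dict:
    """Kurt's scenario: 5,000 short flows/s fit the table, while a single bulk
    rsync flow of 1500-byte packets on its own fills a 100 Mbit link."""
    return {
        "short_flow_entries": steady_state_entries(cps, WEB_FLOW_LIFETIME_S),
        "unity50_fill_s": seconds_to_fill(UNITY_50_TABLE, cps, WEB_FLOW_LIFETIME_S),
        "single_rsync_mbps": link_rate_mbps(rsync_pps, rsync_packet_bits),
    }
```

With these inputs the SYN case consumes only about 2.56 Mbit/s yet exhausts a 5,000-entry table in one second (a 40,000-entry table in eight), whereas 5,000 short flows per second settle at roughly 2,500 resident entries and never overflow it.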
