RE: [ISSForum] Intrusion Detection vs Intrusion Prevention

[Jeffrey Kok Chew Mun]

Title: Message

Hi JT,

 

Totally agree with you on the "magic box" view... then again.. it'll be more like pandora's box if you ask me.

 

That's why are planning on rolling out HIDSs to all hosts. Easier for each machine to care for themselves than to depend on one superhero to save them all.

Of coz, we vulnerability accessment scanner is definitely a must which when correlated with the HIDS events will help make sense of it all (well... at least to the junks htat we wouldn't need to take notice of)

 

cheers,

Jeff

-----Original Message-----
From: John Taylor [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 2:10 AM
To: Jeffrey Kok Chew Mun; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: CCE Net
Subject: RE: [ISSForum] Intrusion Detection vs Intrusion Prevention

Jeffrey,

 

goes back to the points I made when this lengthy discussion first began, you cannot provide true IPS/IDS whatever we call it with a "magic box" on a network, never have been able to and I don't believe ever will be ableto do.

 

It is deciding what is at risk and how best to protect it and how to manage the information we receieve.  This is where ISS score so high and why they are number one, having the capability to protect the server, the desktop and the network all correlated with System and Internet Scanner using the fusion capability of Site Protector --- It works!

 

JT

 

John Taylor | Director Security Products | Tolerant Systems Ltd | 01782 865026 | 07730 989255

This electronic message contains information from Tolerant Systems, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please notify me by telephone or email (to the number or email address above) immediately.

-----Original Message-----
From: Jeffrey Kok Chew Mun [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 29, 2002 3:26 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: CCE Net
Subject: RE: [ISSForum] Intrusion Detection vs Intrusion Prevention

Hi All,

 

I would like to share some experience that we had with Toplayer's Attack Mitigator and

give a word of advise to anyone who is going to deploy the Attack Mitigator (AM)

Our original plans was to deploy 6 units of AM into strategic network locations to provide defence against DOS, DDOS and URL/URI protection.

 

The first look of the Attack Mitigator was pretty good and offered many features that aren't avail in other network devices:

1) Session limiting based on IP or groups of IP which is very useful to protect server against legitimate traffic DOS and DDOS.

2) ASIC based URL/URI filtering to counter the floods of Nimda and Codered traffic

3) Syn floods protection with options to tweak the number of incomplete sessions before being recogised as a DOS

 

After the the first unit was installed, everything looked normal enough and the box's CPU utilization looked rather healthy too. After a couple of hours, complaints were coming from all over the campus about connections breaking, packet losses, takes a long time to connect, etc. Since the AM's CPU utilization seemed healthy, we looked elsewhere and was troubleshooting for a long time before isolating the problem to the AM.

 

After much pain, the problems were found and the following were our findings:

1) ASIC are supposed to provide extremely high throughput but the ASIC on the AM was rated to handle only 8000 sessions setup per second or 25,000 sessions setup in the event of a Syn Flood. The start of any TCP, UDP, ICMP session setup is considered the starting of a session on the AM due to "flow handling"  On an average, our campus experience about 10,000 TCP sessions setup per second. With UDP and ICMP, its way more than 10k. Thus packets were dropped at random every second

2) The CPU utilization on the AM refers to the CPU of the AM which doesn't indicate if there are any performance issues or packet drops on the AM since these are on the ASIC.

3) The DOS that we had experienced come in the magnitude of about 800k per seconds which is far beyond that of the capabilities of the AM. Toplayer's advise was to use a load balancer to load balance a cluster of AM. Taking cost out of the picture, its rediculous to deploy a farm of 10 or more AM just to handle these attacks.

4) Even with nimda and codered filters enabled on the AM, nimda and codered attacks were still slipping though the AM. It was later found this is because the AM isn't able to recognised fragmented nimda and codered traffic which is very easily done.

 

The idea behind the AM is really great and perfect for small WAN links of SMEs

However, it will not have enough juice for ISP, IDC or campus networks which are designed to handle millions of packets per seconds (even though it has GE interfaces and ASICs)

After a one week stint with the AM and Toplayer's regional engineers, the box was pulled out and all plans to deploy the AMs were scraped. Network based Intrustion Protection is definitely very useful and we are still on the lookout for suitable products for our environment.

 

cheers,

Jeffrey Kok

Systems Engineer

Computer Center

National University of Singapore

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 11:21 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Intrusion Detection vs Intrusion Prevention

Hi Glenn,

 

The white paper we have produced has just gone up on our web site  (the proverbial ink is still wet on the PDF!) - it is entitled 'Beyond IDS : Essentials of Network Intrusion Prevention' and can be got at through our web site at www.toplayer.com via the 'Resource Centre'

 

(I am afraid there is a customer registration form on there, if that is a problem, let me know)

 

Cheers

 

Simon

-----Original Message-----
From: Glenn Ponich [mailto:[EMAIL PROTECTED]]
Sent: 26 November 2002 11:35
To: [EMAIL PROTECTED]
Subject: [ISSForum] Intrusion Detection vs Intrusion Prevention

With all the posts I have seen lately regarding the subject line is there a white paper available that explains the difference between the two and possible pros and cons of each?

TYIA

Glenn Ponich

Network Security Administrator

Sierra Telephone

[EMAIL PROTECTED]