I am trying to implement the ISS Proventia G-series as an intrusion detection monitor (and hopefully, eventually, as an IPS blocker) in an environment with heavy use of Citrix and Terminal Services sessions.
I've noticed that there is a gap of service when the Proventia G-series goes through a "change state" (such as applying updates, changing policy, applying response, or even a power down or power up). The most recent firmware (1.0_2004.0524_00.01.03) has been applied, and the units are running SR 4.3. This definitely improves that change state time (from approx 3 seconds) to "typically less than 1 second" (depending on the environment), and it also cures some (CRC) transmission errors that may have been present in the original firmware (but may have only affected certain environments). At this point, I'm led to believe that the change state gap is as good as it's going to get, at "less than 1 second".
However, in my testing this still drops Citrix sessions. This leads to a concern about all TCP session related communications, such as remote access terminal sessions, VPN, and other such. Has anyone identified other sessions that may be affected? The problem is that a change state of this nature will usually always disrupt a Citrix session, and frequently disrupts Windows terminal services sessions. Because our environment delivers these (Citrix & Windows Term Srvcs) with a specific SLA, the disruption in service afforded by the change-state gap on the Proventia G is not tolerable.
Does anybody else have Proventia G deployed in an environment with heavy Citrix usage? If so, what product enhancements or procedural modifications have been employed to make the Proventia G viable in an environment like this? Does anyone know of any other workaround that would enable the Proventia G series to work seamlessly in an environment where a "1 second" change state gap can impact the delivery of services? I'm confident that other enterprises are using the Proventia G in environments with a high sensitivity to brief gaps in service.
I just need to provide a technical resolution, or procedural workaround, or even some slick sales talk that would address the concerns of management. How do other IPS products on the market afford the change-state needed to update signatures, etc.? How about other network infrastructure products, which may not be ISS or security related, that impose a brief gap? How would workarounds be applied to something like that? Any information provided that would address these concerns would be appreciated.
Dan Widger
713\892-3471
