From: C-Info (c-info blaisnet.com)
Date: Thu Jul 30 2009 - 15:01:21 CDT

A few years ago I worked on a project with a large ISP regarding DDoS
mitigation. What we found was that it was nearly impossible to mitigate a
serious DDoS attack from the customer end. Usually the pipe to the customer
from the ISP was totally full of attack traffic - so trying to stop this at
the customer site was simply not possible.

You really need to work with the ISP and ensure that they have some
mechanism (we used Peakflow SP and another product) to help stop the flow of
traffic upstream of your connection to the Internet.

Although these features are nice on customer premise devices - they only
work on smaller attacks that do not flood the customer's Internet connection.

Curt

-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On Behalf Of Hurgel Bumpf
Sent: Thursday, July 30, 2009 3:44 AM
To: focus-ids securityfocus.com; Gary Halleen
Subject: Re: IPS - Cisco vs. McAfee vs. Tippingpoint

Hi Gary,

Thank you for your valuable input.

Indeed my main focus is on protecting our systems from (D)DOS attacks. I
start to like the Peakflow product more and more.

Thank you all for pointing that out!

Andre

--- Gary Halleen <ghalleen cisco.com> wrote on Wed, 29.7.2009:
> From: Gary Halleen <ghalleen cisco.com>
> Subject: Re: IPS - Cisco vs. McAfee vs. Tippingpoint
> To: "Hurgel Bumpf" <l0rd_lunatic yahoo.com>, focus-ids securityfocus.com
> Date: Wednesday, 29 July 2009, 15:07
>
> Hurgel,
>
> While I think you'll be happy with the features and performance of Cisco's
> IPS (especially if you are using 7.0 software, which comes with Reputation
> Filtering and Global Correlation capabilities), you should keep in mind that
> an IPS is not always the best solution for DDoS protection.
>
> Depending on the type and severity of the DDoS attack, the IPS may provide
> what you are looking for, especially if you configure it to block or
> rate-limit on an upstream device, like a router, switch, or firewall.
>
> You may also want to take a look at Arbor's Peakflow products, as well as
> Cisco's Guard/Detector products. Both of these are designed with DDoS
> protection as primary features. They also are typically deployed both at
> the customer's site, as well as upstream, so that DDoS traffic is never
> eating up your bandwidth to the Internet once an attack is detected.
>
> Gary
>
>
>
> On 7/29/09 5:25 AM, "Hurgel Bumpf" <l0rd_lunatic yahoo.com> wrote:
>
> > Hi List,
> >
> > I need to protect a "realtime" website with an inline IPS from (D)DOS
> > attacks.
> >
> > I had some bad experience with a Tippingpoint UnityOne 2400 field test. The
> > device dropped too many sessions until all connectivity was lost.
> > After that no investigation was possible as TP logs all attack information
> > with IP address 0.0.0.0
> >
> > (The vendor excused this with the layered technology and passing the IP
> > address from the hardware to the logger would lead to delayed packages)
> >
> > This is unacceptable.
> >
> > I'm now looking forward to testing a Cisco IPS 4270-20 and a McAfee Network
> > Security 4050 appliance.
> >
> > Who has a good/bad experience with those devices? Is it true that all
> > devices don't log IP addresses?
> >
> > My dream appliance would be able to run like in a 7 day learning mode which
> > counts max new sessions per second, max sessions per client and so on. After
> > these 7 days it creates a filter with +x% of the learned values and sets
> > these limits active.
> >
> > A big problem is that I have to install it into the productive system to
> > get the real values. I don't have any fixed values regarding the new
> > sessions per second and I can't just guess and set values and render the
> > system offline.
> >
> > All information is highly appreciated!
> >
> > Thank you very much for your time,
> >
> > Andre
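
The learning-mode idea from the original question in this thread (record peak new sessions per second and per client, then activate limits at +x%), as an added example that is not from any poster or vendor. Reading "sessions per client" as new sessions per client per second, the event tuple format and the function names are assumptions; all sample data is constructed.

```python
from collections import Counter

def learn_limits(events, headroom_pct):
    """events: list of (unix_second, client_ip) session-open records
    collected during the learning window. Returns the limits to activate."""
    per_second = Counter(ts for ts, _ in events)
    per_client_second = Counter((ts, ip) for ts, ip in events)
    if not per_second:
        raise ValueError("learning window contains no sessions")

    def with_headroom(peak):
        # Integer ceiling of peak * (1 + x%), avoiding float rounding.
        return (peak * (100 + headroom_pct) + 99) // 100

    return {
        "global_per_sec": with_headroom(max(per_second.values())),
        "client_per_sec": with_headroom(max(per_client_second.values())),
    }

def enforce(events, limits):
    """Apply the learned limits per one-second bucket.
    Returns (allowed, dropped) lists of events in arrival order."""
    seen_global, seen_client = Counter(), Counter()
    allowed, dropped = [], []
    for ts, ip in events:
        if (seen_client[(ts, ip)] >= limits["client_per_sec"]
                or seen_global[ts] >= limits["global_per_sec"]):
            dropped.append((ts, ip))
            continue
        seen_client[(ts, ip)] += 1
        seen_global[ts] += 1
        allowed.append((ts, ip))
    return allowed, dropped

# Constructed learning-window sample (documentation address ranges).
LEARNING = [(1000, "192.0.2.10"), (1000, "192.0.2.10"), (1000, "192.0.2.11"),
            (1000, "192.0.2.12"), (1001, "192.0.2.10"), (1001, "192.0.2.11"),
            (1001, "192.0.2.12")]
# Constructed live traffic: one noisy client plus two normal ones.
LIVE = ([(2000, "198.51.100.7")] * 5 + [(2000, "192.0.2.10")] * 2
        + [(2000, "192.0.2.11")] * 2)

if __name__ == "__main__":
    limits = learn_limits(LEARNING, headroom_pct=50)
    allowed, dropped = enforce(LIVE, limits)
    print(limits, len(allowed), dropped)
```

In the sample run the noisy client's excess sessions are dropped by the per-client limit, and one session from a normal client is then dropped by the global limit.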