Re: IPS comparison

From: Micheal Cottingham (security@michealcottingham.com)
Date: Mon Jul 25 2005 - 20:17:29 EDT


I am a customer of TippingPoint, so my opinions and thoughts won't be
exactly unbiased, but hopefully it'll help you make a decision one way
or another.

As mentioned, I am a customer of TippingPoint at my day job at a college
where I handle, well, the security side of things. As an example, before
we deployed TippingPoint, we had people enumerating SAM left and right
and center (don't get me started on the null sessions :P). Lockouts were
frequent and caused serious problems. It was becoming DoS proportions as
we'd have to take what added up to be quite a bit of time each day to
unlock accounts and answer phone calls asking why accounts were locked
out. Eventually we decided it was time for an IPS. After reviewing
several (I don't recall ever coming across Top Layer though in my
research :/) solutions, we decided on TippingPoint. As soon as we fully
deployed TippingPoint, the lockouts ceased. That in my opinion pays for
itself. However, there is one other incident worth mentioning. We at one point
had to remove one of the units from the boundary to do some testing.
That night while at another campus trying to figure out some "internet
problems" I tried logging in to one of the AD servers and it was as slow
as could be. 30 minutes later it logged in. The next morning I arrive to
find my boss and coworkers going through the servers and equipment
trying to find out what's causing the downtime. After starting up
Sniffer, we found network usage was at the max on one of the switches.
Turns out one of the "miscellaneous" servers we used for testing a
backup solution that used their version of MSSQL was hit by slammer. I
know it was blocked before because I watched the logs in the IPS. Now,
most, if not all IPS solutions you'll find will offer you this, but that
was my experience. As for the comments about NMS, syslog, etc. I can
assure you TippingPoint supports those. Well, I've never used the NMS,
but I do use the syslog capabilities. All in all, I'm very pleased with
them. Their support is very quick to pick up the phone. I think the
longest I've ever waited was 30 minutes, and I think that was because of
an emergency meeting on their end, and that happened only once. Wait
times other than that have always been 2 minutes or less. Like I said,
I'm obviously biased, but I've had very good experiences with their
product. :)

Deployment is a breeze. You plug it in, let it boot up, and switch a
couple of network wires, and there you go. You can manage the devices
from their built-in web server, but I've found their SMS server to make
life so much easier. At any rate, at the very least I hope that helps to
answer a few questions. :)

Hope that helps.

Micheal

Williams, Cameron wrote:

>My two cents:
>
>There have been several industry magazine reviews (SC Magazine,
>Information Security, etc.) of both of the vendors that you are
>specifically interested in. In my opinion, both vendors' products offer
>robust signature-based as well as anomaly-based protection.
>
>Where I think the industry mags fall short in their analysis is in the
>areas of ease of deployment, throughput, hardware reliability, and
>pricing. Hardware reliability is key, since these devices will most
>likely be placed in-line in your network. Most of the vendors out in
>the market have very little information with regards to this piece.
>
>In addition, one of the products may be better suited for deployment in
>a specific segment of the network. For instance, you may consider a
>lower throughput rated IPS for your perimeter network protection, as
>opposed to a GIG throughput IPS for a deep LAN deployment (at the core,
>providing protection on separate VLANs).
>
>One more usually overlooked place is in NMS features. Most of the
>products have an optional management station (usually requiring some
>additional cap-ex) that you may not want to use. The NMS features that
>you may want from a standalone box would include SNMP/SYSLOG, etc. Some
>vendors fall short in this arena as well.
>
>Hope this helps.
>
>Regards,
>
>Cameron Williams
>Security Assurance Manager
>Virtela Communications
>p: 720-475-4034
>f: 720-475-4035
>5680 Greenwood Plaza Blvd.
>Greenwood Village, CO 80111
>cwilliams@virtela.net
>
>
>-----Original Message-----
>From: bw [mailto:bjshhsjb@yahoo.com]
>Sent: Monday, July 25, 2005 10:52 AM
>To: pen-test@securityfocus.com
>Subject: IPS comparison
>
>I have been tasked with comparing IPS appliances. I am seriously looking
>at top layer's product line and tipping point. Does anyone have a
>spreadsheet or know of any tool they would be willing to share for
>comparing products. I'm new to this, so any help would be appreciated.
>
>thank you
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:38 EDT