IPS - Cisco vs. McAfee vs. Tippingpoint

Hi List,

I need to protect a "realtime" website with an inline IPS from (D)DoS attacks.

I had some bad experience with a Tippingpoint UnityOne 2400 field test. The device dropped too many sessions until all connectivity was lost. After that no investigation was possible, as TP logs all attack information with IP address 0.0.0.0. (The vendor excused this with the layered technology: passing the IP address from the hardware to the logger would lead to delayed packets.) This is unacceptable.

I'm now looking forward to testing a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance. Who has good/bad experience with those devices? Is it true that all devices don't log IP addresses?

My dream appliance would be able to run in a 7-day learning mode which counts max new sessions per second, max sessions per client and so on. After these 7 days it creates a filter with +x% of the learned values and sets these limits active.

A big problem is that I have to install it into the production system to get the real values. I don't have any fixed values regarding new sessions per second, and I can't just guess and set values and render the system offline.

All information is highly appreciated!

Thank you very much for your time,

Andre

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL. A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

RE: IPS - Cisco vs. McAfee vs. Tippingpoint

Hi,

This product can help: http://www.fortinet.com/products/fortiweb/ or http://www.fortinet.com/products/fortigate/

PS: I hope it will not be taken as spam :S

Diego

RE: IPS - Cisco vs. McAfee vs. Tippingpoint

Have you looked at Arbor Networks Peakflow CP and TM systems? If not: http://www.arbornetworks.com/peakflowsp

Re: IPS - Cisco vs. McAfee vs. Tippingpoint

Hey Andre,

> I need to protect a "realtime" website with an inline IPS from (D)DoS attacks.

That's going to be tough with an IPS...

> I had some bad experience with a Tippingpoint UnityOne 2400 field test. The device dropped too many sessions until all connectivity was lost.
> After that no investigation was possible, as TP logs all attack information with IP address 0.0.0.0.
>
> The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would lead to delayed packets.
>
> This is unacceptable.
>
> I'm now looking forward to testing a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance.
>
> Who has good/bad experience with those devices? Is it true that all devices don't log IP addresses?

If you want to block a DDoS with an IPS, good luck with that :)

Normally, most devices do log source and destination addresses. However, depending on the alert generated by the IPS, you still might see 0.0.0.0 as source, for instance. This means that the alert triggered with a lot of different source addresses.

> My dream appliance would be able to run in a 7-day learning mode which counts max new sessions per second, max sessions per client and so on. After these 7 days it creates a filter with +x% of the learned values and sets these limits active.

I don't think any of the systems mentioned above can actually do this. I'll talk in general terms as I only have experience with Cisco (and other IPSes you didn't mention).

IPSes inspect traffic for defined patterns in that traffic. They will generally see that there's a lot of traffic when there's a (D)DoS (and can report some of it, e.g. it will notice a SYN flood), but if the traffic is legitimate (e.g. 'normal' HTTP requests to http://company.com, but coming from a lot of different sources) it won't "see" anything bad and can't take action on this traffic. I don't think a Cisco IPS can do statistical analysis of the traffic (e.g. "alert when this type of traffic has an 80% increase over the last 2 hours"). If an IPS sees too many packets to process (legitimate or not), it will either drop them or pass them unanalyzed.

> A big problem is that I have to install it into the production system to get the real values. I don't have any fixed values regarding new sessions per second, and I can't just guess and set values and render the system offline.

Most inline IPSes can be put inline without actually blocking anything, usually called learning mode or monitoring mode.

Hope this helps a bit.

-Laurens
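The learn-then-enforce behaviour Andre asks for (count peak new sessions per second and peak sessions per client during a learning window, then activate limits at +x% of the learned values), together with the "increase over the last N hours" style check Laurens mentions, as an added Python example that is not part of this thread and not the code of any appliance discussed here; the session events, IP addresses and the 25% margin are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Limits:
    new_sessions_per_sec: int   # max new sessions in any one second
    sessions_per_client: int    # max concurrent sessions from one client


def learn_baseline(events, margin_pct):
    """Learning mode: walk session events and record the observed peaks.

    events: list of (ts_seconds, client_ip, "open" | "close") in time order.
    Returns Limits set to the learned peaks plus margin_pct percent (the
    "+x%" from the post), rounded up so the baseline itself never trips.
    """
    opens_per_sec = Counter()
    concurrent = defaultdict(int)
    peak_per_client = 0
    for ts, client, kind in events:
        if kind == "open":
            opens_per_sec[ts] += 1
            concurrent[client] += 1
            peak_per_client = max(peak_per_client, concurrent[client])
        elif kind == "close":
            concurrent[client] = max(0, concurrent[client] - 1)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    peak_per_sec = max(opens_per_sec.values(), default=0)
    scale = 1 + margin_pct / 100.0
    return Limits(
        new_sessions_per_sec=math.ceil(peak_per_sec * scale),
        sessions_per_client=math.ceil(peak_per_client * scale),
    )


def check_against_limits(events, limits):
    """Enforcement mode: replay events against Limits.

    Returns (seconds_over_rate, clients_over_limit). Each is reported once,
    at the event that first crosses the limit, so a flood yields one finding
    per second / per client rather than one per packet.
    """
    opens_per_sec = Counter()
    concurrent = defaultdict(int)
    seconds_over, clients_over = [], []
    for ts, client, kind in events:
        if kind == "open":
            opens_per_sec[ts] += 1
            if opens_per_sec[ts] == limits.new_sessions_per_sec + 1:
                seconds_over.append(ts)
            concurrent[client] += 1
            if concurrent[client] == limits.sessions_per_client + 1:
                clients_over.append(client)
        elif kind == "close":
            concurrent[client] = max(0, concurrent[client] - 1)
    return seconds_over, clients_over


def rate_increase_pct(events, now_ts, window_s):
    """Window-over-window check ("alert on an 80% increase over the last
    2 hours" style): percent change in new sessions between the window ending
    at now_ts and the window just before it. None if the earlier window is
    empty, because there is no baseline to compare against."""
    def opens_in(lo, hi):
        return sum(1 for ts, _, k in events if k == "open" and lo < ts <= hi)
    recent = opens_in(now_ts - window_s, now_ts)
    earlier = opens_in(now_ts - 2 * window_s, now_ts - window_s)
    if earlier == 0:
        return None
    return (recent - earlier) * 100.0 / earlier


def _opens(ts, *clients):
    return [(ts, c, "open") for c in clients]


# Constructed learning-window sample: peak of 4 new sessions in second 2,
# and client 10.0.0.1 holding 3 concurrent sessions in second 1.
LEARNING_EVENTS = (
    _opens(0, "10.0.0.1", "10.0.0.2")
    + _opens(1, "10.0.0.1", "10.0.0.3", "10.0.0.1")
    + [(2, "10.0.0.1", "close")]
    + _opens(2, "10.0.0.4", "10.0.0.5", "10.0.0.6", "10.0.0.2")
    + [(3, "10.0.0.2", "close"), (3, "10.0.0.1", "close")]
    + _opens(4, "10.0.0.7")
)

# Constructed enforcement sample: 6 new sessions from 6 clients in one second
# (over the per-second limit), then one client opening 5 sessions at once
# (under the per-second limit but over the per-client limit).
TRAFFIC_EVENTS = (
    _opens(100, *[f"10.1.0.{i}" for i in range(1, 7)])
    + _opens(101, *["10.2.0.9"] * 5)
)

if __name__ == "__main__":
    limits = learn_baseline(LEARNING_EVENTS, margin_pct=25)
    print("learned limits:", limits)
    print("breaches:", check_against_limits(TRAFFIC_EVENTS, limits))
```

Because `check_against_limits` reports a breach once per second or per client, it also addresses the logging-volume problem Paul raises later in the thread: a botnet does not produce thousands of findings per second.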
Re: IPS - Cisco vs. McAfee vs. Tippingpoint

--On Wednesday, July 29, 2009 12:25:16 +0000 Hurgel Bumpf <l0rd_lunatic@...> wrote:

> Hi List,
>
> I need to protect a "realtime" website with an inline IPS from (D)DoS attacks.
>
> I had some bad experience with a Tippingpoint UnityOne 2400 field test. The device dropped too many sessions until all connectivity was lost. After that no investigation was possible, as TP logs all attack information with IP address 0.0.0.0.

If this is true, the box was incorrectly sized for your traffic. We've had TP inline for years and have never lost packets or connectivity. It *is* possible to overload the device if you try to log absolutely everything and enable every filter on the box.

> The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would lead to delayed packets.

What vendor? Tippingpoint? Or a VAR? Whoever it was, it sounds like they don't know what they're doing.

Not sure what you mean by this statement, but any device can be DoS'd by excessive logging or by enabling every single rule the box is capable of parsing.

> This is unacceptable.
>
> I'm now looking forward to testing a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance.
>
> Who has good/bad experience with those devices? Is it true that all devices don't log IP addresses?

I can't imagine an IPS that wouldn't log IP addresses. That's the entire point of the device, isn't it? TP certainly does.

It seems there's more to this story than you are giving us.

> My dream appliance would be able to run in a 7-day learning mode which counts max new sessions per second, max sessions per client and so on. After these 7 days it creates a filter with +x% of the learned values and sets these limits active.
>
> A big problem is that I have to install it into the production system to get the real values. I don't have any fixed values regarding new sessions per second, and I can't just guess and set values and render the system offline.
>
> All information is highly appreciated!

My first suggestion would be, don't put a demo/eval IPS inline. Put it in listening mode, watch the traffic and figure out what's going on with your network without taking it down. Had you done this with the 2400, you would have realized it was undersized without creating a disaster scenario.

I don't really care what you purchase, but please do Cisco and McAfee a favor. Don't put their devices inline while you're doing your evaluation. Use them like an IDS, enable whatever you want and let the box tell you what it *would* have done had you placed it inline.

Once you've found whatever it is you're looking for, you should be able to put it inline with a high degree of confidence that it will perform as expected.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.

RE: IPS - Cisco vs. McAfee vs. Tippingpoint

Since this is for a website, have you checked some of the web application firewalls like WebDefend? It does learning and I think has a threshold to alert on new session spikes, etc. It installs either in-line or not in-line, but with extra ports available to send RST to both ends, etc.

David Henning, CISSP, GCPM
Hughes Network Systems, LLC
Principal Security Analyst
301-428-5533

Re: IPS - Cisco vs. McAfee vs. Tippingpoint

Since everything has been thrown in except the kitchen sink, I'd probably suggest: http://www.sourcefire.com

J

--
Joel Esler | http://joelesler.net

Re: IPS - Cisco vs. McAfee vs. Tippingpoint

Hurgel,

While I think you'll be happy with the features and performance of Cisco's IPS (especially if you are using 7.0 software, which comes with Reputation Filtering and Global Correlation capabilities), you should keep in mind that an IPS is not always the best solution for DDoS protection. Depending on the type and severity of the DDoS attack, the IPS may provide what you are looking for, especially if you configure it to block or rate-limit on an upstream device, like a router, switch, or firewall.

You may also want to take a look at Arbor's Peakflow products, as well as Cisco's Guard/Detector products. Both of these are designed with DDoS protection as primary features. They also are typically deployed both at the customer's site, as well as upstream, so that DDoS traffic is never eating up your bandwidth to the Internet once an attack is detected.

Gary

Re: IPS - Cisco vs. McAfee vs. Tippingpoint

> Hi List,
>
> I need to protect a "realtime" website with an inline IPS from (D)DoS attacks.

You should not be looking at Cisco, McAfee, or Tippingpoint (or, as some have suggested, Sourcefire or Fortinet). None of them specializes in DoS attacks, and all will give you fairly poor results if that's your main concern. This is not to say that these aren't great products when used as designed; it's just to point out that none of them are designed to be very good at DoS protections. I'm sure that the sales droids are happy to tell you that they're good DoS boxes but, as you found out, they aren't.

You want to look at products that focus on DoS (and other rate-based attacks), probably starting with TopLayer and Arbor (someone else already suggested that), but also Mazu (now part of Riverbed). There are also some smaller companies that have had success in this space. For example, one of our customers bought a DoS mitigation box from Riorey (http://www.riorey.com/) and they think it's the bee's knees.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
jms@... http://www.opus1.com/jms

Re: IPS - Cisco vs. McAfee vs. Tippingpoint

> Since everything has been thrown in except the kitchen sink, I'd
> probably suggest:
>
> http://www.sourcefire.com

:) Not everything, IBM ISS Proventia (and probably some other vendors too) wasn't included...

-Laurens

Re: IPS - Cisco vs. McAfee vs. TippingpointHurgel Bumpf skrev: > Hi List, > > i need to protect a "realtime" website with an inline IPS from (D)DOS attacks. An IPS is not the solution if this is just to protect against DDoS, as many are saying already. It is to close to your infrastructure... > > I had some bad experience with Tippingpoint UnityOne 2400 field test. The device dropped to much sessions until all connectivity was lost. > After that no investigation was not possible as TP logs all attack information with IP address 0.0.0.0 What "DDoS" filter gave you these hits? What was the test? Doesn't sound like the attack was an application level attack, but more like a network attack...which, as I say above, an IPS won't help you with, since your connections are clogged anyway. > > The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would lead to delayed packages) > > This is unacceptable. > > i'm now looking forward to test a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance. > > Who has a good/bad experience with that devices? Is it true that all devices don't log ip adresses? In some scenarios, the inline devices are having issues with logging IPs. Just like you will have issues going through all IPs in a bot net DDoS attack as well. And what do you need the IPs for? Do you have the man power to go through several thousand IPs? ;) > > My dream appliance would be able to run like in a 7 day learning mode which counts max new sessions per second, max sessions per client aso. After this 7 days it creates a filter with +x% of the learned values and sets these limits active. > > A big problem is that i have to install it into the productive system to get the real values. I dont have any fixed values regarding the new sessions per second and i cant just guess and set values and render the system offline. 
http://netoptics.com/ or http://www.vssmonitoring.com/products/overview.asp might help you with this. You can get your solution to look at the real traffic without interfering. > > All information is highly appreciated! > > Thank you very much for your time, > > Andre > If you are affraid of network based DDoS attacks, talk to your ISP to see what services they are offering, or look at a netflow solution and see if you can do something with BGP in your infrastructure. If you are affraid of application level based DDoS, an IPS or Application Firewall might help, though I've heard stories of configuration nightmares with the latter ones. But it is very rare that you'll find the solution to DDoS threats with a box on the wire by itself... > > > ----------------------------------------------------------------- > Securing Your Online Data Transfer with SSL. > A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. > http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194 > > ----------------------------------------------------------------- Securing Your Online Data Transfer with SSL. A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194 |
Re: IPS - Cisco vs. McAfee vs. Tippingpoint

Joel Snyder wrote:
>> Hi List,
>>
>> I need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
>
> You should not be looking at Cisco, McAfee, or Tippingpoint (or, as some have suggested, Sourcefire or Fortinet). None of them specializes in DoS attacks, and all will give you fairly poor results if that's your main concern. This is not to say that these aren't great products when used as designed; it's just to point out that none of them are designed to be very good at DoS protections. I'm sure that the sales droids are happy to tell you that they're good DoS boxes but, as you found out, they aren't.
>
> You want to look at products that focus on DoS (and other rate-based attacks), probably starting with TopLayer and Arbor (someone else already suggested that), but also Mazu (now part of Riverbed). There are also some smaller companies that have had success in this space. For example, one of our customers bought a DoS mitigation box from Riorey (http://www.riorey.com/) and they think it's the bees knees.
>
> jms

I do agree with Joel on this.

Another vendor worth looking at is the Radware DefensePro.

Ronny

Re: IPS - Cisco vs. McAfee vs. Tippingpoint

WoW! Thank you for all your input right now! I will look into everything and will give you some more details regarding this tomorrow.

This list rocks :)

Andre

Re: IPS - Cisco vs. McAfee vs. Tippingpoint

Yes, Radware DefensePro (www.radware.com) is an excellent solution for DDOS protection. Give it a try. You can find more info about it in Russian on http://www.64bit.ru/?p=193

2009/7/30 Ronny Vaningh <ronny@...>
> Joel Snyder wrote:
>>> Hi List,
>>>
>>> I need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
>>
>> You should not be looking at Cisco, McAfee, or Tippingpoint (or, as some have suggested, Sourcefire or Fortinet). None of them specializes in DoS attacks, and all will give you fairly poor results if that's your main concern. This is not to say that these aren't great products when used as designed; it's just to point out that none of them are designed to be very good at DoS protections. I'm sure that the sales droids are happy to tell you that they're good DoS boxes but, as you found out, they aren't.
>>
>> You want to look at products that focus on DoS (and other rate-based attacks), probably starting with TopLayer and Arbor (someone else already suggested that), but also Mazu (now part of Riverbed). There are also some smaller companies that have had success in this space. For example, one of our customers bought a DoS mitigation box from Riorey (http://www.riorey.com/) and they think it's the bees knees.
>>
>> jms
>
> I do agree with Joel on this.
>
> Another vendor worth looking at is the Radware DefensePro.
>
> Ronny

--
http://lcl.sytes.net:3880

RE: IPS - Cisco vs. McAfee vs. Tippingpoint

Hi Michael,

this looks very interesting! Thank you for the link. I'll get in touch with them to receive more information.

Andre

--- BARDINI, MICHAEL <michael.bardini@...> wrote on Wed, 29.7.2009:

> From: BARDINI, MICHAEL <michael.bardini@...>
> Subject: RE: IPS - Cisco vs. McAfee vs. Tippingpoint
> To: "Hurgel Bumpf" <l0rd_lunatic@...>, "focus-ids@..." <focus-ids@...>
> Date: Wednesday, 29 July 2009, 11:39
>
> Have you looked at Arbor Networks Peakflow CP and TM systems? If not http://www.arbornetworks.com/peakflowsp
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On Behalf Of Hurgel Bumpf
> Sent: Wednesday, July 29, 2009 5:25 AM
> To: focus-ids@...
> Subject: IPS - Cisco vs. McAfee vs. Tippingpoint
>
> Hi List,
>
> I need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
>
> I had some bad experience with a Tippingpoint UnityOne 2400 field test. The device dropped too many sessions until all connectivity was lost.
> After that no investigation was possible as TP logs all attack information with IP address 0.0.0.0
>
> The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would lead to delayed packages.
>
> This is unacceptable.
>
> I'm now looking forward to testing a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance.
>
> Who has good/bad experience with those devices? Is it true that all devices don't log IP addresses?
>
> My dream appliance would be able to run in a 7 day learning mode which counts max new sessions per second, max sessions per client and so on. After these 7 days it creates a filter with +x% of the learned values and sets these limits active.
>
> A big problem is that I have to install it into the productive system to get the real values. I don't have any fixed values regarding the new sessions per second and I can't just guess and set values and render the system offline.
>
> All information is highly appreciated!
>
> Thank you very much for your time,
>
> Andre

RE: IPS - Cisco vs. McAfee vs. Tippingpoint

Hi Diego,

thank you for your email. I'm certified for Fortinet devices. So I know they are some "fully featured network edge security devices". They are not designed for our intentions :)

BR,
Andre

--- Diego Garay <dgaray@...> wrote on Wed, 29.7.2009:

> From: Diego Garay <dgaray@...>
> Subject: RE: IPS - Cisco vs. McAfee vs. Tippingpoint
> To: "'Hurgel Bumpf'" <l0rd_lunatic@...>, focus-ids@...
> Date: Wednesday, 29 July 2009, 11:32
>
> Hi
> This product can help
>
> http://www.fortinet.com/products/fortiweb/
>
> or
> http://www.fortinet.com/products/fortigate/
>
> P.S.:
> I hope it will not be taken as spam :S
>
> Diego
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On Behalf Of Hurgel Bumpf
> Sent: Wednesday, 29 July 2009 09:25 a.m.
> To: focus-ids@...
> Subject: IPS - Cisco vs. McAfee vs. Tippingpoint
>
> Hi List,
>
> I need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
>
> I had some bad experience with a Tippingpoint UnityOne 2400 field test. The device dropped too many sessions until all connectivity was lost.
> After that no investigation was possible as TP logs all attack information with IP address 0.0.0.0
>
> The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would lead to delayed packages.
>
> This is unacceptable.
>
> I'm now looking forward to testing a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance.
>
> Who has good/bad experience with those devices? Is it true that all devices don't log IP addresses?
>
> My dream appliance would be able to run in a 7 day learning mode which counts max new sessions per second, max sessions per client and so on. After these 7 days it creates a filter with +x% of the learned values and sets these limits active.
>
> A big problem is that I have to install it into the productive system to get the real values. I don't have any fixed values regarding the new sessions per second and I can't just guess and set values and render the system offline.
>
> All information is highly appreciated!
>
> Thank you very much for your time,
>
> Andre

Re: IPS - Cisco vs. McAfee vs. Tippingpoint

Hi Laurens,

So, how did you do your deployment, and which product did you choose and why? :)

Thank you for your time!

Andre

--- Laurens Vets <laurens@...> wrote on Wed, 29.7.2009:

> From: Laurens Vets <laurens@...>
> Subject: Re: IPS - Cisco vs. McAfee vs. Tippingpoint
> To: focus-ids@...
> CC: "Hurgel Bumpf" <l0rd_lunatic@...>
> Date: Wednesday, 29 July 2009, 11:55
>
> Hey Andre,
>
> > I need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
>
> That's going to be tough with an IPS...
>
> > I had some bad experience with a Tippingpoint UnityOne 2400 field test. The device dropped too many sessions until all connectivity was lost. After that no investigation was possible as TP logs all attack information with IP address 0.0.0.0
> > The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would lead to delayed packages.
> >
> > This is unacceptable.
> >
> > I'm now looking forward to testing a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance.
> > Who has good/bad experience with those devices? Is it true that all devices don't log IP addresses?
>
> If you want to block a DDOS with an IPS, good luck with that :) Normally, most devices do log source and destination addresses. However, depending on the alert generated by the IPS, you still might see 0.0.0.0 as source for instance. This means that the alert triggered with a lot of different source addresses.
>
> > My dream appliance would be able to run in a 7 day learning mode which counts max new sessions per second, max sessions per client and so on. After these 7 days it creates a filter with +x% of the learned values and sets these limits active.
>
> I don't think any of the systems mentioned above can actually do this. I'll talk in general terms as I only have experience with Cisco (and other IPSes you didn't mention).
>
> IPSes inspect traffic for defined patterns in that traffic. They will generally see that there's a lot of traffic when there's a (D)DOS (and can report some of it, e.g. it will notice a SYN flood for instance), but if the traffic is legitimate (e.g. 'normal' HTTP requests to http://company.com, but coming from a lot of different sources) it won't "see" anything bad and can't take action on this traffic.
> I don't think a Cisco IPS can do statistical analysis of the traffic (e.g. "alert when this type of traffic has an 80% increase over the last 2 hours").
>
> If an IPS sees too many packets to process (legitimate or not), it will either drop them or pass them unanalyzed.
>
> > A big problem is that I have to install it into the productive system to get the real values. I don't have any fixed values regarding the new sessions per second and I can't just guess and set values and render the system offline.
>
> Most inline IPSes can be put inline without actually blocking anything, usually called learning mode or monitoring mode.
>
> Hope this helps a bit.
>
> -Laurens

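The "learning mode" Andre describes (count peak new sessions per second and peak sessions per client, then enforce at +x%) and the statistical check Laurens says a signature IPS does not do ("alert when this type of traffic has an 80% increase over the last 2 hours"), worked through as an added example. This is not code from the thread, from Cisco, McAfee, Tippingpoint or any other vendor mentioned; it is a small Python model run over constructed flow records (the kind of per-session data a tap or netflow export would give you without touching the production path). The 25% margin, the window lengths and the documentation-range addresses are assumptions. The second scenario is Laurens's point made concrete: two hundred sources each behaving like a normal client trip the aggregate limit but no per-client limit, so a box in front of the server has no address it can act on.

```python
# Added example, not from the thread or any vendor product: a minimal
# "learning mode" for new-sessions-per-second and sessions-per-client limits,
# plus a window-over-window percentage check, run over constructed flow records.
from collections import Counter
from math import ceil


def make_flows(seconds, clients, per_client_per_sec, start=0, dport=80):
    """Constructed stand-in for tap/netflow data: one (ts, src, dport) tuple
    per new TCP session attempt. Every client opens per_client_per_sec
    sessions in each second of the window [start, start + seconds)."""
    return [
        (start + s, client, dport)
        for s in range(seconds)
        for client in clients
        for _ in range(per_client_per_sec)
    ]


def learn_baseline(flows, margin=0.25):
    """Learning mode: observe peak new sessions/sec and peak sessions per
    client per second, then set each limit at peak * (1 + margin).
    The margin is the '+x%' from the thread; 25% is an arbitrary assumption."""
    per_sec = Counter(ts for ts, _, _ in flows)
    per_client_sec = Counter((src, ts) for ts, src, _ in flows)
    return {
        "new_sessions_per_sec": ceil(max(per_sec.values()) * (1 + margin)),
        "sessions_per_client_per_sec": ceil(max(per_client_sec.values()) * (1 + margin)),
    }


def enforce(flows, limits):
    """Enforcement mode. Returns (rate_alerts, offenders): one (ts, count)
    per second whose aggregate new-session count exceeds the limit, and the
    sorted set of sources that exceeded the per-client limit in any second.
    Only the offenders are something an inline box could block by address."""
    per_sec = Counter(ts for ts, _, _ in flows)
    per_client_sec = Counter((src, ts) for ts, src, _ in flows)
    rate_alerts = [
        (ts, n) for ts, n in sorted(per_sec.items())
        if n > limits["new_sessions_per_sec"]
    ]
    offenders = sorted({
        src for (src, _), n in per_client_sec.items()
        if n > limits["sessions_per_client_per_sec"]
    })
    return rate_alerts, offenders


def pct_increase(prev_flows, cur_flows):
    """Statistical check: mean new sessions/sec of the current window relative
    to the previous window, as a percentage (80.0 means +80%)."""
    def mean_rate(flows):
        if not flows:
            return 0.0
        return len(flows) / len({ts for ts, _, _ in flows})
    prev, cur = mean_rate(prev_flows), mean_rate(cur_flows)
    if prev == 0:
        return float("inf") if cur else 0.0
    return (cur - prev) / prev * 100


# --- constructed scenarios (documentation-range addresses, not real hosts) ---
LEGIT_CLIENTS = ["10.0.0.%d" % i for i in range(1, 21)]   # 20 ordinary clients

# Learning window: 60 s of normal traffic, 2 new sessions/s per client,
# i.e. a peak of 40 new sessions/s and 2 per client per second.
BASELINE = make_flows(60, LEGIT_CLIENTS, 2)
LIMITS = learn_baseline(BASELINE)   # -> 50 new sessions/s, 3 per client per second

# Scenario 1: five noisy bots at 30 new sessions/s each, on top of normal load.
FLOOD = (make_flows(10, LEGIT_CLIENTS, 2, start=60)
         + make_flows(5, ["203.0.113.%d" % i for i in range(1, 6)], 30, start=65))

# Scenario 2: 200 bots, each opening one session per second, so each one
# individually looks like a legitimate client.
DISTRIBUTED = (make_flows(10, LEGIT_CLIENTS, 2, start=60)
               + make_flows(10, ["198.51.100.%d" % i for i in range(1, 201)], 1, start=60))


if __name__ == "__main__":
    print("learned limits:", LIMITS)
    for name, window in (("flood", FLOOD), ("distributed", DISTRIBUTED)):
        alerts, offenders = enforce(window, LIMITS)
        print(name, "seconds over limit:", [ts for ts, _ in alerts],
              "blockable sources:", offenders,
              "rate change vs baseline: %+.1f%%" % pct_increase(BASELINE, window))
```

Run it and the flood scenario yields five alerting seconds and five blockable /32s; the distributed scenario yields ten alerting seconds and an empty offender list, which is exactly the case where the only remaining options are rate-limiting the whole service or handing the problem upstream to the ISP.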
RE: IPS - Cisco vs. McAfee vs. Tippingpoint

Hello David,

The IPS is for the network edge; there are already some F5 load balancers and ASM modules running for protecting the web apps. We need to unload these.

Thank you,
Andre

--- David Henning <David.Henning@...> wrote on Wed, 29.7.2009:

> From: David Henning <David.Henning@...>
> Subject: RE: IPS - Cisco vs. McAfee vs. Tippingpoint
> To: "Hurgel Bumpf" <l0rd_lunatic@...>, "focus-ids@..." <focus-ids@...>
> Date: Wednesday, 29 July 2009, 13:05
>
> Since this is for a website, have you checked some of the web application firewalls like WebDefend? It does learning and I think has a threshold to alert for new session spikes, etc. It installs either in-line or not in-line but with extra ports available to send RST to both ends, etc.
>
> David Henning, CISSP, GCPM
> Hughes Network Systems, LLC
> Principal Security Analyst
> 301-428-5533
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On Behalf Of Hurgel Bumpf
> Sent: Wednesday, July 29, 2009 8:25 AM
> To: focus-ids@...
> Subject: IPS - Cisco vs. McAfee vs. Tippingpoint
>
> Hi List,
>
> I need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
>
> I had some bad experience with a Tippingpoint UnityOne 2400 field test. The device dropped too many sessions until all connectivity was lost.
> After that no investigation was possible as TP logs all attack information with IP address 0.0.0.0
>
> The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would lead to delayed packages.
>
> This is unacceptable.
>
> I'm now looking forward to testing a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance.
>
> Who has good/bad experience with those devices? Is it true that all devices don't log IP addresses?
>
> My dream appliance would be able to run in a 7 day learning mode which counts max new sessions per second, max sessions per client and so on. After these 7 days it creates a filter with +x% of the learned values and sets these limits active.
>
> A big problem is that I have to install it into the productive system to get the real values. I don't have any fixed values regarding the new sessions per second and I can't just guess and set values and render the system offline.
>
> All information is highly appreciated!
>
> Thank you very much for your time,
>
> Andre

Re: IPS - Cisco vs. McAfee vs. Tippingpoint

Hi Gary,

thank you for your valuable input. Indeed my main focus is on protecting our systems from (D)DOS attacks. I start to like the Peakflow product more and more.

Thank you all for pointing that out!

Andre

--- Gary Halleen <ghalleen@...> wrote on Wed, 29.7.2009:

> From: Gary Halleen <ghalleen@...>
> Subject: Re: IPS - Cisco vs. McAfee vs. Tippingpoint
> To: "Hurgel Bumpf" <l0rd_lunatic@...>, focus-ids@...
> Date: Wednesday, 29 July 2009, 15:07
>
> Hurgel,
>
> While I think you'll be happy with the features and performance of Cisco's IPS (especially if you are using 7.0 software, which comes with Reputation Filtering and Global Correlation capabilities), you should keep in mind that an IPS is not always the best solution for DDoS protection.
>
> Depending on the type and severity of the DDoS attack, the IPS may provide what you are looking for, especially if you configure it to block or rate-limit on an upstream device, like a router, switch, or firewall.
>
> You may also want to take a look at Arbor's Peakflow products, as well as Cisco's Guard/Detector products. Both of these are designed with DDoS protection as primary features. They also are typically deployed both at the customer's site, as well as upstream, so that DDoS traffic is never eating up your bandwidth to the Internet once an attack is detected.
>
> Gary
>
> On 7/29/09 5:25 AM, "Hurgel Bumpf" <l0rd_lunatic@...> wrote:
>
> > Hi List,
> >
> > I need to protect a "realtime" website with an inline IPS from (D)DOS attacks.
> >
> > I had some bad experience with a Tippingpoint UnityOne 2400 field test. The device dropped too many sessions until all connectivity was lost.
> > After that no investigation was possible as TP logs all attack information with IP address 0.0.0.0
> >
> > The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would lead to delayed packages.
> >
> > This is unacceptable.
> >
> > I'm now looking forward to testing a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance.
> >
> > Who has good/bad experience with those devices? Is it true that all devices don't log IP addresses?
> >
> > My dream appliance would be able to run in a 7 day learning mode which counts max new sessions per second, max sessions per client and so on. After these 7 days it creates a filter with +x% of the learned values and sets these limits active.
> >
> > A big problem is that I have to install it into the productive system to get the real values. I don't have any fixed values regarding the new sessions per second and I can't just guess and set values and render the system offline.
> >
> > All information is highly appreciated!
> >
> > Thank you very much for your time,
> >
> > Andre
