IDS Module for a Cisco 6509 blade switch

Posted on 2004-10-09
Last Modified: 2011-10-03
This past year we purchased and installed a Cisco 6509 blade switch and two other 4000 series blade switches. This next year I'm considering purchasing the IDS module.  

If you're currently using this product could you please give me your opinion on this product. Your answers will no doubt trigger some additional questions from me.

Thanks!
Question by: jhhaley

3 Comments
Accepted Solution by: Tim Holman (LVL 23, earned 750 total points)
ID: 12269974
The IDS module is pretty good, but what exactly will you be using IDS for ?
It's a forensics tool, and should be considered nothing else.  Although it supports TCP resets and session termination, there are sooooo many false positives generated by such things you would never ever want to turn these on, so in effect, most IDS purchasers are left with an advanced sniffing box.
Even Gartner recommend that companies should no longer make large investments in IDS.
The way forward is inline IPS - false positives are vastly reduced and you can actually take action and start blocking anomalous traffic without killing valid sessions.
..and yes, I've used the blade and all other 42xx Cisco IDS's.  Don't underestimate the time you need to set these things up, plus the 24/7 monitoring you would inevitably need to stay on top of things.
Author Comment by: jhhaley (LVL 1)
ID: 12282402
Can you provide a recommendation on an inline IPS or point me to a best of breed so I can read up on it?

I've Snort running, but I thought the module might actually give me another layer of protection. However I've been looking more at an IPS system and the module is not cheap. The money might best be spent elsewhere.
Expert Comment by: Tim Holman (LVL 23)
ID: 12285537
Performance is a crucial part of any IPS.  The device has to be fast enough to break up the packet, analyse it, and reassemble it with minimal latency.  This is even more important when you have large amounts of data, in either an enterprise or carrier-level network.  ..and SUPER-important if you're under a DDoS attack and need the raw processing power to ditch malicious packets in favour of legitimate ones.

Choice of an IPS will depend on:

1)  What resources you want to protect
2)  How commercially sensitive the downtime of these resources is (e.g. an online gaming company cannot afford any downtime, whereas www.joepublicshomepage.com probably wouldn't care...)

General recommendations would be:

1)  Never to go for an IPS that runs on an Intel platform - the processors are way too slow and not designed for network analysis (no matter what their salesmen say!)
2)  Choose an inline, self-managed IPS wherever possible for two reasons:
  a)  You will never get a favourable contract or terms and conditions from an ISP
  b)  You need to be inline to deal with fragmented packet streams and also see both ends of communication directly
 
There are many vendors who base their IPS products on a Linux platform and run on an Intel box - Radware DefensePro, Netscreen ISP, ISS Proventia, Check Point Entercept, Webscreen.. the list goes on.  I've personally tested all of these and they do not come up to scratch as the hardware is simply not fast enough.

The ONLY product that comes top is the TopLayer IPS 5500 Attack Mitigator series - ASIC/FPGA based, gigabit capable.  I liked it so much I'm now working for them... !  ;)
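Two points in the thread above are easy to see in code: an out-of-band sensor that inspects packets one at a time misses a pattern that TCP has split across segments (reason 2b for going inline), and a sensor that sees both ends of the conversation can grade an alert by the server's reply instead of firing on the request alone (the false-positive problem behind the TCP-reset advice). The following is an added example written for this page; it is not code from the thread, from Cisco, Snort, or any vendor named above. The signature string, the `Segment` layout, the `grade_event` severities and all segment data are constructed for illustration.

```python
"""Added example (not from the original thread or any product in it):
why TCP stream reassembly and bidirectional visibility matter for an IDS/IPS.

Constructed segments carry a hypothetical signature split across segment
boundaries and delivered out of order. Matching each packet on its own
misses it; reassembling the byte stream first finds it. A second check
uses the server's response to grade the event."""
from dataclasses import dataclass
from typing import Iterable

# Hypothetical signature a detector wants to flag in client requests.
SIGNATURE = b"EVIL-PATTERN"


@dataclass(frozen=True)
class Segment:
    direction: str   # "c2s" (client to server) or "s2c" (server to client)
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


def per_packet_match(segments: Iterable[Segment], signature: bytes) -> bool:
    """Naive matching: inspect each client-to-server packet on its own."""
    return any(signature in s.payload for s in segments if s.direction == "c2s")


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild one direction's byte stream from out-of-order, possibly
    overlapping segments. Bytes already in the stream are trimmed
    (first-received wins); a gap stops reassembly at the hole, because
    data after an unseen segment cannot be placed reliably."""
    stream = bytearray()
    next_seq = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if next_seq is None:
            next_seq = seg.seq
        end = seg.seq + len(seg.payload)
        if end <= next_seq:          # fully retransmitted data, nothing new
            continue
        if seg.seq > next_seq:       # hole in the stream: stop here
            break
        stream += seg.payload[next_seq - seg.seq:]   # drop overlapping prefix
        next_seq = end
    return bytes(stream)


def stream_match(segments: Iterable[Segment], signature: bytes) -> bool:
    """Match against the reassembled client-to-server stream."""
    c2s = [s for s in segments if s.direction == "c2s"]
    return signature in reassemble(c2s)


def grade_event(segments: Iterable[Segment], signature: bytes) -> str:
    """Use both directions: a matching request that drew an error from
    the server is graded lower than one the server accepted.
    Returns 'none', 'attempt' or 'likely-success' (constructed labels)."""
    segs = list(segments)
    if not stream_match(segs, signature):
        return "none"
    response = reassemble([s for s in segs if s.direction == "s2c"])
    status_line = response.split(b"\r\n", 1)[0]
    if status_line.startswith(b"HTTP/1.0 200"):
        return "likely-success"
    return "attempt"


# Constructed flow: the signature is split across three segments, delivered
# out of order, with one overlapping retransmission (seq 1021).
REQUEST_SEGMENTS = [
    Segment("c2s", 1024, b"TERN HTTP/1.0\r\n\r\n"),
    Segment("c2s", 1000, b"GET /index.html EV"),
    Segment("c2s", 1021, b"PATTERN"),
    Segment("c2s", 1018, b"IL-PAT"),
]
RESPONSE_OK = [Segment("s2c", 5000, b"HTTP/1.0 200 OK\r\n\r\n<html>...")]
RESPONSE_DENIED = [Segment("s2c", 5000, b"HTTP/1.0 403 Forbidden\r\n\r\n")]

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(REQUEST_SEGMENTS, SIGNATURE))
    print("stream match:    ", stream_match(REQUEST_SEGMENTS, SIGNATURE))
    print("server said 200: ", grade_event(REQUEST_SEGMENTS + RESPONSE_OK, SIGNATURE))
    print("server said 403: ", grade_event(REQUEST_SEGMENTS + RESPONSE_DENIED, SIGNATURE))
```

The per-packet check returns False on the same flow where the stream check returns True, which is the evasion window a sensor without reassembly leaves open. The overlap handling is the simple first-received-wins policy; real sensors must also model which policy the protected host applies, since a mismatch is itself a known evasion avenue, and that per-host modelling is part of the setup time the answer above warns about.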
