Solved

IDS Module for a Cisco 6509 blade switch

Posted on 2004-10-09
3
820 Views
Last Modified: 2011-10-03
This past year we purchased and installed a Cisco 6509 blade switch and two other 4000 series blade switches. This next year I'm considering purchasing the IDS module.  

If you're currently using this product could you please give me your opinion on this product. Your answers will no doubt trigger some addtional questions from me.

Thanks!
0
Comment
Question by:jhhaley
  • 2
3 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 12269974
The IDS module is pretty good, but what exactly will you be using IDS for ?
It's a forensics tool, and should be considered nothing else.  Although it supports TCP resets and session termination, there are sooooo many false positives generated by such things you would never ever want to turn these on, so in effect, most IDS purchasers are left with an advanced sniffing box.
Even Gartner recommend that companies should no longer make large investments in IDS.
The way forward is inline IPS - false positives are vastly reduced and you can actually take action and start blocking anomalous traffic without killing valid sessions.
..and yes, I've used the blade and all other 42xx Cisco IDS's.  Don't underestimate the time you need to set these things up, plus the 24/7 monitoring you would inevitably need to stay on top of things.
0
 
LVL 1

Author Comment

by:jhhaley
ID: 12282402
Can you provide a recommendation on an inline IPS or point me to a best of breed so I read up on it?

I've snort running, but I thought the module might actually give me another layer of protection. However I've been looking more at an IPS system and the module is not cheap. The money might best be spend elsewhere.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12285537
Performance is a crucial part of any IPS.  The device has to be fast enough to break up the packet, analyse it, and reassemble it with minimal latency.  This is even more important when you have large amounts of data, in either an enterprise or carrier-level network.  ..and SUPER-important if you're under a DDOS attack and need the raw processing power to ditch malicious packets in favour of legitimate ones.

Choice of an IPS will depend on:

1)  What resources you want to protect
2)  How commercially sensitive the downtime of these resources are (eg an online gaming company cannot afford any downtime, whereas www.joepublicshomepage.com probably wouldn't care...)

General recommendations would be:

1)  Never to go for an IPS that runs on an Intel platform - the processors are way too slow and not designed for network analysis (no matter what their salesmen say!)
2)  Choose an inline, self-managed IPS whereever possible for two reasons:
  a)  You will never get a favourable contract or terms and conditions from an ISP
  b)  You need to be inline to deal with fragmented packet streams and also see both ends of communication directly
 
There are many vendors whom base their IPS products on a Linux platform and run on an Intel box - Radware DefensePro, Netscreen ISP, ISS Proventia, Check Point Entercept, Webscreen.. the list goes on.  I've personally tested all of these and they do not come up to scratch as the hardware is simply not fast enough.

The ONLY product that comes top is the TopLayer IPS 5500 Attack Mitigator series - ASIC/FPGA based, gigabit capable.  I liked it so much I'm now working for them... !  ;)






0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now