[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 834
  • Last Modified:

IDS Module for a Cisco 6509 blade switch

This past year we purchased and installed a Cisco 6509 blade switch and two other 4000 series blade switches. This next year I'm considering purchasing the IDS module.  

If you're currently using this product could you please give me your opinion on this product. Your answers will no doubt trigger some addtional questions from me.

Thanks!
0
jhhaley
Asked:
jhhaley
  • 2
1 Solution
 
Tim HolmanCommented:
The IDS module is pretty good, but what exactly will you be using IDS for ?
It's a forensics tool, and should be considered nothing else.  Although it supports TCP resets and session termination, there are sooooo many false positives generated by such things you would never ever want to turn these on, so in effect, most IDS purchasers are left with an advanced sniffing box.
Even Gartner recommend that companies should no longer make large investments in IDS.
The way forward is inline IPS - false positives are vastly reduced and you can actually take action and start blocking anomalous traffic without killing valid sessions.
..and yes, I've used the blade and all other 42xx Cisco IDS's.  Don't underestimate the time you need to set these things up, plus the 24/7 monitoring you would inevitably need to stay on top of things.
0
 
jhhaleyAuthor Commented:
Can you provide a recommendation on an inline IPS or point me to a best of breed so I read up on it?

I've snort running, but I thought the module might actually give me another layer of protection. However I've been looking more at an IPS system and the module is not cheap. The money might best be spend elsewhere.
0
 
Tim HolmanCommented:
Performance is a crucial part of any IPS.  The device has to be fast enough to break up the packet, analyse it, and reassemble it with minimal latency.  This is even more important when you have large amounts of data, in either an enterprise or carrier-level network.  ..and SUPER-important if you're under a DDOS attack and need the raw processing power to ditch malicious packets in favour of legitimate ones.

Choice of an IPS will depend on:

1)  What resources you want to protect
2)  How commercially sensitive the downtime of these resources are (eg an online gaming company cannot afford any downtime, whereas www.joepublicshomepage.com probably wouldn't care...)

General recommendations would be:

1)  Never to go for an IPS that runs on an Intel platform - the processors are way too slow and not designed for network analysis (no matter what their salesmen say!)
2)  Choose an inline, self-managed IPS whereever possible for two reasons:
  a)  You will never get a favourable contract or terms and conditions from an ISP
  b)  You need to be inline to deal with fragmented packet streams and also see both ends of communication directly
 
There are many vendors whom base their IPS products on a Linux platform and run on an Intel box - Radware DefensePro, Netscreen ISP, ISS Proventia, Check Point Entercept, Webscreen.. the list goes on.  I've personally tested all of these and they do not come up to scratch as the hardware is simply not fast enough.

The ONLY product that comes top is the TopLayer IPS 5500 Attack Mitigator series - ASIC/FPGA based, gigabit capable.  I liked it so much I'm now working for them... !  ;)






0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now