Solved

IDS Module for a Cisco 6509 blade switch

Posted on 2004-10-09
3
823 Views
Last Modified: 2011-10-03
This past year we purchased and installed a Cisco 6509 blade switch and two other 4000 series blade switches. This next year I'm considering purchasing the IDS module.  

If you're currently using this product could you please give me your opinion on this product. Your answers will no doubt trigger some addtional questions from me.

Thanks!
0
Comment
Question by:jhhaley
  • 2
3 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 12269974
The IDS module is pretty good, but what exactly will you be using IDS for ?
It's a forensics tool, and should be considered nothing else.  Although it supports TCP resets and session termination, there are sooooo many false positives generated by such things you would never ever want to turn these on, so in effect, most IDS purchasers are left with an advanced sniffing box.
Even Gartner recommend that companies should no longer make large investments in IDS.
The way forward is inline IPS - false positives are vastly reduced and you can actually take action and start blocking anomalous traffic without killing valid sessions.
..and yes, I've used the blade and all other 42xx Cisco IDS's.  Don't underestimate the time you need to set these things up, plus the 24/7 monitoring you would inevitably need to stay on top of things.
0
 
LVL 1

Author Comment

by:jhhaley
ID: 12282402
Can you provide a recommendation on an inline IPS or point me to a best of breed so I read up on it?

I've snort running, but I thought the module might actually give me another layer of protection. However I've been looking more at an IPS system and the module is not cheap. The money might best be spend elsewhere.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12285537
Performance is a crucial part of any IPS.  The device has to be fast enough to break up the packet, analyse it, and reassemble it with minimal latency.  This is even more important when you have large amounts of data, in either an enterprise or carrier-level network.  ..and SUPER-important if you're under a DDOS attack and need the raw processing power to ditch malicious packets in favour of legitimate ones.

Choice of an IPS will depend on:

1)  What resources you want to protect
2)  How commercially sensitive the downtime of these resources are (eg an online gaming company cannot afford any downtime, whereas www.joepublicshomepage.com probably wouldn't care...)

General recommendations would be:

1)  Never to go for an IPS that runs on an Intel platform - the processors are way too slow and not designed for network analysis (no matter what their salesmen say!)
2)  Choose an inline, self-managed IPS whereever possible for two reasons:
  a)  You will never get a favourable contract or terms and conditions from an ISP
  b)  You need to be inline to deal with fragmented packet streams and also see both ends of communication directly
 
There are many vendors whom base their IPS products on a Linux platform and run on an Intel box - Radware DefensePro, Netscreen ISP, ISS Proventia, Check Point Entercept, Webscreen.. the list goes on.  I've personally tested all of these and they do not come up to scratch as the hardware is simply not fast enough.

The ONLY product that comes top is the TopLayer IPS 5500 Attack Mitigator series - ASIC/FPGA based, gigabit capable.  I liked it so much I'm now working for them... !  ;)






0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question