[unisog] Intrusion Prevention System (IPS) @ University

Joel Esler joel.esler at me.com
Mon Aug 16 12:33:35 GMT 2010

I usually try and not do this on this list, but seeing as I am a vendor (Sourcefire) let me add my two cents.

The amount of users really shouldn't matter when it comes to IPS.  At all.  In fact, none of your below criteria are big selection points.  We, as IPS vendors, can all do all three of those depending on how big of a box you want to buy.

The difference is features.  

Can you read the rules?  
Can you write your own?
What kind of documentation is provided for the rules?
How often are they updated?
How advanced (or granular) is the interface?

200 Mbps is a very easily achievable number.  It's only when you get up in the >10 Gig space where the air gets really thin in the IPS vendor space.


On Sun, Aug 15, 2010 at 05:11:31PM -0400, Vijay Sarvepalli wrote:
> TippingPoint is good for performance at the scale where you are talking about.  The SMS management is also reasonably easy.  However, you lose granular control with TippingPoint and reporting interface is poorly designed.
> I am not as familiar with Cisco IPS, but from early testing..
> I remember Cisco IPS to be not great for performance.  The management also is not very friendly.
> Note IPS does not remove your need for other monitoring.  TippingPoint type products provide good 1st level filtering which blocks lots of generic threats and scripted "probing" or reconnaissance to your environment.   That is all they can do.  But they do make a good business case for "automated filtering" of level 1 and level 2 threats.
> Vijay 
> From: Zamri Besar 
> Sent: Sunday, August 15, 2010 12:57 PM
> To: unisog at lists.dshield.org 
> Subject: [unisog] Intrusion Prevention System (IPS) @ University
> Dear all,
> At this moment, I'm in the middle of evaluating potential network IPS for my company, and two candidates are HP TippingPoint and Cisco IPS. As I do believe most of you in unisog deploy same or different products, therefore may I seek your help for advice and comments regarding any deployment of IPS in your university?
> Some of criteria are:
> 1. More than 6000 end-users online concurrently
> 2. IPv4 and IPv6 support
> 3. Internet bandwidth, as example is 200Mbps
> Thank you and have a nice day!
