[unisog] IDS Recommendations

Joel Gridley jarmaug at tufts.edu
Mon Dec 29 15:01:55 GMT 2003


We looked at the Tippingpoint IPS last summer while conducting
our own IDS/IPS evaluation.

What I found during the eval of the Tippingpoint product, other
than the fact that the SE's really need to learn about virus
protecting the laptops they bring to a site, was that it is a very
good turnkey product for non-IDS-savvy shops. At the time of
our evaluation, custom signatures were not available in the current
release of code, and what we saw of the beta release was not
very promising. You basically have to trust the idea that Tippingpoint
gives you the signatures you need. The only customization at the
time of our eval was if you alerted or blocked, or both, or neither.

If you like tippingpoint, you would LOVE intruvert's Intrushield product.
Unlike tippingpoint's asic, the intrushield asic is specifially made for 
IPS/IDS,
which gives you additional (if only barely) horsepower. The management
of the intruvert product is very impressive, very granular control over both
the signature sets and the user permissions. Custom signatures are fairly
easy to compose and implement, along with customization of intruvert
provided signatures - which is of some importance at least in my world.

Another thing that I didn't like about the Tippingpoint box, and what John
provided as a requirement was that at the time of our eval, the appliance
came with Gbic interfaces that were not interchangeable. If you had a
Gbic failed, you had to ship the whole box back to replace. The intruvert
box, you provide your own Gbics - and if you use multimode, with the
latest rev of code, you also get "fail close" (traffic continues to pass)
capabilities so your IPS does not become a point of failure. I don't believe
the Tippingpoint appliance has that capability, but it's been a while since
our evaluation.

Again, these are the findings from our evaluation of Tippingpoint, ISS,
Intruvert, and Dragon (had a hard time explaining to Enterasys that a linux
box with rivets instead of screws does not constitute a 'network 
appliance').

Intruvert won hands down. But Tippingpoint would have been right up there
had I been inclined to trust someone else to my IDS/IPS needs.

Joel Gridley, CISSP


dugbrown at email.unc.edu wrote:

>Quoting "Stauffacher, John" <stauffacher at chapman.edu>:
>
>  
>
>>All,
>>
>>I have been tasked with evaluating commercial IDS systems (our snort
>>array is nice but does not have the "blinky" factor that management
>>loves). So what are other people using and how well does it work? I
>>    
>>
>...
>  
>
>>it must have interchangeable NICs, and some sort of scalability.
>>    
>>
>
>
>Hi John,
>
>For fear of starting some sort of religious argument have you 
>considered an IPS system vs. an IDS system?  Without going into 
>possibly unnecessary detail I will say that we are using Tipping Point 
>(http://www.tippingpoint.com) and have been very happy with the results 
>and available functions.  We found the company's claims difficult to 
>believe until we tried a unit ourselves and found that it did 
>everything they claim, and with the most recent OS release our units do 
>even more.  Almost no latency and almost no false positives.  If you or 
>anyone else would like additional information please feel free to ask.
>
>Happy Holidays,
>-Doug
>  
>



More information about the unisog mailing list