[unisog] IDS Recommendations

Douglas Brown dugbrown at email.unc.edu
Mon Dec 29 15:30:38 GMT 2003

I'd like to believe we're a savvy shop having been using both Snort and 
Dragon for close to four years.

We had both Intruvert and Tipping Point on different parts of our 
network in August when the various things hit; we found Tipping Point 
performed better.  Different strokes for different folks.

You can write custom signatures for Tipping Point.

The GBICs are SFPs and are interchangeable.

They do have the fail open option.

Douglas Brown, CISSP
Manager of Security Resources
UNC Chapel Hill
Abernethy 105

Joel Gridley wrote:
> We looked at the Tippingpoint IPS last summer while conducting
> our own IDS/IPS evaluation.
> What I found during the eval of the Tippingpoint product, other
> than the fact that the SE's really need to learn about virus
> protecting the laptops they bring to a site, was that it is a very
> good turnkey product for non-IDS-savvy shops. At the time of
> our evaluation, custom signatures were not available in the current
> release of code, and what we saw of the beta release was not
> very promising. You basically have to trust the idea that Tippingpoint
> gives you the signatures you need. The only customization at the
> time of our eval was if you alerted or blocked, or both, or neither.
> If you like tippingpoint, you would LOVE intruvert's Intrushield product.
> Unlike tippingpoint's asic, the intrushield asic is specifially made for 
> which gives you additional (if only barely) horsepower. The management
> of the intruvert product is very impressive, very granular control over 
> both
> the signature sets and the user permissions. Custom signatures are fairly
> easy to compose and implement, along with customization of intruvert
> provided signatures - which is of some importance at least in my world.
> Another thing that I didn't like about the Tippingpoint box, and what John
> provided as a requirement was that at the time of our eval, the appliance
> came with Gbic interfaces that were not interchangeable. If you had a
> Gbic failed, you had to ship the whole box back to replace. The intruvert
> box, you provide your own Gbics - and if you use multimode, with the
> latest rev of code, you also get "fail close" (traffic continues to pass)
> capabilities so your IPS does not become a point of failure. I don't 
> believe
> the Tippingpoint appliance has that capability, but it's been a while since
> our evaluation.
> Again, these are the findings from our evaluation of Tippingpoint, ISS,
> Intruvert, and Dragon (had a hard time explaining to Enterasys that a linux
> box with rivets instead of screws does not constitute a 'network 
> appliance').
> Intruvert won hands down. But Tippingpoint would have been right up there
> had I been inclined to trust someone else to my IDS/IPS needs.
> Joel Gridley, CISSP
> dugbrown at email.unc.edu wrote:
>> Quoting "Stauffacher, John" <stauffacher at chapman.edu>:
>>> All,
>>> I have been tasked with evaluating commercial IDS systems (our snort
>>> array is nice but does not have the "blinky" factor that management
>>> loves). So what are other people using and how well does it work? I
>> ...
>>> it must have interchangeable NICs, and some sort of scalability.
>> Hi John,
>> For fear of starting some sort of religious argument have you 
>> considered an IPS system vs. an IDS system?  Without going into 
>> possibly unnecessary detail I will say that we are using Tipping Point 
>> (http://www.tippingpoint.com) and have been very happy with the 
>> results and available functions.  We found the company's claims 
>> difficult to believe until we tried a unit ourselves and found that it 
>> did everything they claim, and with the most recent OS release our 
>> units do even more.  Almost no latency and almost no false positives.  
>> If you or anyone else would like additional information please feel 
>> free to ask.
>> Happy Holidays,
>> -Doug

More information about the unisog mailing list