On Fri, Jun 17, 2005 at 10:06:23AM -0700, Ryan Sumida wrote:
> I'm not very familiar with Argus but I've heard many good things about it. 
> That being said, our Network group did a short eval of the Counterpoint 
> appliance about 4 months ago.  One feature that may differentiate it from 
> Argus is that it can also run active prevention mechanisms along with 
> passively monitoring the network.  ARP manipulation and tarpitting/honey 
> pots are among the feature sets. 
	The most interesting point at the pre-CanSecWest education meeting
(other than, at 1/2 FTE, being by far the smallest security-staffed :-)) was 
two sites that had deployed IPS (both on this list, so they can correct
me if I'm misstating this). In both cases they were set to the most 
conservative block value to avoid false positives and were being used to front the 
IDS (snort and argus in one case, dragon in the other) to cut down on the IDS
output rather than to do the entire job as the IPS salesman tells you (or at 
least us) it will. We did an eval on one, but in the end it couldn't handle
the asymmetric routes (even with the stateful firewall disabled) that are a 
fact of life on our CA*4net/I2 and commodity internet links (simply because of
policy differences on the research networks). As seems to be the case with the
other folks, even with the IPS filtering viruses in email our current virus 
detection solution was still flagging viruses. To be fair, we couldn't get the
IPS stable for long enough to be able to log the viruses the current detector
was finding to see if they had in fact been caught by the IPS (which starts
to forward traffic while it is scanning) or not. Some of the other IPS solutions
are reputed to be able to deal with asymmetric routes across multiple links
(and of course argus is happy with it, and in fact will properly merge the
two streams post-capture if you want), so I may try one of those, although if
we still need to do something further I'm not sure it's worth it.

