Domain: tippingpoint.com
Stories and comments across the archive that link to tippingpoint.com.
Comments · 62
-
Re:WinXP/2K 'incubation'?
How does that represent a risk? Well, with a reasonably carefully designed network with internal firewalls as well as perimeter ones - probably not a great deal. (Bear in mind that 95% of organisations don't worry that much about internal threats, despite evidence to suggest that they should).
You can only segment your network so much. At a certain point, spyware on one computer can be damaging in a security "critical" environment. (Obviously if security were the most important thing, the device would not be networked.)
Companies are now turning towards IPS systems (like 3Com's TippingPoint IPS) to detect and handle internal threats. With all the news about data theft, and employees losing laptops with sensitive data, I think it's the duty of the company to ensure that data is well protected on an individual level, don't you?
-
3Com TippingPoint X505
We've been beta testing a new product from 3Com that was announced last week. It's their TippingPoint X505. So far it's been a very robust hardware network appliance firewall and quite stable. The price should be much less (probably half of what you are showing) and is pretty feature laden. It's got intrusion prevention, VPN access, full firewall, and even content management and filtering so you can block questionable content.
Also someone else mentioned it but running on a network box that runs a hardened OS is going to be more secure out of the box than running on a standard OS with the security software on top of that. You've still got to go through the OS before you hit your security software and there will be problems with the OS.
Check it out here http://www.tippingpoint.com/products_X505.html
-
Re:write-up says it all
While everything you say is true, I submit that it is not a full view of the picture. I've been studying IPS for over a year now for a government study that has recently been given the go ahead for a large scale pilot program.
Modern IPS do more than Snort does, which is more or less signature detection (please, I'm aware of the protocol anomaly stuff Snort does, but let's be honest with ourselves and say that it is limited in scope). IPS today have the concept of a "Vulnerability Filter" or "Virtual Patch" which actually understands the context of the vulnerability it is detecting, and as such is able to detect/prevent attacks with a level of granularity that is beyond simple pattern matching.
The ability to understand application protocols (Layer 7 especially) is something that evades Snort and past IPS solutions.
Admittedly, IPS is not perfect, but this is something to think about.
TINAPE (This is not a product endorsement), but I'd recommend http://www.tippingpoint.com/ as a good place to get literature on this!
-
buy a TippingPoint
I start my new job here on Monday. You can help keep me employed by buying one of these:
http://www.tippingpoint.com/
-
No precedence, just a bad misguided justice
I, for one, tweaked my NetPliance (now Tippingpoint) I-Opener.
Took a Damn Small Linux, Qt-Embedded, Wireless USB, Firefox browser and poof. A real looker that I can use in my Kitchen for my browsing needs. This is in clear violation of my Acceptable Usage Policy set forth by now defunct Netpliance.
Is the AUP enforceable? Why is it that we have to wait for the company to belly up before we can raid the hardware?
If we bought it, damn the license. Same goes for my DVD players, WinTV-HDTV, Tivos, Trio cellphones and iPODs. We're consumers who wish to spread around what we call "a GOOD THING".
-
Re:That's frightening
Or, the ISPs can do as the smart ones have done and deploy Tipping Point and begin to mitigate these attacks the moment they are detected on the border routers. It's smart, fast, and really good at shutting down the traffic generated by these botnets by giving the admin the ability to apply vendor-supplied templates, or to create your own. However, you'd need additional deployments inside the network to avoid fratricide, but you can't beat the intelligence behind this approach.
-
Doesn't pass this IPS
Tippingpoint Intrusion Prevention System (IPS) blocks all P2P regardless of port selection.
-
damnations
I thought it was going to be about an Open Source IDS/IDP (think snort or tripwire but more embedded-hardware-based and more adaptive).
That said, I think the real tipping point w/r/t OSS software getting mindshare and being a Big Thing is going to be via either simple devices running linux (mythTV setups sold cheaper than linux, for e.g.,) or when linux/freebsd gets a UI that is more MacOSX-like (by this I mean that you can do everything via GUI; current linux GUIs are getting closer to the simplicity and adaptability of MacOSX, but aren't going to be there for a while yet.)
Consider that most desktop systems are trying very hard to simplify things, and also consider how people raised with MS environments have trouble with a professional environment like MacOSX, just because it's not what they're used to. Not to say that it's impossible, just difficult.
-
Intrusion Prevention System is the key
Seems like most everyone needs to get off the IDS fence and go over and sit on the IPS fence.
For the uninitiated, IPS stands for Intrusion Prevention System. What's the main difference?
#1) IDS doesn't block bad traffic. IPS does. #2) IPS handles anomaly variants, IDS doesn't.
IPS is a new technological way of filtering traffic over the simple brain-dead IDS method.
You need to visit many of Tippingpoint's white papers to get the drift. (registration req. Just fake your email... I know, this is not an official endorsement, but I used to write IPS filters for them and my working real world experience shows that this IPS filter is more effective than any of Snort's filters.)
I would love to write more IPS variant-resistant filters for SNORT but I'm afraid to tread on TPTI's handiwork (much less if I step on the same filter). Nonetheless, the defense industry picked me up. Go figure.
IDS is truly dead. Stop beating a dead horse. Get over it, bud. IPS is your savior.
-
Try these guys
These guys stopped Sobig, they should be able to stop the next one that is based on this vulnerability (since the vulnerability is published, they can put out a signature that covers it in a couple of days).
I've seen this intrusion prevention work, at 2 gbps... with only a couple of millis of latency.
-
TippingPoint
There's a company called Tipping Point that sells a network appliance that does basically what you're looking for. When a new attack is noticed, they provide a "Digital Vaccine", or a ruleset that drops the attack packets. I haven't tried it...But apparently their customers were protected from Slammer a couple hours after it hit the 'Net. (Not that it mattered - upstream was screwed anyway).
-
I see DoS going away VERY SOON!
I ran into this new company: TippingPoint Technologies, Inc.
This company makes wirespeed "bump-in-the-wire" IDS/firewall (and I think virus checking) up to 2.1 Gbps.
No point of attack to aim at.
DoS, something we could all laugh about (soon).