SourceFire

Comments

  • unclerico Member Posts: 237
    We use Palo Alto and with everything turned on it purrs like a kitten. We ripped our Tipping Point out. Having had experience with WatchGuard and the like over the years, if you turn anything on besides the basic firewall/content control you'll bring the box to its knees. I don't know if their architecture has changed and actually started using dedicated hardware to run those other services, but most of the time it's bolt-on crap that is done in software. I am interested in looking at Sourcefire as well and I know they're doing something in Minneapolis here soon so maybe I'll see some of you there...
    Preparing for CCIE Written
  • docrice Member Posts: 1,706
    Could you describe your reasons for moving away from TippingPoint? Was it one of the current generation of models? I'm evaluating a unit right now (I have other vendors coming in soon) and I'd like to know your experience with them. One of their major selling points is their vulnerability research team's proactive nature and many contributions / notifications to software businesses who release security fixes.

    Did you feel confident to put the IPS inline out of the box or did you take a while and keep it in monitoring-only?
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • higherho Member Posts: 882
    @Bl8ckr0uter

    Sorry for the lack of a PM yet. I'm not sure if you saw my post in another thread you were talking in, but the individual I was trying to get in touch with will not be in until this week. Though it looks like someone here in this thread gave you some great detail. If I find anything else out I will send it your way.

    SourceFire is great (the best) but can be expensive depending on your environment.
    SephStorm wrote: »
    I've had a thread on the McAfee forums searching for a review of MHIPS, no action. Apparently no one wants to review it on their forums. Just a bunch of threads about uninstalling HIPS, HIPS not working...

    Anyway, I would like to see one.

    If you set it up to govt security standards / settings it can do a lot of greatness. But most people just turn on the settings and think it's going to work without going through a tuning process. You have to tune your environment before setting up HIPS. I sent you a PM for an example (I've been using it for a little over a year now).
  • unclerico Member Posts: 237
    docrice wrote: »
    Could you describe your reasons for moving away from TippingPoint? Was it one of the current generation of models? I'm evaluating a unit right now (I have other vendors coming in soon) and I'd like to know your experience with them. One of their major selling points is their vulnerability research team's proactive nature and many contributions / notifications to software businesses who release security fixes.

    Did you feel confident to put the IPS inline out of the box or did you take a while and keep it in monitoring-only?

    You know, it wasn't because of its capabilities or that it was giving false positives or anything like that. It was because it was an older 400 series that only provided 400 Mbps of throughput. It was not sized appropriately and proved to be a true bottleneck.
    Preparing for CCIE Written
  • Zartanasaurus Member Posts: 2,008
    Holy crap, Sourcefire is expensive if you want to do 10G.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5 42.8%
  • NightShade03 Member Posts: 1,383
    Holy crap, Sourcefire is expensive if you want to do 10G.

    That's just because 10 GB is "high end" right now. In 2 years when 20GB and 40GB are the common links, a 10GB deployment won't cost anything.
  • docrice Member Posts: 1,706
    Based on opinions from others in the field as well as my own evaluations, the reason why "quadrant leaders" like Sourcefire are expensive is because 1) they can get away with it, which probably means 2) their solutions are effective, or at the very least 3) they convince enough people through slick marketing to lure them into false impressions. And I don't think it's false impressions. Intrusion prevention is still a relatively niche market compared to firewalls.

    Having a dedicated team of vulnerability researchers is expensive, and being able to react to new threats, track them, update existing rules / filters, find undiscovered vulnerabilities, and keep creating new generations of cutting-edge enterprise-class appliances is no walk in the park. On top of that, these appliances (sometimes using specialized ASICs and FPGAs) must meet stringent reliability and performance requirements, block just about all the bad stuff, and leave all of the good stuff alone when in active / inline mode. Very tall order. And it's never perfect.

    I'm in the middle of doing evals for IPS solutions myself (including Sourcefire) and yes, these things have price tags that even a Jedi mind trick won't wave away. On top of that, you have to start thinking about taps (even distributed taps, bypass taps, virtual taps, etc.), switch hardware which provides the necessary SPAN throughput, etc., and you're really starting to play in the big-boy leagues. But to do it right, that's what's required in this day and age when you're talking about high-availability services with no downtime. Also in a distributed environment, you'll need more than one sensor ... many times dozens or more depending on the number of datacenters and remote offices in scope, monitoring and compliance requirements, and the amount of required throughput / latency after all the filtering and packet inspection is factored in. While firewalls have a lot of buttons and knobs to turn, IPS is practically unlimited when discussing inspection variances, reporting, updating, and on and on. Recommended Friday night parties for every geek.

    I attended a Palo Alto Network user group meeting last week, and while I'm excited about eventually looking at these, I don't think they necessarily play enough in the intrusion prevention space yet to consider using them over dedicated IPS solutions. PAN seems more of an application-focused appliance while intrusion prevention has a different set of expectations (although they seem to be in the same ballpark on the surface).

    10G-anything can be pretty expensive. Take a look at 10G-capable distributed taps and you'll start to feel that 1G interfaces on firewalls are "wow! cheap!"
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/