
Alert Logic IPS reviews?

itdaddy (Member, Posts: 2,089)
Hey guys, any opinions about Alert Logic IPS?
I have only seen IPSs before the firewall. Are they placed after the firewall too?
I have only seen the topology where they sit before the firewall and then the firewall kicks in.

What say you guys? Thanks.

Comments

    docrice (Member, Posts: 1,706)
    I've seen them before and after, and it depends on specific needs of the environment. Traditionally they're placed behind the firewall. Let the front firewall do the basic port filtering and stateful inspection, then let the IPS handle whatever made it through. Otherwise the IPS has a lot of work to do, and when it comes to inline performance and payload / protocol inspection, the main worry becomes latency.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    itdaddy (Member, Posts: 2,089)
    Really? Wow, here HP/Dell recommend before the firewall, and they do have solutions for after the firewall too. Wow, to me before makes sense,
    but I get what you mean, after does too. Thanks man, I appreciate your wisdom. Thank you.
    docrice (Member, Posts: 1,706)
    I could make the argument either way. The nice thing about having the IPS in front of the firewall is that it'll be the first to knock down a lot of junk packets, can provide reputation-based discrimination to further reduce inbound traffic load, look for protocol evasion tactics which might bypass firewalls, and if there are other service networks parallel to the firewall it can also provide umbrella coverage and policy enforcement at a single choke point.

    The downside to this is that in many cases NAT is done at the firewall and the IPS won't see the real / inside source address of a client who is sending out malware or responding to C&C systems. You also have to be very, very careful about what rules / signatures / filters (different vendors term the same idea different ways) are enabled to block packets since an IPS is essentially a layer 7 firewall that nobody fully trusts (I believe most IPS installations don't have the entire set of rules turned on for a reason), and the processing engine has to look at every single incoming packet that isn't filtered at the border router.

    It also depends on the amount of nominal throughput you expect to have in your environment, plus some overhead to account for the occasional peaks and DDoS attacks. If your IPS solution has enough physical interfaces and available processing power, you could have it inline at multiple points including in front of the firewall, between intermediary zones (such as several DMZs), and perhaps at certain critical points in your inside networks. I think most good IPS systems allow you to define different sets of rule policies and map them to different sets of interfaces so you don't have a one-size-fits-all approach for every network that you're inline or passively monitoring.

    The problem with an IPS vs. IDS that I've seen is that most organizations are very risk-averse. The notion of false positives becomes extra scary when suddenly you take IDS technology and put it inline into the traffic stream. Blocking bad traffic is good, but unintentionally blocking good traffic feels like a Career Limiting Move. So in reality, you end up with IPS devices typically running a very conservative rule set and thus having only a limited effect. In my opinion, this is why you need to augment your IPS with a much more heavily-armed (in terms of enabled detection rules) IDS to get visibility on what made it past your IPS and firewalls. IPS vendors love to talk about their low false positive rates, in which case I invite them to turn on every signature if they're so confident. It seems most customers don't opt to do that.

    The way I see it, once it makes it past your first-line defensive systems, then the fun starts with the IDS watching the wire and you as the analyst making the judgement calls whether the traffic is good or evil.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
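The NAT problem in the post above (an IPS in front of the firewall only ever sees the public, post-translation address of the inside host that is beaconing or answering a C&C server) is usually handled after the fact by joining the alert against the firewall's NAT translation log. The script below is an added example for this thread, not Alert Logic or any vendor's code; the translation-log format, the alert records and all addresses (RFC 5737 documentation ranges) are constructed, and the 5-second clock-skew allowance is an assumed value.

```python
"""Correlate an alert from an IPS placed in front of the firewall back to the
inside host, using the firewall's NAT translation log.

Added example for this thread; the log format and all addresses are constructed
(RFC 5737 documentation ranges), not real device output."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatTranslation:
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    start: datetime
    end: Optional[datetime]  # None: translation still active


@dataclass(frozen=True)
class IpsAlert:
    ts: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    signature: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed NAT (PAT) translation log: "<ts> <proto> <inside> -> <outside> start|end".
# 203.0.113.5:40001 is reused by a different inside host after the first translation
# ends, which is why the alert timestamp has to be part of the match.
NAT_LOG = """\
2024-03-01T10:00:00Z tcp 10.1.2.3:51002 -> 203.0.113.5:40001 start
2024-03-01T10:00:01Z tcp 10.1.2.9:51002 -> 203.0.113.5:40002 start
2024-03-01T10:04:30Z tcp 10.1.2.3:51002 -> 203.0.113.5:40001 end
2024-03-01T10:05:00Z tcp 10.1.2.44:60010 -> 203.0.113.5:40001 start
"""

# Constructed IPS alerts as seen on the outside interface (public address only).
ALERTS = [
    IpsAlert(_ts("2024-03-01T10:02:00Z"), "tcp", "203.0.113.5", 40001, "198.51.100.7", 443, "C2 beacon"),
    IpsAlert(_ts("2024-03-01T10:06:00Z"), "tcp", "203.0.113.5", 40001, "198.51.100.7", 443, "C2 beacon"),
    IpsAlert(_ts("2024-03-01T10:03:00Z"), "tcp", "198.51.100.7", 443, "203.0.113.5", 40002, "C2 response"),
    IpsAlert(_ts("2024-03-01T10:02:00Z"), "tcp", "203.0.113.5", 40005, "198.51.100.7", 443, "C2 beacon"),
]


def parse_nat_log(text: str) -> List[NatTranslation]:
    """Pair start/end events into translation records; unmatched starts are still open."""
    open_xlate = {}
    done = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, proto, inside, _arrow, outside, event = line.split()
        in_ip, in_port = inside.rsplit(":", 1)
        out_ip, out_port = outside.rsplit(":", 1)
        key = (proto, in_ip, int(in_port), out_ip, int(out_port))
        if event == "start":
            open_xlate[key] = _ts(ts_s)
        elif event == "end" and key in open_xlate:
            done.append(NatTranslation(*key, open_xlate.pop(key), _ts(ts_s)))
    done.extend(NatTranslation(*k, start, None) for k, start in open_xlate.items())
    return done


XLATES = parse_nat_log(NAT_LOG)


def find_inside_host(alert: IpsAlert, xlates: List[NatTranslation],
                     skew: timedelta = timedelta(seconds=5)) -> List[Tuple[str, int, str]]:
    """Return (inside_ip, inside_port, direction) for every translation that covers the
    alert's public 5-tuple at the alert time. `skew` absorbs clock drift between the IPS
    and the firewall (assumed 5 s); more than one hit means the mapping is ambiguous."""
    hits = []
    for t in xlates:
        if t.proto != alert.proto or alert.ts < t.start - skew:
            continue
        if t.end is not None and alert.ts > t.end + skew:
            continue
        if (alert.src_ip, alert.src_port) == (t.outside_ip, t.outside_port):
            hits.append((t.inside_ip, t.inside_port, "outbound"))  # inside host is the sender
        elif (alert.dst_ip, alert.dst_port) == (t.outside_ip, t.outside_port):
            hits.append((t.inside_ip, t.inside_port, "inbound"))   # inside host is the receiver
    return hits


if __name__ == "__main__":
    for a in ALERTS:
        hits = find_inside_host(a, XLATES)
        print(f"{a.ts:%H:%M:%S} {a.signature:12} {a.src_ip}:{a.src_port} -> "
              f"{a.dst_ip}:{a.dst_port}  inside={hits or 'UNRESOLVED'}")
```

The two "C2 beacon" alerts from the same public port resolve to different inside hosts because the port was reused after the first translation closed, so a join on address and port alone would pin the second beacon on the wrong machine. The correlation only works if the IPS and firewall clocks are synchronised (NTP) and the firewall actually logs translation start and end events; without either, the outside IPS can tell you that something on your network is talking to a C&C server but not which host.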
    Chivalry1 (Member, Posts: 569)
    I can't really speak on Alert Logic IPS. But I have seen many architectural topologies with IPS/IDS appliances. I have seen them before the firewall, on the firewall (UTM), and after the firewall. Each design has pros and cons. In my opinion it boils down to 3 things: the speed of your internet connection, the IDS/IPS vendor, and the company's threat profile.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." - Elbert Hubbard (1856 - 1915)
    apr911 (Member, Posts: 380)
    First you need to decide if you want an IDS or IPS. The IDS is generally quite passive: it hangs off a SPAN port on your switch and receives a copy of every packet on the VLAN assigned to the SPAN session, whereas an IPS takes on a more active role, sitting inline with your network and scanning each packet before passing it on.

    One issue that has already been noted is throughput. This is less of an issue on an IDS device, as it does not directly impact network traffic, but on an IPS, 3 things could happen if the device becomes overwhelmed:

    1. It fails open: it scans as much as it can, but anything it can't handle is allowed through anyway.
    2. It fails safe: it scans as much as it can, but it denies anything it can't handle.
    3. It introduces latency by scanning everything and queueing whatever it can't handle.

    Obviously none of those 3 things are good for a network. The best one is to have it fail open, but then the IPS really isn't doing its job, since it won't generate an alert on anything suspicious that it allowed through because it couldn't handle the traffic.

    Generally speaking, most IPS devices will give you a connection and throughput range in which they are theoretically effective. It's been my experience with almost all of them that the IPS devices start getting spotty at catching bad traffic as utilization approaches 80%. As an IDS device is not inline with the network, it is always going to fail open or queue packets for inspection, but it will not impact your network.

    I work for a hosting company where we use AlertLogic IDS devices exclusively as our IDS offering. They seem to work fairly well, but then, as has already been pointed out, it's all in the tuning. You can turn it way down to the point where it does nothing and is therefore useless, or you could turn it way up to where it will catch a user sneezing on his keyboard (<- dramatization), thus generating so many alerts as to also be useless, because the alerts are ignored.

    Most of the AlertLogic devices I've seen have multiple NICs installed in them, so assuming it can handle the throughput, they can be multi-homed if you have the SPAN sessions available to do so on the switch.

    The AlertLogic customer portal isn't 100% intuitive, but once you learn your way around it it's pretty easy. I've found it to be rather slow, but I suspect that is due to the portal trying to populate data for hundreds of IDS devices, which isn't the case for most users.

    Finally, as for IDS/IPS placement, the way I've seen Cisco describe it in certification material is that you should have an IDS device on every segment of your network, i.e.

    Internet --> OUTSIDE IDS/IPS --> Firewall --> DMZ IDS/IPS --> Firewall --> INSIDE IDS/IPS

    Of course, most companies I've seen don't have multi-tiered firewalls, preferring to hang the DMZ and inside off the same firewall. I also never understood the outside IDS/IPS. As the edge device it's going to see all traffic, and given the typically large amount of illegitimate traffic it will probably generate quite a few alerts, whereas using a firewall as the edge device allows you to eliminate a large amount of that illegitimate traffic first by applying access-lists.
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
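The three overload behaviours listed in the post above are easier to reason about with numbers attached. The model below is an added example for this thread, not code from any IPS product: an inline engine with a fixed inspection budget per tick is fed a constructed traffic profile (a steady 8 packets per tick with a 3-tick burst of 25, every 7th packet marked as something a blocking signature would catch), once under each policy. The budget, the traffic shape and the malicious marking are all assumptions chosen so the results can be checked by hand.

```python
"""Model of an inline IPS whose inspection engine receives more packets per tick than
it can process, under three overload behaviours: fail-open, fail-closed (fail-safe)
and queue-everything.

Added example for this thread, not code from any IPS product. The traffic profile,
the per-tick inspection budget and the "every 7th packet is malicious" marking are
constructed so the numbers are easy to check by hand."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    arrival: int      # tick at which the packet hit the inline interface
    malicious: bool   # would trigger a blocking signature if inspected


@dataclass
class Outcome:
    inspected: int = 0     # packets the engine actually looked at
    blocked: int = 0       # malicious packets that were inspected and therefore blocked
    bypassed: int = 0      # fail-open: forwarded uninspected, no alert ever raised
    missed: int = 0        # malicious packets among the bypassed
    dropped: int = 0       # fail-closed: discarded uninspected
    dropped_good: int = 0  # legitimate packets among the dropped (the outage you get blamed for)
    max_latency: int = 0   # queue mode: longest wait, in ticks, before inspection


# Constructed profile: steady 8 packets/tick with a 3-tick burst of 25 packets/tick,
# against an engine that can inspect CAPACITY packets per tick.
PER_TICK = [8, 8, 25, 25, 25, 8, 8]
CAPACITY = 10


def make_traffic(per_tick: List[int], bad_every: int = 7) -> List[Packet]:
    """Deterministic traffic: every `bad_every`-th packet overall is malicious."""
    packets, n = [], 0
    for tick, count in enumerate(per_tick):
        for _ in range(count):
            n += 1
            packets.append(Packet(tick, n % bad_every == 0))
    return packets


def simulate(packets: List[Packet], capacity: int, mode: str) -> Outcome:
    """Run the traffic through an inline engine with a fixed per-tick budget.

    mode: "fail-open"   - overflow is forwarded without inspection
          "fail-closed" - overflow is dropped without inspection
          "queue"       - overflow waits (unbounded FIFO) until budget is free
    """
    if mode not in ("fail-open", "fail-closed", "queue"):
        raise ValueError(f"unknown mode {mode!r}")
    by_tick: Dict[int, List[Packet]] = {}
    for p in packets:
        by_tick.setdefault(p.arrival, []).append(p)
    last_arrival = max(by_tick) if by_tick else -1

    out, queue, tick = Outcome(), deque(), 0
    while tick <= last_arrival or (mode == "queue" and queue):
        queue.extend(by_tick.get(tick, []))
        budget = capacity
        while queue and budget > 0:          # inspect in arrival order, up to the budget
            p = queue.popleft()
            budget -= 1
            out.inspected += 1
            out.blocked += int(p.malicious)
            out.max_latency = max(out.max_latency, tick - p.arrival)
        if mode != "queue":                  # overflow does not carry over; the policy decides
            while queue:
                p = queue.popleft()
                if mode == "fail-open":
                    out.bypassed += 1
                    out.missed += int(p.malicious)
                else:
                    out.dropped += 1
                    out.dropped_good += int(not p.malicious)
        tick += 1
    return out


if __name__ == "__main__":
    traffic = make_traffic(PER_TICK)
    bad = sum(p.malicious for p in traffic)
    print(f"{len(traffic)} packets, {bad} malicious, budget {CAPACITY}/tick")
    for mode in ("fail-open", "fail-closed", "queue"):
        print(f"{mode:11} {simulate(traffic, CAPACITY, mode)}")
```

With this profile the engine sees 107 packets, 15 of them malicious, and can inspect 62 during the burst. Fail-open forwards 45 packets uninspected and lets 7 of the 15 malicious ones through with no alert, which is the silent-gap problem the post describes. Fail-closed blocks all the malicious traffic it inspects but discards 38 legitimate packets in the process. Queue mode inspects everything and blocks all 15, at the cost of a worst-case wait of 5 ticks and a backlog that takes 5 ticks after the burst to drain. The unbounded queue is optimistic: a real engine has a finite buffer and will tail-drop or fall back to one of the other two policies once it fills, so the queueing behaviour degrades into fail-closed or fail-open under a sustained flood.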
    Chivalry1 (Member, Posts: 569)
    The decision to implement IPS vs. IDS, and/or both, is also an interesting discussion. Even though many vendors claim their products are a "turn key" solution, it is in your best interest not to put these products inline and just turn them on... you will be sorry!! From a performance standpoint, in my opinion Cisco IPS performs the best. However, I have heard great things about Juniper.

    Interested to hear what everyone else is using for their network IDS or IPS...
    "The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." - Elbert Hubbard (1856 - 1915)
    itdaddy (Member, Posts: 2,089)
    Wow, good talk. Thanks guys.
    itdaddy (Member, Posts: 2,089)
    Finally, as for IDS/IPS placement, the way I've seen Cisco describe it in certification material is that you should have an IDS device on every segment of your network, i.e.

    Internet --> OUTSIDE IDS/IPS --> Firewall --> DMZ IDS/IPS --> Firewall --> INSIDE IDS/IPS

    We have it just like this. The AlertLogic does this, but out of the can you do not have IPS working; you have to configure it after it is launched on SPAN ports / VLAN mirroring. But the reporting and portal are very nice to work with. It seems promising, but I have had some issues with training and SOC reporting issues; but if I yell a lot they seem to listen, hahaha lol. But yeah, it has been very educational, and I think you are right: our IPS had very generic policy templates, and they did brag about no false positives, but yeah, if you turn more on, then brag. Yep, I agree with you.