
Hi,

If your main concern is IPS/IDS, I recommend going with Tipping Point IPS/IDS. The thing with this IDS/IPS is that it doesn't slow the network down, and it's one of the leading IPS, better than Cisco and Tipping Point.

On 22 July 2011 06:55, William Muriithi <william.muriithi@gmail.com> wrote:

Hallo Listers,

Hello Mungai,
*(First of all, apologies for a long email)*
This is mainly meant for the Network or Security Engineers in Telco/ISP environments out there.
Not in an ISP? Maybe you should null-dev this response :)
I work in a Telco (mainly VoIP) and we are looking to buy Big Fat Firewalls with IDS/IPS features with throughput greater than 40 Gbps.
The reason for this high performance requirement is that we want to move VoIP traffic (SIP/RTP) behind the Firewalls to be able to do IDS/IPS inspection of this traffic, which is very latency sensitive.
I have done a lot of research around and even contacted the 2 most popular Firewall vendors Cisco/Juniper but am NOT too impressed so far...
I think it's because you are looking for a single piece of hardware to do both the network and IDS tasks. In my humble opinion, you may find a better and cheaper solution by just looking for a firewall that can handle the above traffic easily and performing the IDS out of band.
This setup is better for a number of reasons.
- Unlikely to increase latency. I really do not think there is any network equipment that can do IDS effectively out there unless you massively oversize it. And IDS on network equipment are never as complete as dedicated IDS, even from the same vendor, the last time I looked at it.
- IDS are still really noisy and most of their flags are mainly false positives. I would easily say over 60% of their alerts are false alerts, and that could be one of the reasons they are not widely implemented. To make it practical, you have to learn your traffic and keep changing its signatures and rules often to keep the false positives down. This would not be easy if the IDS is also the firewall. An out-of-band IDS therefore offers you the flexibility of frequently teaching your IDS. You also get the ability to use lots of memory and CPU, as IDS are memory bound.
- Until IDS become reliable, I would never use IPS. That's just looking for trouble for no good reason. Actually, I am curious if there is any IDS out there that does a lot of VoIP profiling. There is no need to implement an IDS against VoIP traffic if 80% of the time it will be checking for problems that only exist in non-VoIP traffic.
William
The highest demands that we have are on the following IDS/IPS functionalities:
1. Block SIP brute force registrations (Easy to Implement)
2. Ability to detect and block SIP fraud calls (toll fraud) by performing the following deep packet inspection tasks:
   - Setting a threshold of calls per calling number to destination number and blocking calls that exceed this threshold.
   - Alternatively the VoIP IPS should be able to do the above automatically, e.g. learn calling patterns of numbers automatically and be able to blacklist offending SRC IP/SIP URI when certain thresholds are reached (and remove this ban after some time)
3. Ability to detect and mitigate IP Telephony SPAM (SPIT)
That said, I have 2 ideas of how to implement the above:
1. *Put everything behind the new Firewalls (but then the FW in question has to have proper IDS/IPS features to automatically detect the above VoIP attacks and block them)*
2. *Install normal Enterprise class Firewalls (without IDS/IPS) and have a 3rd party tool e.g. SNORT doing this in real time and interacting directly with the FWs to block ongoing attacks on the fly.*
My question is to anyone out there who might have input on how best to implement this: which path would you take, and why?
Your input is highly appreciated!
-- Kind Regards,
*Moses Mungai*
Oslo, Norway
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Kind Regards,
*Moses Mungai*
Oslo, Norway Mobile: +47 4626 4320
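The threshold logic Moses lists (blocking SIP brute-force registrations, a calls-per-number threshold, and a temporary blacklist that is lifted after some time) and the out-of-band loop from his second option (a detector that tells the firewall what to block) can be sketched as one small sensor. The code below is an added example for this thread, not code from any participant or from Snort; the log format, the TEST-NET addresses, the SIP URIs and the thresholds are all constructed for the demonstration, and the "firewall" is just the list of block/unblock actions the detector emits.

```python
# Added example, not from the thread: threshold-based SIP abuse detection with a
# time-limited blacklist, written as an out-of-band sensor that hands block and
# unblock decisions to a firewall. Log format, addresses and thresholds are made up.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SipEvent:
    ts: float        # epoch seconds of the transaction
    src_ip: str      # source address of the SIP request
    method: str      # "REGISTER" or "INVITE"
    status: int      # final SIP response code for the transaction
    from_uri: str    # calling party
    to_uri: str      # called party


def parse_line(line: str) -> SipEvent:
    """Parse one whitespace-separated record of the constructed log format."""
    ts, src_ip, method, status, from_uri, to_uri = line.split()
    return SipEvent(float(ts), src_ip, method, int(status), from_uri, to_uri)


class SipAbuseDetector:
    """Sliding-window counters per source (auth failures) and per (from, to) pair
    (INVITEs); a source crossing a threshold is banned until expiry, and each
    block/unblock decision is appended to .actions for the firewall to apply."""

    AUTH_FAILURES = {401, 403, 407}  # responses meaning credentials were rejected

    def __init__(self, register_fail_limit=5, call_limit=3, window=60.0, ban_seconds=600.0):
        self.register_fail_limit = register_fail_limit
        self.call_limit = call_limit
        self.window = window
        self.ban_seconds = ban_seconds
        self._reg_failures = defaultdict(deque)  # src_ip -> failure timestamps
        self._calls = defaultdict(deque)         # (from, to) -> INVITE timestamps
        self._banned = {}                        # src_ip -> ban expiry timestamp
        self.actions = []                        # ("block", ip, reason) / ("unblock", ip)

    def _prune(self, dq, now):
        # Drop timestamps that fell out of the sliding window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def _expire_bans(self, now):
        # Lift bans whose time is up and tell the firewall to remove the rule.
        for ip, until in list(self._banned.items()):
            if now >= until:
                del self._banned[ip]
                self.actions.append(("unblock", ip))

    def _ban(self, ip, now, reason):
        self._banned[ip] = now + self.ban_seconds
        self.actions.append(("block", ip, reason))

    def observe(self, ev: SipEvent) -> str:
        """Return 'allow', 'drop' (source already banned) or 'ban' (new ban)."""
        self._expire_bans(ev.ts)
        if ev.src_ip in self._banned:
            return "drop"
        if ev.method == "REGISTER" and ev.status in self.AUTH_FAILURES:
            dq = self._reg_failures[ev.src_ip]
            dq.append(ev.ts)
            self._prune(dq, ev.ts)
            if len(dq) >= self.register_fail_limit:
                dq.clear()
                self._ban(ev.src_ip, ev.ts, "register-bruteforce")
                return "ban"
        elif ev.method == "INVITE":
            dq = self._calls[(ev.from_uri, ev.to_uri)]
            dq.append(ev.ts)
            self._prune(dq, ev.ts)
            if len(dq) > self.call_limit:
                dq.clear()
                self._ban(ev.src_ip, ev.ts, "call-threshold")
                return "ban"
        return "allow"


# Constructed sample (TEST-NET addresses): three failed REGISTERs from one host then a
# fourth while banned; three INVITEs to one number from another host; a clean REGISTER later.
SAMPLE_LOG = """\
1000 203.0.113.7 REGISTER 401 sip:1001@pbx.example sip:1001@pbx.example
1001 203.0.113.7 REGISTER 401 sip:1002@pbx.example sip:1002@pbx.example
1002 203.0.113.7 REGISTER 403 sip:1003@pbx.example sip:1003@pbx.example
1003 203.0.113.7 REGISTER 401 sip:1004@pbx.example sip:1004@pbx.example
1010 198.51.100.4 INVITE 200 sip:2001@pbx.example sip:+15550100@pstn.example
1011 198.51.100.4 INVITE 200 sip:2001@pbx.example sip:+15550100@pstn.example
1012 198.51.100.4 INVITE 200 sip:2001@pbx.example sip:+15550100@pstn.example
1400 203.0.113.7 REGISTER 200 sip:1001@pbx.example sip:1001@pbx.example
"""


def demo():
    """Run the sample with small thresholds; return (verdicts, firewall actions)."""
    det = SipAbuseDetector(register_fail_limit=3, call_limit=2, window=60.0, ban_seconds=300.0)
    verdicts = [det.observe(parse_line(l)) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return verdicts, det.actions


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives the per-event verdicts `allow, allow, ban, drop, allow, allow, ban, allow` and four firewall actions: a block for each offending host, then an unblock for each once the 300-second ban has lapsed by the final event. Keeping the counters and the ban list in this separate process is what makes William's point workable: the thresholds and window can be retuned as often as needed without touching the firewall that carries the RTP, and the firewall only ever sees a short list of addresses to drop.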