Hi
If your main concern is IPS/IDS, I recommend going with Tipping Point IPS/IDS. The thing with this IDS/IPS is that it doesn't slow
the network down, and it's one of the leading IPS, better than Cisco and Tipping Point.
>>> Hallo Listers,
Hello Mungai,
>>>
>>> *(First of all, apologies for a long email)*
>>> This is mainly meant for the Network or Security Engineers in Telco/ISP
>>> environments out there.
Not in ISP, maybe you should null-dev this response :)
>>>
>>> I work in a Telco (mainly VoIP) and we are looking to buy Big Fat
>>> Firewalls with IDS/IPS features with throughput greater than 40Gbps
>>>
>>> Reason for this high performance requirement is that we want to move VoIP
>>> traffic (SIP/RTP) behind the Firewalls to be able to do IDS/IPS inspection
>>> of this traffic which is very latency sensitive.
>>>
>>> I have done a lot of research around and even contacted the 2 most popular
>>> Firewall vendors Cisco/Juniper but am NOT too impressed so far...
I think it's because you are looking for a single piece of hardware to do both
the network and IDS tasks. In my humble opinion, you may find a better
and cheaper solution by just looking for a firewall that can handle
the above traffic easily and just perform the IDS out of band.
This setup is better for a number of reasons.
- Unlikely to increase latency. I really do not think there is any
network equipment that can do IDS effectively out there unless you
massively oversize it. And IDS on network equipment are never as
complete as dedicated IDS, even from the same vendor, the last time I
looked at it.
- IDS are still really noisy and most of their flags are mainly false
positives. I would easily say over 60% of their alerts are false
alerts, and that could be one of the reasons they are not widely
implemented. To make it practical, you have to learn your traffic and
keep changing its signatures and rules often to keep the false positives
down. This would not be easy if the IDS is also the firewall. An out
of band IDS therefore offers you the flexibility of frequently teaching
your IDS. You also get the ability to use lots of memory and CPU, as
IDS are memory bound.
- Until IDS become reliable, I would never use IPS. That's just
looking for trouble for no good reason. Actually, I am curious if
there is any IDS out there that does a lot of VoIP profiling. There
is no need to implement an IDS against VoIP traffic if 80% of the
time it will be checking for problems that only exist in non-VoIP
traffic.
William
>>>
>>> The highest demands that we have are on the following IDS/IPS
>>> functionalities:
>>>
>>> 1. Block SIP brute force registrations (Easy to Implement)
>>> 2. Ability to detect and block SIP fraud calls (toll fraud) by
>>> performing the following deep packet inspection tasks:
>>> - Setting a threshold of calls per calling number to destination
>>> number and blocking calls that exceed this threshold.
>>> - Alternatively the VoIP IPS should be able to do the above
>>> automatically e.g. learn calling patterns of Numbers automatically and be
>>> able to blacklist offending SRC IP/SIP URI when certain thresholds are
>>> reached (and removing this ban after some time)
>>> 3. Ability to detect and mitigate IP Telephony SPAM (SPIT)
>>>
>>> That said, I have 2 ideas of how to implement the above:
>>>
>>> 1. *Put everything behind the new Firewalls (but then the FW in
>>> question has to have proper IDS/IPS features to automatically detect the
>>> above VoIP attacks and block them)*
>>> 2. *Install normal Enterprise class Firewalls (without IDS/IPS) and
>>> have a 3rd party tool e.g. SNORT doing this in real time and interacting
>>> directly with the FWs to block ongoing attacks on the fly.*
>>>
>>> My question is to anyone out there who might have input on how best to
>>> implement this and which path you would take and why?
>>>
>>> Your input is highly appreciated!
>>>
>>> --
>>> Kind Regards,
>>>
>>> *Moses Mungai*
>>>
>>> Oslo, Norway
>>>
>>>
>>> _______________________________________________
>>> Skunkworks mailing list
>>> Skunkworks@lists.my.co.ke
>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>>> ------------
>>> Skunkworks Rules
>>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>>> ------------
>>> Other services @ http://my.co.ke
>>>
>
>
>
> --
> Kind Regards,
>
> *Moses Mungai*
>
> Oslo, Norway
> Mobile: +47 4626 4320
>
> ------------------------------
>
> Message: 2
> Date: Thu, 21 Jul 2011 23:09:54 +0300
> From: Samuel Wachira <wachirasam@gmail.com>
> To: Skunkworks forum <skunkworks@lists.my.co.ke>
> Subject: [Skunkworks] Safaricom or KIXP down - cannot access local websites
> Message-ID:
> <CAF=hmyjC9qbsuaSHr4Wg1asWv3RnTYm4+=75jqXZQ7Dk+k7p-g@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Skunk/ettes..
> I am using the newer ZTE modems from Safaricom.
> A tracert and ping to any locally hosted content is bouncing seriously.
>
> Interestingly, sites hosted outside Kenya are accessible.
> See attached...
>
> Is it me (my modem on Safcom) or is there a problem with KIXP??
>
> Sam
> ------------------------------
> End of Skunkworks Digest, Vol 17, Issue 307
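The threshold-and-ban behaviour Moses asks for under item 2 (calls per calling number to destination number, blacklisting the offending SRC IP/SIP URI when a threshold is reached, and removing the ban after some time), written as an out-of-band detector of the kind William argues for: it reads a call log rather than sitting inline, and only emits block/unblock decisions that a separate firewall-control step would act on. This is an added example, not code from the thread, from Snort or from any vendor named in it; the one-line INVITE log format, the thresholds, the hold-down time and the addresses are all assumptions made for the demo, and the sample log is constructed, not captured traffic.

```python
"""Out-of-band SIP call-rate detector with automatic ban and ban expiry.

Added example (not from the thread or any product it names). Counts INVITEs per
(calling URI, destination URI) pair and per source IP over a sliding window,
"blacklists" the offending SRC IP / SIP URI when a threshold is exceeded, and
lifts the ban after a hold-down period. Decisions go into an action list that a
separate firewall-control script could consume; nothing here talks to a firewall,
Snort or a SIP stack.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import re

# Assumed log format, one line per INVITE: "<epoch> INVITE <src-ip> <from-uri> <to-uri>"
LINE_RE = re.compile(r"^(?P<ts>\d+) INVITE (?P<src>\S+) (?P<frm>\S+) (?P<to>\S+)$")


@dataclass
class Invite:
    ts: int
    src: str
    frm: str
    to: str


def parse_line(line):
    """Return an Invite for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    return Invite(int(m["ts"]), m["src"], m["frm"], m["to"]) if m else None


@dataclass
class RateDetector:
    window: int = 60          # seconds of history kept per key
    pair_threshold: int = 5   # INVITEs per (from, to) pair allowed inside the window
    src_threshold: int = 10   # INVITEs per source IP allowed inside the window
    ban_seconds: int = 300    # hold-down before an automatic ban is lifted
    bans: dict = field(default_factory=dict)      # key -> expiry timestamp
    actions: list = field(default_factory=list)   # (ts, action, key, reason)
    _hist: dict = field(default_factory=lambda: defaultdict(deque))

    def _expire(self, now):
        for key, until in list(self.bans.items()):
            if now >= until:
                del self.bans[key]
                self.actions.append((now, "UNBAN", key, "expired"))

    def _over_threshold(self, key, now, threshold):
        dq = self._hist[key]
        dq.append(now)
        while dq and dq[0] <= now - self.window:   # forget events older than the window
            dq.popleft()
        return len(dq) > threshold

    def _ban(self, now, key, reason):
        self.bans[key] = now + self.ban_seconds
        self.actions.append((now, "BAN", key, reason))

    def process(self, ev):
        """Return ALLOW, BAN (first INVITE over a threshold) or DROP (already banned)."""
        self._expire(ev.ts)
        banned = ev.src if ev.src in self.bans else ev.frm if ev.frm in self.bans else None
        if banned is not None:
            self.actions.append((ev.ts, "DROP", banned, "banned"))
            return "DROP"
        if self._over_threshold(("src", ev.src), ev.ts, self.src_threshold):
            self._ban(ev.ts, ev.src, "src-rate")        # burst from one source IP
            return "BAN"
        if self._over_threshold(("pair", ev.frm, ev.to), ev.ts, self.pair_threshold):
            self._ban(ev.ts, ev.frm, "pair-rate")       # one caller hammering one destination
            return "BAN"
        return "ALLOW"


def run(lines, detector=None):
    """Parse log lines, feed them in timestamp order; return (verdict counts, action log)."""
    det = detector or RateDetector()
    counts = defaultdict(int)
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            counts["MALFORMED"] += 1
        else:
            events.append(ev)
    for ev in sorted(events, key=lambda e: e.ts):
        counts[det.process(ev)] += 1
    return dict(counts), det.actions


def build_sample_log():
    """Constructed INVITE log for the demo; not captured traffic."""
    t0 = 1311282000   # arbitrary epoch base
    lines = ["this line is not an INVITE record"]   # exercises the malformed-line path
    for i in range(3):    # ordinary user: a few calls, spread out, different destinations
        lines.append(f"{t0 + i*100} INVITE 198.51.100.10 sip:alice@pbx.example sip:+47220000{i:02d}@pbx.example")
    for i in range(7):    # toll-fraud pattern: same caller hammering one premium number
        lines.append(f"{t0 + 5 + i*5} INVITE 203.0.113.7 sip:1001@pbx.example sip:+4790000001@pbx.example")
    for i in range(12):   # scanner: one source IP, many distinct callers and destinations in a burst
        lines.append(f"{t0 + 50 + i*2} INVITE 192.0.2.50 sip:{2000+i}@pbx.example sip:+47230000{i:02d}@pbx.example")
    lines.append(f"{t0 + 400} INVITE 203.0.113.7 sip:1001@pbx.example sip:+4790000001@pbx.example")  # back after hold-down
    return lines


if __name__ == "__main__":
    counts, actions = run(build_sample_log())
    print(counts)
    for ts, action, key, reason in actions:
        print(f"{ts} {action:5} {key} ({reason})")
```

With the default thresholds the fraud caller is banned on its sixth INVITE to the same destination inside a minute and its seventh is dropped, the scanner's source IP is banned on its eleventh INVITE in a minute, and both bans are lifted when the fraud source reappears 400 seconds later, at which point its call is allowed again because the old history has aged out of the window. The pair ban is keyed on the From URI and the source ban on the IP, which is the SRC IP/SIP URI split the original post asks for; the hold-down and thresholds are the knobs you would tune against your own traffic to keep the false-positive rate William warns about under control.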