Arguments for and against putting security devices inline with our campus network connections.

Network device attributes

Router-like aspects.

  • Does it have a serial console port?
  • Does it have a separate management interface?
  • How to configure total bypass?
  • Does it support being used in a failover pair?
  • Does the console support RADIUS authentication?
  • Can config be backed up and restored to a replacement box?
  • Multiple levels of administrative access?
  • How to upgrade or reboot on a live network?
  • What does the system do when overloaded, CPU bound, buffer starved, etc.?
  • SNMP and other issues of integration with current network management.

Filtering

Firewall, anti-virus aspects.

  • Can you configure wide open access based on source/destination address, ports, etc?
  • Is each dynamic filter created logged?
  • What is the process to determine if traffic (specified by source and/or destination address) was blocked at a particular time?

Supporting Tools and Systems

  • What will it take to develop a system where system managers get reports on the status of access to their own systems?
  • Opt-out tool.
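As an added worked example (not part of the original page), the following Python sketch shows what answering two of the questions above looks like in practice: "was traffic between a given source and destination blocked at a particular time?" and "what does a status report for one system manager contain?", plus a check that every dynamic filter seen in a block event was itself logged when it was created. The key=value log format, the field names and the sample lines are assumptions constructed for the example; a real appliance's export would need its own parser.

```python
"""Query a firewall/IPS block log for (1) blocks between a source and destination
around a given time, (2) a per-system report for its manager, and (3) dynamic
filters that were applied but never logged as created.
The log format, field names and sample lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample: syslog-style timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T10:15:02Z action=block src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp rule=dyn-1042
2024-03-04T10:15:09Z action=allow src=198.51.100.3 dst=192.0.2.10 dport=443 proto=tcp rule=static-7
2024-03-04T10:16:30Z action=block src=203.0.113.7 dst=192.0.2.11 dport=22 proto=tcp rule=dyn-1042
2024-03-04T10:20:00Z action=filter_created rule=dyn-1043 src=203.0.113.9 reason=scan
2024-03-04T10:21:15Z action=block src=203.0.113.9 dst=192.0.2.10 dport=80 proto=tcp rule=dyn-1043
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_log(text):
    """Turn each line into a dict of fields with 'ts' as a datetime; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def was_blocked(events, at, window=timedelta(minutes=5), src=None, dst=None):
    """Return block events within +/- window of `at` whose src/dst match.
    src and dst may be a single address or a CIDR network; None matches anything."""
    def matches(field, want):
        if want is None:
            return True
        if field is None:
            return False
        return ipaddress.ip_address(field) in ipaddress.ip_network(want, strict=False)

    return [
        e for e in events
        if e.get("action") == "block"
        and abs(e["ts"] - at) <= window
        and matches(e.get("src"), src)
        and matches(e.get("dst"), dst)
    ]


def report_for_system(events, system_ip):
    """Blocked access attempts to one host, counted by (source, port, rule)."""
    summary = defaultdict(int)
    for e in events:
        if e.get("action") == "block" and e.get("dst") == system_ip:
            summary[(e["src"], e["dport"], e["rule"])] += 1
    return dict(summary)


def dynamic_filters_without_creation_log(events):
    """Dynamic rules that blocked traffic but have no filter_created record in the log."""
    created = {e["rule"] for e in events if e.get("action") == "filter_created"}
    used = {e["rule"] for e in events
            if e.get("action") == "block" and e["rule"].startswith("dyn-")}
    return sorted(used - created)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    t = datetime(2024, 3, 4, 10, 15, 0)
    print(was_blocked(evs, t, src="203.0.113.0/24", dst="192.0.2.10"))
    print(report_for_system(evs, "192.0.2.10"))
    print(dynamic_filters_without_creation_log(evs))
```

The last function is the check behind "is each dynamic filter created logged?": if a rule id shows up only in block events, the appliance is applying filters it never announced, and the audit trail a system manager would want is incomplete.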

New Vulnerabilities/Costs Introduced

  • What are the DoS opportunities? I.e. can some other site spoof traffic from an external site we need to get to and cause it to be blocked?
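The self-inflicted outage above (forged traffic carrying the address of an external site we depend on trips an automatic block of that site) is an availability risk of any auto-blocking mode. As an added example, not code from the original page or from any product it mentions, the Python below shows the usual guard rail: a reputation counter that only ever auto-blocks addresses outside a maintained allowlist of critical external destinations, and raises an alert for a human instead when the counter trips on an allowlisted address. The allowlist contents, threshold and sample events are constructed assumptions.

```python
"""Auto-block guard rail: never auto-block a critical external address on the
strength of source-address evidence alone, because that address can be forged.
Allowlist, threshold and the events fed in are constructed for this example."""
import ipaddress
from collections import Counter

# Constructed: external services the campus must keep reachable (documentation ranges).
CRITICAL_EXTERNAL = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.50/32")]


class AutoBlocker:
    def __init__(self, threshold=50, allowlist=CRITICAL_EXTERNAL):
        self.threshold = threshold      # suspicious events before action is taken
        self.allowlist = allowlist
        self.counts = Counter()
        self.blocked = set()
        self.alerts = []

    def _is_critical(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def observe(self, src_ip, suspicious):
        """Feed one event. Returns 'blocked', 'alert-only' (human review), or None."""
        if not suspicious:
            return None
        self.counts[src_ip] += 1
        if self.counts[src_ip] != self.threshold:
            return None                 # act exactly once, when the threshold is reached
        if self._is_critical(src_ip):
            # A flood of hostile-looking packets "from" a critical site is exactly what
            # a spoofing attacker would send; fail toward availability and alert instead.
            self.alerts.append(src_ip)
            return "alert-only"
        self.blocked.add(src_ip)
        return "blocked"

    def run(self, events):
        """Process (src_ip, suspicious) pairs and return the non-None decisions."""
        return [d for d in (self.observe(s, f) for s, f in events) if d is not None]


if __name__ == "__main__":
    b = AutoBlocker(threshold=3)
    constructed = [("203.0.113.7", True)] * 3 + [("198.51.100.3", True)] * 3
    print(b.run(constructed), b.blocked, b.alerts)
```

Trade-off to note when evaluating a product: an allowlist of this kind shifts the cost of a spoofing flood from an outage to an alert queue, so it needs an owner who will actually look at the alerts, and the list itself has to be maintained as the campus's external dependencies change.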

IPS versus IDS

What can be done in IPS mode that can't be done in IDS mode, or how do the two modes differ?

  • Any threat that can be identified in IPS mode can be identified in IDS mode?
  • Any action that can be taken in IPS mode can be taken in IDS mode?
  • If the above two are true, it is a question of how promptly action can be taken in one mode versus the other and how much more difficult it is to do one way versus the other.
  • We still have the issue of attacks from hosts within the "protected" part of the network.
  • A compromised host on the "protected" network could be used as a platform to launch attacks that appear to come from outside.

Leftovers

  • QoS related issues.
  • Automatic update issues.
  • Modes: Inline protection, inline simulation, passive monitoring
  • Some models support high-availability. The devices are connected in parallel.
  • How much configuration requires Proventia Manager? Does it require IE? It does require Java. Licensing?
  • IPS data can be rolled back. Firmware updates cannot.
  • How are firmware updates installed? FTP? TFTP?
  • What updates require reboot? It appears it automatically updates and reboots if you configure it to do so.
  • What is the frequency of updates? Will we have to schedule maintenance windows often?
  • Updates can be set for download only (not install).
  • Do we have to have internet connectivity to ISS to update the appliance, i.e. can we have a local copy on a tftp server or something?

1 Comment

  1. Randy Marchany

    An IPS unit from ISS was purchased and delivered to the ISB. It's currently sitting in its box in the warehouse.