[c-nsp] what type of firewall/ids

Mike Butash der.mikus at gmail.com
Tue Jul 11 05:47:26 EDT 2006


Depends what kind of capacity, connections, and throughput you need 
really.  I've found the Cisco FWSMs are about the highest capacity 
firewall out there in terms of sheer connections, new connection 
setup/teardown, and overall throughput capability.  Nothing else on the 
market touches their capacity that we found, and they offer some 
built-in management through object-group use if you get creative. 
Pix/FWSM gui via pdm/asdm is limited (read worthless) for advanced users, 
but I'm not a gui person so take it for what you will.  The FWSMs are a 
preference when nothing less than several gigs are required, and when 
paired to the cat6500's are capable of some very cool things.  I've run 
them with 50k+ ACEs (compiled) under significant DDoSes and not seen 
them blink.  Of course, this is somewhat variable on pps, new connection 
setups, etc, so caveat emptor.  ;)

I've used netscreens in the past and found their cli configuration 
somewhat hokey with use compared to pix/fwsm equivalents, though I hear 
since the juniper acquisition they've gotten better.  I could only stand 
using them via their gui at the time, which was about 4 years ago.  Of 
course, take this with a grain of salt from an old cisco guy...  Can't 
much attest to much else with the NS's short of their own reps telling 
us they couldn't touch a FWSM in terms of capacity and connections.

Riverhead/Cisco Anomaly Guards were a godsend as far as ddos protection 
if you see a lot of it, though they are quirky and require some constant 
babysitting.  Overall the appliances will take a full gig apiece 
without issue, their only limitation is protecting a large footprint of 
disparate hosts/IPs.  As with anything, they have quirks, bugs, things 
they do better than others, etc, but overall they are an excellent 
product if you are prone to random internet drive-by rapings in the form 
of DDoSes.  They do not handle layer 5 and higher exploits, don't expect 
them to...

As far as IDS, can't really go wrong with snort/sourcefire with 
commodity server hardware and good nics.  Snortcenter makes a pretty 
good aggregator of multiple sensor hosts as well.  I'd recommend using 
passive/regeneration optical taps over span sessions (netoptics brands 
work well through experience).  Monitor/span sessions come with a lot of 
caveats you'll want to avoid, although your physical fiber plant will 
get somewhat complex with taps in place - document the runs and test 
failover situations twice.  You'll save yourself something like 
overrunning the cat6500 buffers if you ever push more traffic through 
the src port than the dst ports allocated to the monitor sessions and 
crashing the box.

As far as IPS, we've used tipping points, but really have to question 
overall what an IPS offered other than pretty reports to managers of 5yr 
old exploits noted and *defended against* en masse.  I think there was 
only one situation they ever presented actual usefulness under a ddos 
situation, and it was very niche.  They added a LOT of complexity and 
overall limitations to our network infrastructure that put serious 
question to their overall usefulness and purposefulness.  For instance, 
in normally fully meshed routed environments, their stateful nature 
requires them to see full two-way conversations, which limits your 
network to active/passive paths maintained through IGP costs or some 
such.  If you are running less than a gig of throughput in a simple 
routed environment, you're probably fine to use them to your 
satisfaction, but anything that requires multiple port-channeled 
GigEs/10G (don't think TP's can do 10G yet) and multipath full-mesh 
routing is impossible with these beasts in-line.

IMHO, you're better off maintaining a good security posture and patch 
regimen with your hosts that are internet facing and keeping your 
firewalls locked down tightly.  If zero-day windoze attacks hit, you're 
likely to still be screwed before someone updates the IPS, but they 
might save you grief if M$ decides to wait a month to release patches as 
they've been known to do.  More possible protection generally means 
better, but with their network integration complexity and overall 
limiting of network capacity for the IPS throughput, I think the only 
reason they are still in use is the CISO didn't want to admit he wasted 
capex on them...  ;)

-mb


Shaun wrote:
> What brand/model firewall/ids hardware are you guys out there using to block 
> incoming/outgoing attacks, port scans, brute force attempts, etc.
> 
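The asymmetric-routing limitation described above for in-line stateful IPS boxes, as an added toy model (not code from the post or from any vendor's product): two stateful inspectors, one on each routed path, only pass packets whose session they saw open. Addresses and the packet shape are constructed for the example.

```python
# Added example: why an in-line stateful device needs to see both directions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "S" = SYN (opens a session), "SA" = SYN/ACK, "A" = data/ACK


@dataclass
class StatefulInspector:
    """Toy stateful inspector: a session exists only if this box saw its SYN."""
    sessions: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> bool:
        key = frozenset((pkt.src, pkt.dst))  # same key for both directions
        if pkt.flags == "S":
            self.sessions.add(key)           # client opened a session here
            return True
        if key in self.sessions:
            return True                      # reply/data for a known session
        self.dropped.append(pkt)             # handshake was never seen on this path
        return False


def run_conversation(symmetric: bool) -> dict:
    """Client->server always takes path A.  With symmetric routing the reply
    returns through path A; with full-mesh multipath routing it may take
    path B, whose inspector never saw the SYN and so drops the reply."""
    path_a, path_b = StatefulInspector(), StatefulInspector()
    client, server = "10.0.0.5", "192.0.2.10"  # constructed sample addresses
    forward = [Packet(client, server, "S"), Packet(client, server, "A")]
    reverse = [Packet(server, client, "SA"), Packet(server, client, "A")]
    reverse_path = path_a if symmetric else path_b
    allowed = sum(path_a.inspect(p) for p in forward)
    allowed += sum(reverse_path.inspect(p) for p in reverse)
    return {
        "allowed": allowed,
        "dropped": len(path_a.dropped) + len(path_b.dropped),
    }


if __name__ == "__main__":
    print("symmetric :", run_conversation(symmetric=True))
    print("asymmetric:", run_conversation(symmetric=False))
```

The same effect is why the post says such boxes force you onto active/passive paths: a real device cannot validate a reply whose handshake went around it.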
