Anyone running ISS on a Nokia IP330
#1
Scooby Regular
Thread Starter
Join Date: May 2001
Location: Scotland
Posts: 4,580
What throughput can they handle without creaking at the seams or dropping packets?
Interested to hear from anyone that's running these on a 100Mbps LAN
Cheers!
#6
Scooby Regular
I've already replied to John via E-Mail as I was out of the office today....
The Nokia solution is expensive (IP330 5K, IP530 13K gulp) and while I recommend and sell Nokia for Checkpoint I'm not convinced it's necessary for Realsecure except where remote management is an issue (co-locate or remote site).
Because of the way Realsecure works (untrusted interface is in promiscuous mode with no IP Stack loaded) there is no real security advantage to be gained by using a pre-hardened device like a Nokia. The product works equally well on Sun or (whisper) NT/2000 and the hardware is significantly cheaper. If you're looking to monitor a 100Mb link (or higher) you are into TopCall switches and gigabit taps with clustered Network Sensors...at which point you can kiss your budget goodbye. Also if you have a Network Sensor outside your Firewall you really need a Network Sensor inside as well to ensure that nothing has actually got in and you will need System Sensors/OS Sensors on all of your public servers to ensure that they are secure as well.
Of course all of this is pointless unless you have a structure and staff within your organisation which monitors the IDS (and Firewall logs) and has policies and procedures that allow them to react to an intrusion attempt.
There are some new products coming on to the market now which have been called 'Distributed Firewalls' for want of a better term and this allows you to enforce a policy on all your hosts as well as monitor, audit, network management & IDS regardless of whether the device is a Remote Laptop, Server, Wireless device. The best one so far is Active Net Steward by Security Designers and I believe that products of this type are the way forward.
God, don't I go on.....
Jeff
#8
Scooby Regular
John
If you want to e-mail me some more details we'll continue the conversation off-line... Don't want to tell the world how your IDS might be set up, do we?
I'm not sure I answered your question with the reply above... too many late nights fixing badly configured Nokia boxes!
Jeff
#15
Scooby Regular
These are the types of things that Active Net Steward has picked up when installed....
Software Applications Over Delivering
A bug found in a version of the popular Norton Ghost application used by many IT support and development houses was found to be making an outbound connection to a specific IP address once every minute. The organisation concerned used over 30 of these systems resulting in large volumes of unnecessary traffic and bandwidth consumption.
A very popular internet download acceleration package, once downloaded and installed, makes its own outbound connection back to the manufacturer and can identify who you are, where you’ve been on the net, and what files you’ve downloaded in the last week.
Hopefully the John Ainsley bill going through the US senate should stop this.
Network Health
ANS detects network health and so will show up network errors. Examples found include packet retransmit and DNS errors.
We commonly see network problems that directly impair the performance of systems. These can range from the physical such as packet-transmits from poor infrastructure such as cabling, NIC adapters etc through to items such as poor DNS performance. In one instance we recorded some 8000 DNS failures over a period of weeks, emanating from one machine. The problem was a simple mis-configuration of the communications bindings, but the user had been complaining about poor performance for some time. Until the evidence was available, there was nothing to indicate where the problem lay.
Out of bounds
Someone using a personal POP3 email account in addition to their corporate email server and importing a virus into the organisation. It was Sircam. The firewall had only been configured to police inbound traffic on the basis of ‘we trust our own employees’ and don’t worry about outbound connections – a very common mis-configuration of perimeter firewall systems.
We have in the past identified the presence of someone who had left an Ethernet analyser on the network. This was letting whoever ‘owned the device’ see all the traffic on the LAN, devices, packets, passwords and all. The IT team were unaware of its existence.
Port scanners seem to be all the rage these days. We have identified these being run in numerous organisations and usually by casual users. These tools are commonly available over the net and are usually used as a prelude to a hack attempt. (Apart that is, from their use as a valid diagnostic and testing tool by the IT department).
Trojans.
We commonly find trojans, Beijing seems to be popular, but when you find BackOrifice installed on all the NT servers in an organisation left by a previous employee you begin to really appreciate being able to see what is going on.
Human Resources
Contractors claiming they had worked overtime at the weekend when in fact, they had arrived late, watched the football and left early. – Knowing when systems are being used by whom can seriously reduce your bills!
Sick web surfing – hey I’m broad minded but there are limits. At least we know who was doing it on which machine at what address and when. The employer had the documentary evidence and we’d best draw a tasteful veil over things from there on in.
Worms
We were able to identify and track the network behaviour of worms such as Nimda, Code Red and Sircam and set up the necessary blocks to prevent network-based transmission and mitigate the effects of their payloads.
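Added example, not part of the original post and not how Active Net Steward works: one way to surface the kind of once-a-minute outbound connection described above from connection logs is to look for near-constant gaps between connections from one host to one destination, then count how many hosts share that destination. The record layout, addresses, port and thresholds are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

def find_beacons(flows, min_events=5, max_jitter=2.0):
    """Return {(src, dst, dport): mean_gap_seconds} for connection series
    whose inter-arrival gaps are near-constant (fixed-timer behaviour)."""
    times = defaultdict(list)
    for ts, src, dst, dport in flows:
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:      # too few events to judge regularity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:    # low spread means a timer, not a person
            beacons[key] = mean(gaps)
    return beacons

def hosts_per_destination(beacons):
    """Group beaconing hosts by destination to show how widespread it is."""
    fanin = defaultdict(set)
    for src, dst, dport in beacons:
        fanin[(dst, dport)].add(src)
    return {dest: sorted(srcs) for dest, srcs in fanin.items()}

def sample_flows():
    """Constructed records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # Three workstations connecting out roughly every 60 s (1 s of jitter).
    for i, host in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        for n in range(10):
            flows.append((i * 7 + 60 * n + (n % 2), host, "192.0.2.10", 9999))
    # Ordinary browsing: same destination repeatedly, but irregular timing.
    for ts in [5, 9, 140, 141, 600, 1900]:
        flows.append((ts, "10.0.0.21", "198.51.100.7", 80))
    # Only two connections: not enough evidence either way.
    flows += [(30, "10.0.0.22", "192.0.2.10", 9999),
              (90, "10.0.0.22", "192.0.2.10", 9999)]
    return flows

if __name__ == "__main__":
    found = find_beacons(sample_flows())
    for (src, dst, dport), gap in sorted(found.items()):
        print(f"{src} -> {dst}:{dport} about every {gap:.0f}s")
    print(hosts_per_destination(found))
```

The same grouping works on outbound firewall logs, provided the firewall records outbound connections at all, which is the gap the post points out.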