topic Re: IPS/IDS Effectiveness? in General Topics

IPS/IDS Effectiveness?

networkadmin — Thu, 22 Apr 2010 19:41:41 GMT

I know this is subjective, but does anyone have any knowledge/experience of how effective the Palo Alto IPS/IDS is compared to a more dedicated product?

I'm looking at ways to try and detect/block suspect traffic to our web server and obviously there are lots of IPS/IDS solutions ranging from software to hardware.

Re: IPS/IDS Effectiveness?

nrice — Tue, 27 Apr 2010 22:34:26 GMT

Palo Alto Networks has been very successful replacing standalone IPS/
> IDS systems in some very large organizations for a few key reasons:

> 1) We have very good vulnerability signatures written by a top-
> notch security team. We write all of our own signatures (we don't
> outsource like most IPS companies) and we're part of Microsoft's
> MAPP program (as well as one of the top contributors to Microsoft).
> 2) We not only identify vulnerability exploits, but we can identify
> nearly 1,000 applications. This is critical even in a datacenter
> where we've seen misconfigured applications (HTTP apps running on
> port 443), disallowed applications like RDP running for convenience
> purposes, or SSH relays to tunnel applications in/out of networks
> while bypassing filtering.
> 3) Our systems run at very high speeds - up to 10Gbps FW with 5Gpbs
> threat prevention with very low latency.
> 4) We are unique in the field in that we are able to perform SSL inbound and outbound decryption which can
> which can protect both servers and clients
> 5) The platforms are very well priced in comparison to standalone
> IPS systems.
>
> We have many large enterprise customers who have replaced
> SourceFire, ISS, Juniper, McAfee, TippingPoint and others with us.

Re: IPS/IDS Effectiveness?

Mark-Nakrop — Sat, 02 Oct 2010 01:10:11 GMT

Hi,

Can you share information about latency time and paloalto capable to protect zeroa day attack?

Regards,

nForce

Re: IPS/IDS Effectiveness?

migration — Sat, 02 Oct 2010 08:10:39 GMT

First, I appreciate your asking the question. It'd be normal to expect that standalone products would be better than multi-functional products. In the case of IPS however, reality trumps intuition. NSS, an independent third-party IPS certification organization, did a group test of standalone IPSes last year and the best IPS blocked roughly 89% of the attacks and that too very likely at a lower performance level (versus claimed) refer to http://nsslabs.com/IPS-2009-Q4 The performance graph indicates that IPSes with > 1Gbps threat prevention had their performance reduced by roughly 15-20% while running a tuned configuration (i.e, a configuration with all signatures turned on; typically IPSes quote performance numbers with only certain signatures turned on as the performance usually drops with all signatures turned on). Palo Alto Network's PA-4020 was tested recently by NSS and we blocked 93.4% of attacks at 115% of stated performance while running a tuned configuration.

PA-4020 Best Standalone IPS

i.e., Security Effectiveness 93.4% ~89%

Throughput 115% ~85%

Our high security effectiveness reflects the quality of our IPS signatures and better than stated performance reflects our high-performance architecture.

Let me know if you have any further questions,

Regards,

Sandeep

Re: IPS/IDS Effectiveness?

migration — Sat, 02 Oct 2010 08:11:51 GMT

Yes, we do provide coverage for zero-day attacks (these are the attacks for which vulnerability/exploit is made known to the public without the patch from vendor).

Thanks,
Sandeep

Re: IPS/IDS Effectiveness?

Peter_van_Roode — Fri, 13 Jan 2012 10:22:07 GMT

Question about the Threat Prevention capabilities:

what is the total amount of signature filters at the moment?