Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

IPS/IDS Effectiveness?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IPS/IDS Effectiveness?

L4 Transporter

I know this is subjective, but does anyone have any knowledge/experience of how effective the Palo Alto IPS/IDS is compared to a more dedicated product?

I'm looking at ways to try and detect/block suspect traffic to our web server and obviously there are lots of IPS/IDS solutions ranging from software to hardware.

5 REPLIES 5

L5 Sessionator

Palo Alto Networks has been very successful replacing standalone IPS/
> IDS systems in some very large organizations for a few key reasons:

> 1)  We have very good vulnerability signatures written by a top-
> notch security team.  We write all of our own signatures (we don't 
> outsource like most IPS companies) and we're part of Microsoft's 
> MAPP program (as well as one of the top contributors to Microsoft).
> 2)  We not only identify vulnerability exploits, but we can identify 
> nearly 1,000 applications.  This is critical even in a datacenter 
> where we've seen misconfigured applications (HTTP apps running on 
> port 443), disallowed applications like RDP running for convenience 
> purposes, or SSH relays to tunnel applications in/out of networks 
> while bypassing filtering.
> 3)  Our systems run at very high speeds - up to 10Gbps FW with 5Gpbs 
> threat prevention with very low latency.
> 4)  We are unique in the field in that we are able to perform SSL inbound and outbound decryption which can
> which can protect both servers and clients
> 5)  The platforms are very well priced in comparison to standalone 
> IPS systems.
>
> We have many large enterprise customers who have replaced 
> SourceFire, ISS, Juniper, McAfee, TippingPoint and others with us.

Hi,

Can you share information about latency time and paloalto capable to protect zeroa day attack?

Regards,

nForce

L0 Member

First, I appreciate your asking the question. It'd be normal to expect that standalone products would be better than multi-functional products. In the case of IPS however, reality trumps intuition. NSS, an independent third-party IPS certification organization, did a group test of standalone IPSes last year and the best IPS blocked roughly 89% of the attacks and that too very likely at a lower performance level (versus claimed) refer to http://nsslabs.com/IPS-2009-Q4  The performance graph indicates that IPSes with > 1Gbps threat prevention had their performance reduced by roughly 15-20% while running a tuned configuration (i.e, a configuration with all signatures turned on; typically IPSes quote performance numbers with only certain signatures turned on as the performance usually drops with all signatures turned on). Palo Alto Network's PA-4020 was tested recently by NSS and we blocked 93.4% of attacks at 115% of stated performance while running a tuned configuration.

                                                              PA-4020                 Best Standalone IPS

i.e.,      Security Effectiveness               93.4%                             ~89%             

            Throughput                                  115%                              ~85%         

Our high security effectiveness reflects the quality of our IPS signatures and better than stated performance reflects our high-performance architecture.

Let me know if you have any further questions,

Regards,

Sandeep

Yes, we do provide coverage for zero-day attacks (these are the attacks for which vulnerability/exploit is made known to the public without the patch from vendor).

Thanks,
Sandeep

Not applicable

Question about the Threat Prevention capabilities:

what is the total amount of signature filters at the moment?

  • 3405 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!