Virtual IPS vs. Virtualized IPS

Virtualization is a top priority for most organizations today. Security of these virtualized environments should also be a top priority, and in the intrusion prevention market most vendors are developing or have developed virtual or virtualized solutions.

The terms virtual IPS and virtualized IPS have different meanings and I want to take some time to attempt to differentiate these terms. Most vendors have had virtual IPS for many years. Virtual IPS is the ability to apply different policies to certain types of traffic. This could be done using VLAN tags or physical interfaces. IBM does this using the Protection Domains feature, which allows a different policy to be deployed to different VLANs. McAfee does this by allowing different policies to be assigned to physical interfaces and can also apply policies based on VLAN tags.
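To make the virtual IPS idea concrete, here is an added Python example (not from the original post and not any vendor's code) that reads the 802.1Q tag from a raw Ethernet frame and chooses a policy by VLAN ID, then by ingress interface, then a default. The policy names, the port labels and the VLAN-before-interface precedence are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

# Constructed policy tables; names are hypothetical, not vendor settings.
VLAN_POLICY = {10: "dmz-strict", 20: "user-lan-balanced"}
INTERFACE_POLICY = {"1A": "perimeter-block", "2A": "datacenter-monitor"}
DEFAULT_POLICY = "global-default"


def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID


def select_policy(frame: bytes, interface: str) -> str:
    """Pick a policy: VLAN mapping first (assumed precedence), then interface."""
    vid = vlan_id(frame)
    if vid in VLAN_POLICY:
        return VLAN_POLICY[vid]
    # Untagged traffic, or a VLAN with no mapping, falls back to the port policy.
    return INTERFACE_POLICY.get(interface, DEFAULT_POLICY)


def build_frame(vlan=None, pcp=0) -> bytes:
    """Build a constructed test frame: zeroed MACs, IPv4 EtherType, dummy payload."""
    macs = bytes(12)
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    return macs + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    # Constructed samples: (VLAN tag or None, ingress port label)
    for vlan, port in [(10, "1A"), (20, "2A"), (99, "2A"), (None, "1A"), (None, "3B")]:
        print(vlan, port, "->", select_policy(build_frame(vlan), port))
```

The case worth checking on a real deployment is the fallback: traffic on an unmapped VLAN or an unlisted port should still land on a known policy rather than pass uninspected.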

Virtualized IPS is what most of us think of today when we discuss virtualization. Virtualized IPS is an IPS appliance that runs in a virtual environment such as VMware, Xen or Microsoft’s Hyper-V. The IPS is installed as a virtual server and can be configured so that all server-to-server traffic inside and outside the virtual environment can be monitored by an IPS.

It is important to be clear on these differences in terminology because not all vendors have virtualized IPS, and most salespeople will not know enough to properly answer the question, "Do you support virtualization?" Most will say yes, because they have heard their support teams talk about virtual IPS, not virtualized IPS. Virtualized IPS will continue to grow in importance, and eventually all the major intrusion prevention vendors will have these offerings. Until then, do your homework and hold the vendors accountable.

End of an era.

IBM has announced it is dropping the IBM Internet Security Systems name and all the security divisions will now be under IBM Security Services (I guess they didn’t want to get rid of the ISS acronym). X-Force will apparently be moved under IBM Research and ISS will be moved under the same group as the Tivoli products. This is the official end of an era. ISS was one of the first security companies and developed many innovative products, and X-Force was the top research group in the field.

IBM has continued the majority of the product lines and has maintained X-Force, but it is not what it once was. This is the trend we have seen over the years, with the smaller innovative security companies being acquired by the larger players. We saw this with RSA and EMC, IBM and ISS, 3Com and TippingPoint, now HP. It seems the only ones not acquired were Symantec and McAfee, who have been the acquirers.

For IBM this change makes sense and most knew it would come. All security products and services are now under a single organization. This will likely allow them to reduce cost and better cross-sell their products.

Goodbye, ISS!

Visio Stencils for McAfee and IBM/ISS IPS devices now available for download.

I now have available for download the McAfee and IBM/ISS Visio Stencils. You can find them on my download page. I hope to post more over the next few weeks. If you have some, please send them to me.

McAfee and IBM Comparison

IBM
Device
GX4004
GX5008
GX5108
GX5208 (more…)

Thinking about 10 gig IPS

I have been looking at 10 gig solutions for IPS and I have to say there is a wide difference in the way the different vendors are doing this.

IBM
The Network Security Controller allows two 10 gigabit networks to be connected in an active/passive configuration. You then connect the copper IPS devices to the controller, and the controller spreads the load among the connected IPS devices. This gives the IPS the ability to inspect up to 10 gigabits of traffic, assuming the IPS devices connected to it can inspect up to 10 gig. The GX6116 has an inspected throughput of 6 Gbps. IBM has no native 10 gigabit interfaces on their IPS devices.

McAfee
McAfee offers two devices with 10 gigabit interfaces. The M8000 has twelve 10 gigabit Ethernet ports and a maximum throughput of 10 Gbps; the M6050 has eight 10 gigabit Ethernet ports with a maximum throughput of 5 Gbps.

Sourcefire
Sourcefire has the 3D9800 with four fiber 10 Gbps interfaces and up to 10 Gbps line speed, and the 3D9900 with four 10 Gbps SR interfaces, also with line speed of up to 10 Gbps.

TippingPoint
The TippingPoint Core Controller has six 10 Gbps Ethernet interfaces (3 segments). This is similar in design to the IBM solution. The controller distributes the load across the connected backend IPS devices. The total inspected bandwidth is dependent on the backend IPS devices.