08-10-2006, 03:42 AM | #1 | Senior Member, 228 posts
Load Balancer and IDS recommendations
Probably a long shot, but... I'm looking for any tips anyone may have for a 1U, 2-4 port load balancer.
Also, a low-cost IDS (no Snort). I have been playing with a TippingPoint, but it is just too expensive, evidently. Probably need something between 5 and 10 grand, with 100Mbps per segment, the ability to pull SNMP, and maybe even a nice reporting tool.
I have been looking around the web and have found quite a few things, but any real-world experience would be nice.

08-10-2006, 03:42 AM | #2 | Senior Member, 341 posts
The Cisco CSS 11501 (8-port) is a nice load balancer; it can do VRRP hardware failover and even SSL session failover if you get the SSL version (if you have an online store this is a must-have). 8,000.00 for non-SSL and 14,000.00 with SSL.
What are you looking for in an IDS? Most Cisco firewall devices (the PIX does 52 signatures, for example) have IDS built in; you can enable and disable different signatures and send to syslog. Or you can get fancy and run a Cisco IPS 4200 with RSPAN and sensors in your switches. Also look at Cisco Security Agent for servers and desktops.

08-10-2006, 03:42 AM | #3 | Senior Member, 228 posts
Almost forgot. If you are looking to just load balance web servers (HTTP and HTTPS, or a Citrix NFuse cluster or something), Squid is free and installs on Linux. It can be set up as a "reverse proxy", which is the same thing as a load balancer: it can do host header redirection and balance the load on a per-user basis to backend (NATed) boxes. It is actually becoming very popular with hosting companies.
Novell BorderManager does this also, but costs money.
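The Squid reverse-proxy setup described in the post above, as an added example that is not part of the original thread. It assumes a Squid 2.6 or later squid.conf (the `accel` syntax on `http_port`), a public address 192.0.2.10, two backend web servers 10.0.0.11/10.0.0.12 for www.example.com and one backend 10.0.0.21 for shop.example.com, all hypothetical. Requests are steered by the Host header (`dstdomain`) and spread round-robin across the backends for the same site.

```conf
# squid.conf fragment: Squid as a reverse proxy / load balancer (added example,
# hypothetical addresses and hostnames).

# Listen on the public side as an accelerator. "vhost" makes Squid pick the
# backend from the Host header; "defaultsite" covers HTTP/1.0 clients that
# send no Host header at all.
http_port 192.0.2.10:80 accel vhost defaultsite=www.example.com

# Origin (backend) servers on the private, NATed side. "originserver" tells
# Squid these are web servers, not upstream caches; "no-query" disables ICP.
# Two peers with "round-robin" share the load for the same site.
cache_peer 10.0.0.11 parent 80 0 no-query originserver round-robin name=web1
cache_peer 10.0.0.12 parent 80 0 no-query originserver round-robin name=web2
cache_peer 10.0.0.21 parent 80 0 no-query originserver name=shop1

# Host-header based selection: which requested hostnames go to which peers.
acl site_www  dstdomain www.example.com
acl site_shop dstdomain shop.example.com

cache_peer_access web1  allow site_www
cache_peer_access web1  deny  all
cache_peer_access web2  allow site_www
cache_peer_access web2  deny  all
cache_peer_access shop1 allow site_shop
cache_peer_access shop1 deny  all

# Only serve the sites you actually front. Without the final "deny all" and
# "never_direct" lines an accelerator can be abused as an open proxy to reach
# arbitrary hosts from your address.
http_access allow site_www
http_access allow site_shop
http_access deny  all
never_direct allow all

# Pass the real client address to the backends for their logs.
forwarded_for on
```

After editing, run `squid -k parse` (or `squid -k check`) to catch syntax errors before reloading. Note that `round-robin` is per request, not per user; if the backend application keeps server-side session state you either need shared sessions behind the proxy or a stickier distribution (newer Squid releases offer a `sourcehash` peer option for that, which is an assumption about your version, so check its release notes).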

08-10-2006, 03:43 AM | #4 | Senior Member, 341 posts
Thought I would be nice and look up a full bundle for you; the cost averages 6,500.00 US, so it's in your budget.
The IDS4215-CSA-BUN-K9 Cisco Threat Defense IDS 4215/Cisco Security Agent Bundle includes: one Cisco IDS 4215 appliance sensor, one Cisco Security Agent server, 10 Cisco Security Agent desktop agents, Cisco Threat Response software, and Cisco VMS-Basic.
Just Google the price on IDS4215-CSA-BUN-K9 (it has 5 ports on it and connects to Trend Micro for fast response with the Security Agent server).

08-10-2006, 03:43 AM | #5 | Senior Member, 228 posts
I decided to read your posts since you were the only one who responded, and did so in an open way.
For the IDS/IPS I have looked all around, and for what is needed I am leaning towards Zyxel. The device itself does many things we don't need, and the nice thing is these can all be shut down for a performance boost and added later if needed. The price is drastically below anything I have looked at. This is because of throughput. Using IDS and the firewall we can expect 18Mbps of throughput. Even at peak times the servers are not pushing 10 out, so my initial concern over the throughput turns out to be unfounded. It's an all-in-one device like the more expensive models; it is just meant for small to midsize businesses. Thing is, they are so cheap you could have one device per VLAN.
Look at what is needed for a Cisco implementation for IDS/IPS.... This device (MAY) do everything the others will for a fraction of the price. TippingPoints are 38 grand each. I have to wait for the evaluation machines to arrive and test them. I'm keeping options open. Let's face it, a properly configured firewall stops most of this stuff anyway. IDS/IPS is just another device, but it works on layers 2-7.
Still looking at the load balancers.

08-10-2006, 03:44 AM | #6 | Senior Member, 341 posts
That's cool. I personally wouldn't trust it (this is seriously just my opinion, not a flame). I shy away from manufacturers I have never heard of; I like Cisco and Juniper Networks (M series routers are the shiznitz). I have just been to too many client sites that had appliances with bells and whistles out the wazoo that just crashed constantly and had other issues, and I would replace them with Cisco equipment to stabilize their environment. I like that the 4200 can tie into other Cisco equipment from a full mitigation standpoint: central control and monitoring of switches and routers, and the use of dynamic ACLs and dynamic security like "dynamic port security". The 4200 has 5 ports, so it can do 5 VLANs inline at 80Mbps and can handle internal bursts. Also, the use of RSPAN allows you to SPAN (port monitor) from one switch port multiple switches and trunked VLANs on the RSPAN uplink port (you need Cisco switches for this), so basically one port on one switch can monitor multiple switches and VLANs. Not trying to push it on you, I personally just like these.
The CSS devices are very nice; I have used them at a medium e-commerce site. The 11501 is the small CSS. I recommend going to Cisco's site under content switching; they have a full design where the firewalls are load balanced with the CSSs and an inline IPS system. Very cool how it all works together. I can't say company names, but I can tell you, you would be surprised at who uses BorderManager and Linux-based reverse proxies. (netcraft.com sometimes lists them.)
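The RSPAN arrangement described in the post above (one sensor port watching ports on another switch), as an added example that is not part of the original thread. It assumes two Catalyst switches running IOS, an unused VLAN 900 reserved as the RSPAN VLAN, a trunk between the switches that carries VLAN 900, and the sensor's sniffing interface on GigabitEthernet0/24 of the destination switch; interface numbers and the VLAN id are hypothetical.

```conf
! Added example (hypothetical ports and VLAN id): RSPAN from an access switch
! to an IDS sensor hung off a second switch.

! --- Source switch: the one whose ports you want to watch ---
vlan 900
 name RSPAN-IDS
 remote-span
!
! Mirror both directions of ports 1-8 into the RSPAN VLAN.
monitor session 1 source interface GigabitEthernet0/1 - 8 both
monitor session 1 destination remote vlan 900
!
! The uplink to the other switch must trunk the RSPAN VLAN.
interface GigabitEthernet0/25
 switchport mode trunk
 switchport trunk allowed vlan add 900

! --- Destination switch: where the sensor is plugged in ---
vlan 900
 name RSPAN-IDS
 remote-span
!
interface GigabitEthernet0/25
 switchport mode trunk
 switchport trunk allowed vlan add 900
!
! Pull the RSPAN VLAN back out onto the sensor's sniffing port.
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet0/24

! Verify on each switch:
!   show vlan remote-span
!   show monitor session all
```

Two practical points. The RSPAN VLAN is flooded, so never put a user port in it and never let it leak onto trunks that do not need it (the `allowed vlan add` lines exist for exactly that reason). And RSPAN is passive: the sensor sees a copy of the traffic and can only alarm or ask another device to block; if you want the drop-inline behaviour the post mentions for the 4200, the sensor needs to be cabled in the traffic path on a pair of its own ports rather than fed from a SPAN destination.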

08-10-2006, 03:44 AM | #7 | Senior Member, 228 posts
I don't shy away from new equipment. I have seen lots of devices come out that take what Cisco charged a ton of money for and do more for less while not showing a hiccup. We have a lot of Foundry equipment that does switching and routing in one unit, with multiple redundant PSUs that can pop in and out, as well as being easily scalable to fit growing networks: just pop in a card and configure it.
We have clients that require a device to do intrusion prevention, even though Tiger team testing won't show much because a properly configured ACL stops almost everything. The biggest problem is a new Windows vulnerability that may affect an open port, like 80. If an attack comes along that exploits a flaw and the port is open, then you could have issues if the machines aren't patched. A device that sits behind an ACL and has regularly updated threat engines can keep an eye on normal traffic and look for problems. I was talking to a sales rep about how some places actually drop their FW rules and let the attacking team in to see what is behind the scenes. To me, this is stupid. What does that prove?
If this device can't handle the traffic, it will show in the 3 to 4 week test it will get. Failures are a deal breaker; no room for junk in a production environment. So far I have heard no bad things about them, and they are not a new startup company.
I also think Cisco is in trouble because they charge too much for devices that really are not that complicated any more (although they make their device configuration as obtuse as possible). Ten years ago they could get away with it because they were the only game in town and big corporations would spend the cash. Times have changed, as you can tell by Cisco stock prices. Competition is good for consumers. Someone who can come along and build a better mousetrap will get business in today's environment. Most companies are in a constant upgrade cycle from top to bottom. IT professionals need to keep their eyes open, learn new skills and be open to change, or they will get obsoleted like the IBM and UNIX guys I see coming in to work on enormous tape drive library machines. I saw 8 of them hunkered over a UNIX server trying to figure out how to make it work. One guy typing and 7 others looking over his shoulder. Reminded me of a state road crew on the side of the road: one guy digging a hole and 7 guys pointing and talking. Many companies can't afford that anymore. Maybe we will get back to it in another 5 years or so. But many companies are cutting costs.
Proof is in the pudding though; if the device fails it won't get a second chance. But I am willing to give them a first chance.

08-10-2006, 03:44 AM | #8 | Senior Member, 341 posts
This is done to test the servers' vulnerabilities if the firewall becomes compromised. Basically, when setting up a network you want the protection to be tiered so that one point of failure does not compromise the entire network. Otherwise you have all your eggs sitting in the firewall basket, hehe. Basically, when I'm called out for a security assessment I run against the firewall first (ingress filtering), but then go inside the network (past the firewall) and assess the vulnerabilities internally as well as the ability of internal machines to get out and attack other networks (egress filters). Most attacks in corporate networks (80% I believe) come from internal users. I also get a copy of the router and switch configs to assess them as well, as I don't fully rely on just my tools to tell me how secure a network is. If you look, no one will guarantee 100% secure, since that is impossible.

08-10-2006, 03:45 AM | #9 | Senior Member, 228 posts
Almost forgot: if you have a Cisco head-end router, the 12.3T IOS has these IPS features added..
2.1.7) Intrusion Prevention Systems Signature Enhancements
This release adds the TCP, UDP, and Internet Control Message Protocol (ICMP) signature microengines (SMEs) to the list of supported SMEs. This allows Cisco IOS Software routers to defend networks against common worms and viruses such as the following:
String TCP Worm and Virus Support
Agobot
ANTS
Apache/mod_ssl Worm
Bagle
Blaster
GaoBot
Klez
Minmai
MyDoom
Netsky
Norvag
Phatbot
Sober
Worm Slapper (Buffer Overflow)
ZAFI.D
String UDP Worm and Virus Support
Agobot
Blaster
GaoBot
Phatbot
Slammer
String ICMP Worm and Virus Support
Nachi
Also included in this release is the local shun action. This can be configured on any signature. A shun places an ACL-type block on the interface from which the attacking traffic is entering the router, to more quickly defend the network from attack traffic.
Benefits
• Support for more than 400 more signatures, for a total of more than 1275 from which to choose.
• Increased efficiency for traffic blocking with the shun action.
Hardware
Routers: Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers
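Turning the router-based IPS from the release notes above on, as an added example that is not part of the quoted Cisco text or the post. It assumes a 12.3(8)T or later IOS image with the IPS feature set, a signature definition file already copied to flash as attack-drop.sdf, and an Internet uplink on Serial0/0; the rule name, the interface and the disabled signature id are hypothetical. Per-signature actions such as alarm, drop, reset and the shun mentioned in the notes live in the SDF (or are tuned through SDM), not in the lines below.

```conf
! Added example (hypothetical names and interface): IOS IPS on a head-end router.

! Where alarms go: syslog always, SDEE if you have a collector that pulls it.
ip ips notify log
ip ips notify sdee

! Signature file to load. "fail closed" drops traffic instead of passing it
! uninspected if the SDF cannot be loaded at boot; decide deliberately whether
! you want that on a single-homed site.
ip ips sdf location flash://attack-drop.sdf
ip ips fail closed

! The IPS rule; an optional "list <acl>" would restrict what gets inspected.
ip ips name OUTSIDE-IPS

! Disable a signature you have reviewed and do not want (2004 is ICMP Echo
! Request, which fires on every ping; id chosen for illustration).
ip ips signature 2004 0 disable

! Apply inbound on the Internet-facing interface.
interface Serial0/0
 description Internet uplink
 ip ips OUTSIDE-IPS in

! Check what loaded, where the rule is attached, and the CPU cost:
!   show ip ips configuration
!   show ip ips interfaces
!   show ip ips signatures
!   show processes cpu sorted
```

The last `show processes cpu` line is the answer to the overhead question: IPS on a router is done in software, so watch CPU and free memory under normal load for a day or two before trusting the box with the full signature set, and trim the SDF to the signatures that matter for the ports you actually expose rather than loading everything.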

08-10-2006, 03:45 AM | #10 | Senior Member, 341 posts
Hmm, we use 7200s and Sonic Foundry for fiber and copper. Without looking around, I wonder if the 12.3 IOS has any downside with IPS turned on, for instance overhead on the CPU and memory. Is 12.3 free?
I believe the 800s are sub-par compared to what's out today. They seem to have a shelf life of about 3-4 years. I have seen more of these die than any other small router. For DSL customers we use a little Netopia, and it does yeoman's work with a tiny footprint.
Cisco is the MS of network equipment, with fewer bugs. The 4000lb gorilla. Stock prices under 20 bucks speak volumes, though. A lot of equipment can do the work for less money. I disagree that their equipment was intended for enterprise customers. EVERYONE has/had Cisco switches and routers; companies small or large, they were purchased. I doubt Cisco ever claimed they were aiming for enterprises; they would sell them to everyone.
I don't disagree that they are good at what they do, by any means. I just think they are too expensive, IOS is overly complicated, and features are limited. They are moving into newer markets in an attempt to survive. If they throw out cheaper products with a tiered capability structure that is too restrictive, they will fail. I have only worked in the IT arena full time for a little over a year and a half. In that time, I have gone from thinking Cisco was simply the only business solution for networks to seeing them as simply one of many good solutions for any given problem. Maybe time will prove my original assumption right, but I have seen too many other American companies get beaten down by competition for not being able to change fast enough to new paradigms. IBM, GM and US Steel come to mind.