SANS ISC: Network Security Perimeter: How to choose the correct firewall and IPS for your environment? SANS ISC InfoSec Forums

Network Security Perimeter: How to choose the correct firewall and IPS for your environment?

Last week my company decided to upgrade our data network bandwidth from 1 GB to 10 GB. The last time we updated the design, we measured the bandwidth of the 45 VLANs that hold our more sensitive servers and, taking into account that each uplink has the 1 GB limit, arrived at a total consumption of 2.8 Gbps, so we chose an FWSM blade inside a Catalyst 6513. Please look at the following diagram:

Diagram: Core collapsed network security perimeter design

Now that our network bandwidth has been expanded to 10 GB, we are forced to change the design and implement the security features through a service switch that is connected to both the users and the server farm. Please look at the following diagram:

Diagram: Distributed network security perimeter design

My big problem is that I cannot find a single Cisco device (firewall and IPS) capable of handling a traffic level that large. If I chose Cisco, I would need to deploy multiple firewalls and IPS units, which is not acceptable to me because of the administration overhead. This led me to think again about the factors that perimeter security devices must fulfill to protect my company's information assets. The factors are:

  • Sufficient traffic throughput: If the bandwidth supported by the firewalls and IPS is exceeded, they become the bottleneck of the network, hurting its services and availability. Remember that one of the key criteria for network design is scalability, and any security service put in place needs to preserve it.
  • Supported protocols: TCP and UDP are not the only protocols carried over IP [1]. The firewall and IPS you choose must support the protocols that travel over your network and be able to make decisions about them, not merely forward the packets. What would happen if you needed a specific type of multicast for your brand new conference system that your firewall and IPS do not support?
  • IDS/IPS evasion: Is the IPS you are looking at capable of handling the most common IPS/IDS evasion techniques? A simple Google search will give you a decent list to work with.
  • Management platform: If you have a perimeter security plan for a large company, you need a management solution that provides the following features: security event management, dynamic network protection, and real-time visualization of attack attempts and successful attacks. This requires an event correlation system that interacts with the devices of the network security perimeter, consolidates their information and produces reports that reveal trends. These trends will allow you to implement controls effectively to reduce the identified risks.
  • ARP attacks: Is your firewall/IPS able to notice and block the rapid ARP changes commonly used for man-in-the-middle attacks?

Do you have any other criteria you want to share with us? Use the comment page or our contact form.

[1] See

-- Manuel Humberto Santander Peláez | msantand at isc dot sans dot org

Manuel Humberto Santander Peláez, ISC Handler, Nov 9th 2010
Hello, (and sorry for the long comments)

I'm a bit disappointed by the global, rather open, remarks in this contribution. E.g.:
- and where can users/decision makers find (realistic) info about performance?
- with the vendor himself?
- from the integrator?
(sometimes: I used to work for an integrator, and tried to advise my customers to the best of my experience, however ...
1) some, not too technical, prospects still saw my explanation as a trick to sell bigger models
2) if competition claims a smaller model is enough, based on their "experience", the more expensive offering (with the correct model) loses
3) if vendors make (too optimistic) performance numbers publicly available, one has little to contribute, as integrator. You cannot attack the vendor you are proposing, can you?

- and how do you define "event correlation", to give another vague statement? Is it:
1) the capability of assembling data from several sources and simply "presenting" it in one screen? (at least one vendor gave me this clarification for "correlation")
2) establishing a list of assets (hardware/software versions - know about their vulnerabilities), detecting attacks and matching them to the known vulnerabilities of the assets?
(like a *X attack against a MS device ...)
3) combining a "scan" for a certain service, detected/reported by the firewall, with the logs of that service.
Because it might be interesting to know what a proven scanner actually tried to do against the service.

Furthermore, I don't see in the listed factors the contribution that switches can make, to the security (DHCP snooping in user environments, limit mac-addresses in server environments).

And finally, how are you preventing information leakage via DNS ?
"nslookup your.secret.competitor.tld."
--> "security by design" would be the answer.

Kind regards,

There are more vendors than Cisco out there. Have a look at Juniper and Palo Alto Networks. Juniper's SRX devices offer huge performance at a low price, while Palo Alto offers a big feature list at a higher price.
That is precisely what I mean:
where do you get the performance/pricing information? From the vendor ...? And do you believe their performance numbers?

I find it amazing how many people think everything that has the label "firewall" on it is identical, so only performance numbers/interfaces and prices should be compared.

But technical evaluation ? Who cares about violations against the TCP protocol ? (which firewall detects errors/attacks against TCP window sizing ? Who cares if the firewall protects the servers against "sockstress" ?)

And since we are operating a top-level-domain, I always ask about support for IPv6 ! (and guess how weak support is for that)

Kind regards,

It seems to me the whole design is based on a virtual network. If so, what is the potential risk of unexpectedly allowing unauthorized external users access to your internal/DMZ networks due to system misconfiguration, product problems, etc.? Personally, I would like to use more "physical" separation to handle the just-in-case. The impact is significant when the breach happens; it is just a matter of time.


For IPS technology product reviews look at the NSS group. They provide independent reviews of the top vendors. McAfee's IPS is the only vendor certified for 10gig throughput. With regards to Juniper's SRX device you need to read the fine print about their performance when you enable the IPS feature. The performance drops by more than 50% and the detection rate is horrible. Look for the document "PERFORMANCE VALIDATION OF JUNIPER NETWORKS SRX5800 SERVICES GATEWAY" on their website. It's nice the vendor is straightforward with their performance numbers. I wish other vendors were too.

The top firewall vendors are Cisco, Juniper, Checkpoint, McAfee and Palo Alto. I would stay away from Checkpoint, horrible support, and Palo Alto is a very small company that will either be bought by another company, HP?, or go out of business.

As far as pricing goes you need to reach out to the vendor directly and it doesn't hurt to tell them what you are trying to accomplish. They will provide a lot of insight into their products that you were probably not even aware of.
It sounds like you are relying on the Firewall/IPS to be your primary defense mechanism. Before you go out and spend multiple $100K’s on a 10GB firewall/IPS (Cisco has one too, the ASA 5585), there are many other things you can do to harden the network. Most of them cost nothing, and it’s a more efficient use of your time and money.
First, make sure you understand what risks you are protecting against. Denial of Service? Theft of data? Bots/Malware? Theft of assets? Put your money where it matters most. Here are just a few ideas:
1. Which servers have critical data? Perhaps you can move them to another VLAN so that the IPS traffic rates are lower, especially the non-TCP/UDP servers.
2. Block unnecessary protocols. If your users don’t RDP to servers, block it (and log).
3. Only your nameservers should be talking DNS. Block it from other servers.
4. Do your servers initiate connections to users or the Internet? If not, block attempts (apply ACLs with ‘established’ keywords).
5. Block unnecessary inter-server traffic. For example, your file server should not start communicating with the mail server.
6. By all means, apply layer 2 controls such as ARP inspection, port security, RPF checks, etc.
7. Set your Windows workstations to not cache credentials.
8. Limit user privileges, and limit execution to the Program Files directory. If they must have localadmin privileges, give them a separate account for that.
9. Set your host firewalls to block incoming connections from other workstations.
10. Consider using reputation-based filtering on the Internet edge.
If you do all these things first, you may find you don't need a 10GB+ IPS as much.
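As an added illustration of steps 2 through 6 of the list above, together with the diary's ARP criterion and the earlier remark about DHCP snooping and MAC limits, here is a Cisco IOS configuration fragment; it is not taken from the commenter, the diary or any vendor document. All addresses, VLAN numbers and interface names are constructed placeholders, and the platform syntax is assumed to be Catalyst IOS.

```cisco
! Constructed addressing: user VLAN 10 = 10.10.0.0/24, server VLAN 20 =
! 10.20.0.0/24, nameserver 10.20.0.53. Steps refer to the list above.
!
! Steps 2 and 3, applied to traffic arriving from the users
ip access-list extended USERS-TO-SERVERS
 remark step 3: only the nameserver may be asked for DNS
 permit udp 10.10.0.0 0.0.0.255 host 10.20.0.53 eq domain
 deny   udp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq domain log
 remark step 2: users do not RDP to servers; drop and log
 deny   tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 3389 log
 permit ip 10.10.0.0 0.0.0.255 any
!
! Step 4, applied to traffic arriving from the servers: only TCP replies
! ('established' = ACK or RST bit set) and the nameserver's DNS may leave;
! UDP services the servers must initiate (NTP, syslog) need explicit permits
ip access-list extended SERVERS-OUT
 permit tcp 10.20.0.0 0.0.0.255 any established
 permit udp host 10.20.0.53 eq domain any
 permit udp host 10.20.0.53 any eq domain
 deny   ip any any log
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
 ip verify unicast source reachable-via rx
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip access-group SERVERS-OUT in
!
! Step 6 and the ARP criterion: DHCP snooping builds the IP/MAC binding
! table that Dynamic ARP Inspection and IP Source Guard enforce against
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet1/1
 description user access port: two MACs max, violations dropped and counted
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security
 ip verify source
!
interface GigabitEthernet1/24
 description trunk towards the DHCP server: trusted for snooping and DAI
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

Step 5 (inter-server traffic) is not covered here because the SVI ACLs only see traffic crossing VLAN boundaries; filtering between servers on the same VLAN needs a VLAN ACL or separate VLANs.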
