IDS mailing list archives
RE: RE: Juniper and ISS Protocol Anomaly Detection Evaluation
From: "Security Focus" <Security.Focus () comcast net>
Date: Thu, 18 May 2006 08:17:40 -0500
Juniper also recently completed Common Criteria Certification. http://niap.nist.gov/cc-scheme/st/ST_VID10058.html Regards, Matt Gair Security Services Engagement Manager En Pointe Technologies +1 817-230-4881 mgair () enpointe com www.enpointe.com/security -----Original Message----- From: Dmitry V Ushakov [mailto:ushakov () technoserv ru] Sent: Wednesday, May 17, 2006 5:26 AM To: Chris Hummel Cc: focus-ids () lists securityfocus com; myoungs () glenergy com Subject: Ha: RE: Juniper and ISS Protocol Anomaly Detection Evaluation I would also mention the Tolly Group as an organization which performs "indpendent" analysis of IT products in general and ID(P)S products in particular. But I would not fully rely on their results as though all of them state that their results are not influenced by the sponsor founding their tests still they sometimes get quite diverse results. The best solution would be of course to make a pilot and test the products having them at full control. The aforementioned organizations have their test scenarios described but you can figure out your own tests to make sure the features you require from the product are actually present in the ID(P)S and not in the marketing brochure. Best regards, Dmitriy Ushakov. Technical expert Information Security Department "TechnoServ A/S" Company "Chris Hummel" <chris_hummel () hotmail com> написано 16.05.2006 04:50:14:
Mike, In this day in age, it has become increasingly difficult to wade through
the
vendor bs in an attempt to get an apples to apples comparision of the technology that drives the products. Fortunately, there are other
groups in
this world who feel the same way and have taken matters into their own hands. One of the best independent test and evaluation bodies for
various
security products is The NSS Group, based out of southern France (I believe). After you locate their web site, find the latest online
report
for NIPS and see for yourself the amount of work that is put into their evaluations. Some of the reports (online html version only) are free,
but
the vast majority are $100, which isn't that bad when you consider the
total
investment that your company is about to make. Of course, if you prefer to do the testing yourself and also have a
decent
lab setup, locate the ISIC (IP Stack Integrity Checker) test tool and
have
some fun. The NSS reports actually delves into the details of their
testing
methodology, so one could re-create that portion of the test. Your last statement hints at signature detection in the attack packet
versus
it being spread out over the course of multiple packets (a TCP stream or
IP
fragments). Once again, the NSS report dedicates an entire section to
this
type of activity. Good luck, -Chris --------------------------------------------------------------------- From: "Mike Youngs" <myoungs () glenergy com> To: <focus-ids () lists securityfocus com> Subject: Juniper and ISS Protocol Anomaly Detection Evaluation Date: Fri, 12 May 2006 11:05:47 -0400 Hello Everyone, I am doing a network based intrusion detection and prevention system evaluation, and have come across something I would like this groups collective experience to give an opinion on. For various reasons, we have settled on making a selection between the Juniper IDP 600C and the ISS Proventia GX5008. During our evaluation,
we
have found that Juniper and ISS offer their protocol anomaly detection
means
in much different ways. What I would like to hear from this group is
your
experience and insight with either product's protocol anomaly detection.
If
someone has insight and/or experience with both products, that will be
that
much better. I hope to find out if each vendor's protocol anomaly
detection
features are essentially the same thing, or if one is superior over the other and why, so I can make a more informed decision on this feature. Another way to say it is, does "protocol anomaly detection" mean the
same
thing to both vendors? It appears that "attack pattern" means something different to each vendor. One considers in the actual string or pattern
to
look for in a packet, and the other considers is it multiple events when viewed as a whole could mean an attack on a system. Any insight would be appreciated! Thanks in advance, Mike Youngs Network Manager Great Lakes Energy ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Juniper and ISS Protocol Anomaly Detection Evaluation Mike Youngs (May 15)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Chris Hummel (May 16)
- Ha: RE: Juniper and ISS Protocol Anomaly Detection Evaluation Dmitry V Ushakov (May 17)
- RE: RE: Juniper and ISS Protocol Anomaly Detection Evaluation Security Focus (May 18)
- Ha: RE: Juniper and ISS Protocol Anomaly Detection Evaluation Dmitry V Ushakov (May 17)
- <Possible follow-ups>
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Reynolds, Wayne (May 15)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Compton, Rich (May 16)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Steven Williams (May 16)
- Re: Juniper and ISS Protocol Anomaly Detection Evaluation Stefano Zanero (May 18)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Biswas, Proneet (May 19)
- Re: Juniper and ISS Protocol Anomaly Detection Evaluation Eric Hanselman (May 18)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Biswas, Proneet (May 19)
- Re: Juniper and ISS Protocol Anomaly Detection Evaluation Stefano Zanero (May 18)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Chris Hummel (May 16)