Firewall Wizards mailing list archives
RE: IDS Flooding: was RE: ??? vs blackice -reply
From: "LaPane, Mike" <MGL () para-protect com>
Date: Wed, 29 Mar 2000 12:30:31 -0500
Agree, on all accounts. Proper location in the network is critical for the implementation. And yes, customizing is an important piece (Perl/Python is your friend :). I just felt that RealSecure didn't offer the level of customization that NFR or Dragon offers. Of course, I'm looking at it from a managed service point of view. Maybe that's causing the skewed assessment. I know that with RS you can dump to a SQL for event correlation off-line, so that's a good thing, but I know the others do that to. As far as consoles go, I think you can realistically throttle that up to about 15 sensors with a healthy console and a decent pipe (if you're doing remote management). Policy configuration is critical at that point so as not to kill your console with superfluous data. Maybe just a lack of info/knowledge on the RS product:) Cheers, -Mike -----Original Message----- From: Mark.Teicher () predictive com [mailto:Mark.Teicher () predictive com] Sent: Wednesday, March 29, 2000 11:54 AM To: LaPane, Mike Cc: CrumrineGL () state gov; firewall-wizards () nfr net; robert_david_graham () yahoo com; Matthew.Brown () predictive com; sdroski () iss net Subject: IDS Flooding: was RE: [fw-wiz] ??? vs blackice -reply All IDS systems are vulnerable to system console flooding. If you run certain kiddie-scripts back to back against certain IDS systems, they will bog or just fail completely. Most of the IDS systems today are not designed for large scale networks with multiple remote locations. When I mean large-scale, I mean organizations with their own Class 'A' or Class 'B' network plus several dozen Class 'C's, NAT IP Masquerading, etc, etc. There are ways to manipulate the current commercially available IDS products to encompass such a large network.. READ, lots of custom scripting, automation, etc to get everything to interoperate within the chosen environment. Each IDS product has its +/-'s, caveats, nuances what ever. It is really comes down to how the network is designed and compare it to what the users are actually doing. Once those two facts are collected, then an assessment/requirements phase should be done to really gauge how an IDS system will help monitor the anomalies that may be happenning inside or outside your particular organization's network. The other factor is how intimate do you want to be with your IDS of choice, the vendor, the reseller, etc?? If you do not want to become that intimate choose an IDS product that does not require you to be able to recite the 9 OSI Layers mantra. Then select one that best fits your organization's technical resources, budget, and fits at least 5 of your stated requirements. You did have a list of requirements that an IDS must have to be purchased for your environment? Oh yeah, back to ISS RealSecure, there are ways to tweak the console piece that one is a master console, and the second console can be View-Only. Depending on the number of detectors deployed. I think the ratio without totally saturating a ISS RealSecure Console is about 5 detectors for every Console. This also changes your ISS license agreement, so plan wisely if you are choosing an ISS solution versus another vendor's solution. /cheers /mht "LaPane, Mike" <MGL () para-protect com> 03/29/00 08:27 AM To: "'Mark.Teicher () predictive com'" <Mark.Teicher () predictive com>, Robert Graham <robert_david_graham () yahoo com> cc: firewall-wizards () nfr net, CrumrineGL () state gov Subject: RE: [fw-wiz] ??? vs blackice -reply I'm not sure how to classify NetSonar as an IDS. It's an assessment tool (same space as S2 or Axent ESM). NetRanger is Cisco's IDS entry. Also, what about DRAGON from NSW? Good product. Agree on the statement that any IDS will give garbage if improperly configured, but I don't care for RealSecure when deployed in large scale. The console quickly becomes inundated. Hard to manage if you have multiple masters (read, impossible), other than read-only access and buffer logging only. My 2 cents -----Original Message----- From: Mark.Teicher () predictive com [mailto:Mark.Teicher () predictive com] Sent: Thursday, March 23, 2000 1:52 PM To: Robert Graham Cc: firewall-wizards () nfr net; CrumrineGL () state gov Subject: Re: [fw-wiz] ??? vs blackice -reply OK. The last time we spoke you were going to have somebody from NetworkICE contact me and send me an eval copy of the NetworkICE Sentry version. NetworkICE Defender is the only version that was available to me at the time of my evaluation.. OK Here is the correct lineup ISS RealSecure NFR IDA NetworkICE Sentry Cisco NetSonar Axent ITA/NetProwler Did I miss anything in the Enterprise IDS space.. If ISS RealSecure is properly configured, it will not drown the user in meaningless alerts, but that requires a skill set above the average monitor monkey. NetworkICE Defender can also give meaningless alerts if not configured properly also. So once again, if an IDS system is not properly configured and tuned on a regular basis, as traffic analyzed over time is deemed normal versus the abnomalies. It is a constant struggle of finding customizing the rule base and/or policies within each of the IDS systems to cater to the particular organization's environment and tracking down the abnomalies. The explanations of each alert can vary from IDS system to IDS system, as each vendor is slowly migrating to the standards of the CVE, this will more or less normalize over the few months, few years depending on how fast each vendor revs their product offerings and releases updates. If you want a vendor neutral review, I suggest contacting a vendor neutral network consulting company for a very thorough product comparison test. (Product Bakeoff) Robert, contact me privately and I can suggest a few network consulting companies that offer these type of services.. :) /mark Robert Graham <robert_david_graham () yahoo com> 03/23/00 10:31 AM To: Mark.Teicher () predictive com cc: firewall-wizards () nfr net, owner-firewall-wizards () lists nfr net, rgrimsha () syr edu Subject: Re: [fw-wiz] ??? vs blackice -reply --- Mark.Teicher () predictive com wrote:
What I meant in the previous message was that NetworkICE cannot be
placed
in the same category as ISS RealSecure or NFR IDA 4.01. These
products
address completely different segments of the IDS product space.
Hhhmm. Apparently you haven't used BlackICE Sentry yet. The Sentry version does the following: * promiscuous packet capture * over 400 signatures * full stateful protocol analysis * centralized mgmt/reporting * etc. In Greg Shiply's review at http://www.nwc.com/1023/1023f19.html, you can see the performance of the network engine when compared with alternatives. Moreover, the "full stateful analysis" means the signatures are much more robust. For example, we have only one signature for a POP3 buffer overflow in the user name field, whereas other products have as many as 20. We have several customers who have thrown out RealSecure and replaced with BlackICE Sentry because: * Sentry handles higher traffic rates * Sentry has extensive anti-evasion capabilities (reassembles packets, handles all whisker evasions, etc.) * Sentry has dramatically fewer false positives (a lot of customers end up paying a lot for RealSecure, then stop using it because they are drowned in meaningless alerts). * Its explanation of alerts is much better than the X Force stuff. What feature is BlackICE Sentry missing such that you don't put it in the same category?
NetworkICE Lockdown 2000 Bonzi Intruder are addressing the personal firewall and personal IDS space while
Uh, no. Lockdown2000 and Bonzi Intruder are neither firewalls or real IDSs. They are port monitors like Nukenabber. They contain zero packet filtering capabilities. In contrast, BlackICE Defender is currently the market leader in personal firewalls. Both Defender and Sentry make use of the same underlying IDS engine, but please don't confuse one for the other. Robert Graham CTO/Network ICE __________________________________________________ Do You Yahoo!? Talk to your friends online with Yahoo! Messenger. http://im.yahoo.com
Current thread:
- IDS Flooding: was RE: ??? vs blackice -reply Mark . Teicher (Mar 29)
- <Possible follow-ups>
- RE: IDS Flooding: was RE: ??? vs blackice -reply LaPane, Mike (Mar 29)