RE: IDS Flooding: was RE: ??? vs blackice -reply

["LaPane, Mike" <MGL () para-protect com>]

Agree, on all accounts. Proper location in the network is critical for
the implementation. And yes, customizing is an important piece
(Perl/Python is your friend :). I just felt that RealSecure didn't offer
the level of customization that NFR or Dragon offers. Of course, I'm
looking at it from a managed service point of view. Maybe that's causing
the skewed assessment.

I know that with RS you can dump to a SQL for event correlation
off-line, so that's a good thing, but I know the others do that to. As
far as consoles go, I think you can realistically throttle that up to
about 15 sensors with a healthy console and a decent pipe (if you're
doing remote management). Policy configuration is critical at that point
so as not to kill your console with superfluous data.

Maybe just a lack of info/knowledge on the RS product:)

Cheers,

-Mike

-----Original Message-----
From: Mark.Teicher () predictive com [mailto:Mark.Teicher () predictive com]
Sent: Wednesday, March 29, 2000 11:54 AM
To: LaPane, Mike
Cc: CrumrineGL () state gov; firewall-wizards () nfr net;
robert_david_graham () yahoo com; Matthew.Brown () predictive com;
sdroski () iss net
Subject: IDS Flooding: was RE: [fw-wiz] ??? vs blackice -reply


All IDS systems are vulnerable to system console flooding.  If you run 
certain kiddie-scripts back to back against certain IDS systems, they
will 
bog or just fail completely. 

Most of the IDS systems today are not designed for large scale networks 
with multiple remote locations.  When I mean large-scale, I mean 
organizations with their own Class 'A' or Class 'B' network plus several

dozen Class 'C's, NAT IP Masquerading, etc, etc. 

There are ways to manipulate the current commercially available IDS 
products to encompass such a large network.. READ, lots of custom 
scripting, automation, etc to get everything to interoperate within the 
chosen environment. 

Each IDS product has its +/-'s, caveats, nuances what ever.  It is
really 
comes down to how the network is designed and compare it to what the
users 
are actually doing.  Once those two facts are collected, then an 
assessment/requirements phase should be done to really gauge how an IDS 
system will help monitor the anomalies that may be happenning inside or 
outside your particular organization's network. 
 The other factor is how intimate do you want to be with your IDS of 
choice, the vendor, the reseller, etc?? 
 If you do not want to become that intimate choose an IDS product that 
does not require you to be able to recite the 9 OSI Layers mantra. 
Then select one that best fits your organization's technical resources, 
budget, and fits at least 5 of your stated requirements. 
You did have a list of requirements that an IDS must have to be
purchased 
for your environment?

Oh yeah, back to ISS RealSecure, there are ways to tweak the console
piece 
that one is a master console, and the second console can be View-Only. 
Depending on the number of detectors deployed.  I think the ratio
without 
totally saturating a ISS RealSecure Console is about 5 detectors for
every 
Console.
This also changes your ISS license agreement, so plan wisely if you are 
choosing an ISS solution versus another vendor's solution.

/cheers

/mht




"LaPane, Mike" <MGL () para-protect com>
03/29/00 08:27 AM

 
        To:     "'Mark.Teicher () predictive com'"
<Mark.Teicher () predictive com>, Robert 
Graham <robert_david_graham () yahoo com>
        cc:     firewall-wizards () nfr net, CrumrineGL () state gov
        Subject:        RE: [fw-wiz] ??? vs blackice -reply


I'm not sure how to classify NetSonar as an IDS. It's an assessment tool
(same space as S2 or Axent ESM). NetRanger is Cisco's IDS entry. Also,
what about DRAGON from NSW? Good product.

Agree on the statement that any IDS will give garbage if improperly
configured, but I don't care for RealSecure when deployed in large
scale. The console quickly becomes inundated. Hard to manage if you have
multiple masters (read, impossible), other than read-only access and
buffer logging only.

My 2 cents
-----Original Message-----
From: Mark.Teicher () predictive com [mailto:Mark.Teicher () predictive com]
Sent: Thursday, March 23, 2000 1:52 PM
To: Robert Graham
Cc: firewall-wizards () nfr net; CrumrineGL () state gov
Subject: Re: [fw-wiz] ??? vs blackice -reply


OK.

The last time we spoke you were going to have somebody from NetworkICE
contact me and send me an eval copy of the NetworkICE Sentry version.
NetworkICE Defender is the only version that was available to me at the
time of my evaluation..

OK

Here is the correct  lineup

ISS RealSecure
NFR IDA
NetworkICE Sentry
Cisco NetSonar
Axent ITA/NetProwler


Did I miss anything in the Enterprise IDS space..


If ISS RealSecure is properly configured, it will not drown the user in
meaningless alerts, but that requires a skill set above the average
monitor monkey.  NetworkICE Defender can also give meaningless alerts if

not configured properly also.

So once again, if an IDS system is not properly configured and tuned on
a
regular basis, as traffic analyzed over time is deemed normal versus the

abnomalies. It is a constant struggle of finding customizing the rule
base
and/or policies within each of the IDS systems to cater to the
particular
organization's environment and tracking down the abnomalies.

The explanations of each alert can vary from IDS system to IDS system,
as
each vendor is slowly migrating to the standards of the CVE, this will
more or less normalize over the few months, few years depending on how
fast each vendor revs their product offerings and releases updates.

If you want a vendor neutral review, I suggest contacting a vendor
neutral
network consulting company for a very thorough product comparison test.
(Product Bakeoff)

Robert, contact me privately and I can suggest a few network consulting
companies that offer these type of services.. :)

/mark





Robert Graham <robert_david_graham () yahoo com>
03/23/00 10:31 AM


        To:     Mark.Teicher () predictive com
        cc:     firewall-wizards () nfr net,
owner-firewall-wizards () lists nfr net,
rgrimsha () syr edu
        Subject:        Re: [fw-wiz] ??? vs blackice -reply


--- Mark.Teicher () predictive com wrote:
> What I meant in the previous message was that NetworkICE cannot be
placed
> in the same category as ISS RealSecure or NFR IDA 4.01.  These
products
> address completely different segments of the IDS product space.

Hhhmm. Apparently you haven't used BlackICE Sentry yet. The Sentry
version
does
the following:
* promiscuous packet capture
* over 400 signatures
* full stateful protocol analysis
* centralized mgmt/reporting
* etc.

In Greg Shiply's review at http://www.nwc.com/1023/1023f19.html, you can
see
the performance of the network engine when compared with alternatives.

Moreover, the "full stateful analysis" means the signatures are much
more
robust. For example, we have only one signature for a POP3 buffer
overflow
in
the user name field, whereas other products have as many as 20.

We have several customers who have thrown out RealSecure and replaced
with
BlackICE Sentry because:
* Sentry handles higher traffic rates
* Sentry has extensive anti-evasion capabilities (reassembles packets,
handles
all whisker evasions, etc.)
* Sentry has dramatically fewer false positives (a lot of customers end
up
paying a lot for RealSecure, then stop using it because they are drowned

in
meaningless alerts).
* Its explanation of alerts is much better than the X Force stuff.

What feature is BlackICE Sentry missing such that you don't put it in
the
same
category?

> NetworkICE
> Lockdown 2000
> Bonzi Intruder
> are addressing the personal firewall and personal IDS space while

Uh, no. Lockdown2000 and Bonzi Intruder are neither firewalls or real
IDSs.
They are port monitors like Nukenabber. They contain zero packet
filtering
capabilities.

In contrast, BlackICE Defender is currently the market leader in
personal
firewalls. Both Defender and Sentry make use of the same underlying IDS
engine,
but please don't confuse one for the other.

Robert Graham
CTO/Network ICE



__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com