RE: Juniper and ISS Protocol Anomaly Detection Evaluation

["Chris Hummel" <chris_hummel () hotmail com>]

Mike,

In this day in age, it has become increasingly difficult to wade through the 
vendor bs in an attempt to get an apples to apples comparision of the 
technology that drives the products.  Fortunately, there are other groups in 
this world who feel the same way and have taken matters into their own 
hands.  One of the best independent test and evaluation bodies for various 
security products is The NSS Group, based out of southern France (I 
believe).  After you locate their web site, find the latest online report 
for NIPS and see for yourself the amount of work that is put into their 
evaluations.  Some of the reports (online html version only) are free, but 
the vast majority are $100, which isn't that bad when you consider the total 
investment that your company is about to make.

Of course, if you prefer to do the testing yourself and also have a decent 
lab setup, locate the ISIC (IP Stack Integrity Checker) test tool and have 
some fun.  The NSS reports actually delves into the details of their testing 
methodology, so one could re-create that portion of the test.

Your last statement hints at signature detection in the attack packet versus 
it being spread out over the course of multiple packets (a TCP stream or IP 
fragments).  Once again, the NSS report dedicates an entire section to this 
type of activity.

Good luck,
-Chris

---------------------------------------------------------------------
From: "Mike Youngs" <myoungs () glenergy com>
To: <focus-ids () lists securityfocus com>
Subject: Juniper and ISS Protocol Anomaly Detection Evaluation
Date: Fri, 12 May 2006 11:05:47 -0400

Hello Everyone,

I am doing a network based intrusion detection and prevention system
evaluation, and have come across something I would like this groups
collective experience to give an opinion on.

For various reasons, we have settled on making a selection between the
Juniper IDP 600C and the ISS Proventia GX5008.  During our evaluation, we
have found that Juniper and ISS offer their protocol anomaly detection means
in much different ways.  What I would like to hear from this group is your
experience and insight with either product's protocol anomaly detection.  If
someone has insight and/or experience with both products, that will be that
much better.  I hope to find out if each vendor's protocol anomaly detection
features are essentially the same thing, or if one is superior over the 
other
and why, so I can make a more informed decision on this feature.

Another way to say it is, does "protocol anomaly detection" mean the same
thing to both vendors?  It appears that "attack pattern" means something
different to each vendor.  One considers in the actual string or pattern to
look for in a packet, and the other considers is it multiple events when
viewed as a whole could mean an attack on a system.

Any insight would be appreciated!  Thanks in advance,

Mike Youngs
Network Manager
Great Lakes Energy



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------