Ha: RE: Juniper and ISS Protocol Anomaly Detection Evaluation

[Dmitry V Ushakov <ushakov () technoserv ru>]

Wayne,

I am really interested in your testing methodology then as when I 
performed similar analysis (though there was smaller IDP but it should not 
make sense as allof them run the same OS image, but what could is the ISS 
Network Sensor - a software version of the Proventia appliance) I would 
not give Netscreen a big preference. Though personally I would not vote 
for ISS as I do not like their Java-based SiteProtector but the "audit 
signatures" they are providing can be quite handy for some organizations 
whose goal is to monitor suspicious user activities.
Signature coverage turned out to quite the same with a couple of extra 
points going to ISS for better representation of alerts in the 
SiteProtector.

And Mike, if I understood correctly you are looking for a solution that 
would not only provide high performance but also be highly tunable with 
regard to "anomaly detection" whichever it means... and you are not 
decided yet.
If so I would recommend you looking at StoneGate IPS (www.stonesoft.com) 
their solution which includes a component called Analyzer allows creating 
customized "attack patterns" and thus control the triggering of IDS alarms 
only if certain sequence of events or a group of such events (i.e. packets 
or group of packets) have been seen. 
They also provide a good technical support.

Best regards, 
Dmitriy Ushakov.

Technical expert
Information Security Department
"TechnoServ A/S" Company 

"Reynolds, Wayne" <Wayne_Reynolds () condenast com> написано 15.05.2006 
20:01:19:

> Mike,
>
> We have already compared these two solutions in depth and ended up
> choosing Juniper.
>
> We already use NetScreens as our firewall solution and Juniper will be
> offering an IDP module for the NetScreens very shortly which will
> incorporate the IDP management within their pre-existing NSM console
> package.
>
> Personally, I found ISS' management console much more intuitive, but I
> felt that their tech support was severely lacking.  Their support team
> just never seemed interested in giving us any help.
>
> -Wayne
>
> ________________________________________
> Wayne D Reynolds
> Network Engineering and Security
> Conde Nast Publications
> mailto:wayne_reynolds () condenast com
>
>
>
> -----Original Message-----
> From: Mike Youngs [mailto:myoungs () glenergy com] 
> Sent: Friday, May 12, 2006 8:06 AM
> To: focus-ids () lists securityfocus com
> Subject: Juniper and ISS Protocol Anomaly Detection Evaluation
>
> Hello Everyone,
>
> I am doing a network based intrusion detection and prevention system
> evaluation, and have come across something I would like this groups
> collective experience to give an opinion on.
>
> For various reasons, we have settled on making a selection between the
> Juniper IDP 600C and the ISS Proventia GX5008.  During our evaluation,
> we
> have found that Juniper and ISS offer their protocol anomaly detection
> means
> in much different ways.  What I would like to hear from this group is
> your
> experience and insight with either product's protocol anomaly detection.
> If
> someone has insight and/or experience with both products, that will be
> that
> much better.  I hope to find out if each vendor's protocol anomaly
> detection
> features are essentially the same thing, or if one is superior over the
> other
> and why, so I can make a more informed decision on this feature.
>
> Another way to say it is, does "protocol anomaly detection" mean the
> same
> thing to both vendors?  It appears that "attack pattern" means something
> different to each vendor.  One considers in the actual string or pattern
> to
> look for in a packet, and the other considers is it multiple events when
> viewed as a whole could mean an attack on a system.
>
> Any insight would be appreciated!  Thanks in advance,
>
> Mike Youngs
> Network Manager
> Great Lakes Energy
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>
> to learn more.
> ------------------------------------------------------------------------
>
>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 

> to learn more.
> ------------------------------------------------------------------------