IDS mailing list archives
Ha: RE: Juniper and ISS Protocol Anomaly Detection Evaluation
From: Dmitry V Ushakov <ushakov () technoserv ru>
Date: Tue, 16 May 2006 11:16:12 +0400
Wayne, I am really interested in your testing methodology then as when I performed similar analysis (though there was smaller IDP but it should not make sense as allof them run the same OS image, but what could is the ISS Network Sensor - a software version of the Proventia appliance) I would not give Netscreen a big preference. Though personally I would not vote for ISS as I do not like their Java-based SiteProtector but the "audit signatures" they are providing can be quite handy for some organizations whose goal is to monitor suspicious user activities. Signature coverage turned out to quite the same with a couple of extra points going to ISS for better representation of alerts in the SiteProtector. And Mike, if I understood correctly you are looking for a solution that would not only provide high performance but also be highly tunable with regard to "anomaly detection" whichever it means... and you are not decided yet. If so I would recommend you looking at StoneGate IPS (www.stonesoft.com) their solution which includes a component called Analyzer allows creating customized "attack patterns" and thus control the triggering of IDS alarms only if certain sequence of events or a group of such events (i.e. packets or group of packets) have been seen. They also provide a good technical support. Best regards, Dmitriy Ushakov. Technical expert Information Security Department "TechnoServ A/S" Company "Reynolds, Wayne" <Wayne_Reynolds () condenast com> написано 15.05.2006 20:01:19:
Mike, We have already compared these two solutions in depth and ended up choosing Juniper. We already use NetScreens as our firewall solution and Juniper will be offering an IDP module for the NetScreens very shortly which will incorporate the IDP management within their pre-existing NSM console package. Personally, I found ISS' management console much more intuitive, but I felt that their tech support was severely lacking. Their support team just never seemed interested in giving us any help. -Wayne ________________________________________ Wayne D Reynolds Network Engineering and Security Conde Nast Publications mailto:wayne_reynolds () condenast com -----Original Message----- From: Mike Youngs [mailto:myoungs () glenergy com] Sent: Friday, May 12, 2006 8:06 AM To: focus-ids () lists securityfocus com Subject: Juniper and ISS Protocol Anomaly Detection Evaluation Hello Everyone, I am doing a network based intrusion detection and prevention system evaluation, and have come across something I would like this groups collective experience to give an opinion on. For various reasons, we have settled on making a selection between the Juniper IDP 600C and the ISS Proventia GX5008. During our evaluation, we have found that Juniper and ISS offer their protocol anomaly detection means in much different ways. What I would like to hear from this group is your experience and insight with either product's protocol anomaly detection. If someone has insight and/or experience with both products, that will be that much better. I hope to find out if each vendor's protocol anomaly detection features are essentially the same thing, or if one is superior over the other and why, so I can make a more informed decision on this feature. Another way to say it is, does "protocol anomaly detection" mean the same thing to both vendors? It appears that "attack pattern" means something different to each vendor. One considers in the actual string or pattern to look for in a packet, and the other considers is it multiple events when viewed as a whole could mean an attack on a system. Any insight would be appreciated! Thanks in advance, Mike Youngs Network Manager Great Lakes Energy ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more. ------------------------------------------------------------------------
Current thread:
- Ha: RE: Juniper and ISS Protocol Anomaly Detection Evaluation Dmitry V Ushakov (May 16)