IDS mailing list archives
RE: Juniper and ISS Protocol Anomaly Detection Evaluation
From: "Biswas, Proneet" <pbiswas () ipolicynetworks com>
Date: Thu, 18 May 2006 14:26:02 -0700
Another key point to keep in mind while working on protocol anomalies is the difference between anomalies like UDP checksum zero, which is a very common phenomenon versus HTTP directory traversal like anomalies which are sure signs of a person trying to exploit. Also keep in mind that protocol anomalies whould be judged with respect to individual systems. So,the security appliance should be provisioned with the granularity to switch off the anomalies for a single/group of hosts. Thanks Proneet. --------------------------------------------------------------- To have known the best, and to have known it for the best, is success in life. -----Original Message----- From: Eric Hanselman [mailto:ehanselman () netscape net] Sent: Wednesday, May 17, 2006 2:17 PM To: Steven.Williams () computershare com au Cc: Reynolds, Wayne; Mike Youngs; focus-ids () lists securityfocus com Subject: Re: Juniper and ISS Protocol Anomaly Detection Evaluation Folks, First off, I work for ISS. While this certainly colors my perspective, I hope that I can add some value. The Sentriant Security Appliance is a nice idea for managing security in an Extreme switch today. The detection is pretty limited, though. If you need something to knock down worm propagation, it will do the trick at very high speed. Extreme understands the limitations of the technology and that's why they have partnered with ISS in taking it to the next level by using ISS X-Force security info. Check out the press announcements from Interop. While this was a proof of concept that was demo'd, one might reasonably expect products around this in the not-too-distant future. As to the question on the difference in ISS and Juniper's protocol anomaly detection, this seems to really miss the underlying security differences. Protocol anomaly detection is a very small piece of protection. While you should care if attackers are violating RFC's, it's much more important to determine how well your security provider detects higher level attacks. Does the solution detect fragmented RPC attacks? At what minimum fragment size? The Juniper folks have some difficulties here. A great test tool to prove all of this is Metasploit. Fire up their WMF exploit and see who catches it. Bob Waldron at NSS is about to release the latest round (edition 4) of his test results. If you can't do the testing yourself, contact him to see if you can purchase an early copy of the results. He provides objective criteria and gives detailed analysis. Hope that this helps. - Eric
-------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Juniper and ISS Protocol Anomaly Detection Evaluation Mike Youngs (May 15)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Chris Hummel (May 16)
- Ha: RE: Juniper and ISS Protocol Anomaly Detection Evaluation Dmitry V Ushakov (May 17)
- RE: RE: Juniper and ISS Protocol Anomaly Detection Evaluation Security Focus (May 18)
- Ha: RE: Juniper and ISS Protocol Anomaly Detection Evaluation Dmitry V Ushakov (May 17)
- <Possible follow-ups>
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Reynolds, Wayne (May 15)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Compton, Rich (May 16)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Steven Williams (May 16)
- Re: Juniper and ISS Protocol Anomaly Detection Evaluation Stefano Zanero (May 18)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Biswas, Proneet (May 19)
- Re: Juniper and ISS Protocol Anomaly Detection Evaluation Eric Hanselman (May 18)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Biswas, Proneet (May 19)
- Re: Juniper and ISS Protocol Anomaly Detection Evaluation Stefano Zanero (May 18)
- RE: Juniper and ISS Protocol Anomaly Detection Evaluation Chris Hummel (May 16)