IDS mailing list archives

RE: Juniper and ISS Protocol Anomaly Detection Evaluation


From: "Biswas, Proneet" <pbiswas () ipolicynetworks com>
Date: Thu, 18 May 2006 14:26:02 -0700

Another key point to keep in mind while working on protocol anomalies is
the difference between anomalies like UDP checksum zero, which is a very
common phenomenon, versus HTTP directory-traversal-like anomalies, which
are sure signs of a person trying to exploit. Also keep in mind that
protocol anomalies should be judged with respect to individual systems.
So, the security appliance should be provisioned with the granularity to
switch off the anomalies for a single host or group of hosts.

Thanks
Proneet.

---------------------------------------------------------------
To have known the best, and to have known it for the best, is success in
life.
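The two points in the message above (a UDP checksum of zero is legal and common, a directory-traversal request is a high-confidence attack indicator, and either class of anomaly should be switchable off per host or per group) can be made concrete in a small classifier. The following is an added example written for this archive page; it is not code from ipolicynetworks, ISS, Juniper or any other product mentioned in the thread. The severity table, the suppressed 10.20.0.0/24 subnet and the sample packets are all constructed assumptions chosen to illustrate the tuning, not vendor defaults or captured traffic.

```python
"""Toy protocol-anomaly classifier with per-host suppression.

Added example for this thread, not code from any product named in it.
Events, the severity policy and the host groups are constructed
assumptions chosen to illustrate the point, not vendor defaults.
"""
import ipaddress
import struct
from urllib.parse import unquote

# Severity policy (assumption): a zero UDP checksum is permitted by
# RFC 768 and common in the wild, so it is only informational; a
# '..' path segment in an HTTP request target is high confidence.
POLICY = {
    "udp.checksum_zero": "info",
    "http.directory_traversal": "high",
}

# Per-host / per-group suppression (assumption): e.g. a VoIP subnet
# whose phones legitimately send UDP without a checksum.
SUPPRESS = {
    "udp.checksum_zero": [ipaddress.ip_network("10.20.0.0/24")],
}


def udp_checksum_zero(udp_header: bytes) -> bool:
    """True if the 16-bit checksum field of an 8-byte UDP header is zero."""
    if len(udp_header) < 8:
        raise ValueError("UDP header is 8 bytes")
    _sport, _dport, _length, checksum = struct.unpack("!HHHH", udp_header[:8])
    return checksum == 0


def http_directory_traversal(request_line: bytes) -> bool:
    """True if the request target contains a '..' path segment after one
    round of percent-decoding (catches '%2e%2e/' and '..%2f' encodings)."""
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    target = unquote(parts[1].decode("latin-1"))
    path = target.split("?", 1)[0].replace("\\", "/")
    return any(seg == ".." for seg in path.split("/"))


def suppressed(anomaly: str, src: str) -> bool:
    """True if this anomaly is switched off for the source host's group."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in SUPPRESS.get(anomaly, []))


def evaluate(events):
    """Run both detectors over events and return (src, anomaly, severity)
    tuples for everything not suppressed by the per-host policy.

    Each event is {"src": ip string, "proto": "udp" | "http", "data": bytes}.
    """
    alerts = []
    for ev in events:
        if ev["proto"] == "udp" and udp_checksum_zero(ev["data"]):
            anomaly = "udp.checksum_zero"
        elif ev["proto"] == "http" and http_directory_traversal(ev["data"]):
            anomaly = "http.directory_traversal"
        else:
            continue
        if suppressed(anomaly, ev["src"]):
            continue
        alerts.append((ev["src"], anomaly, POLICY[anomaly]))
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE_EVENTS = [
    # UDP header: sport 5060, dport 5060, length 8, checksum 0, from the suppressed subnet
    {"src": "10.20.0.15", "proto": "udp", "data": struct.pack("!HHHH", 5060, 5060, 8, 0)},
    # Same anomaly from a host outside the group: reported, but only as info
    {"src": "192.0.2.7", "proto": "udp", "data": struct.pack("!HHHH", 40000, 53, 8, 0)},
    # Ordinary UDP with a non-zero checksum: no anomaly
    {"src": "192.0.2.8", "proto": "udp", "data": struct.pack("!HHHH", 40000, 53, 8, 0xBEEF)},
    # Percent-encoded traversal attempt: high severity regardless of host
    {"src": "198.51.100.9", "proto": "http", "data": b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0"},
    # Benign request
    {"src": "198.51.100.10", "proto": "http", "data": b"GET /index.html HTTP/1.0"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports the checksum-zero datagram from 192.0.2.7 as informational and the traversal from 198.51.100.9 as high, while the same checksum-zero datagram from the suppressed 10.20.0.0/24 group produces nothing. Suppression is keyed on the anomaly as well as the host, so switching off the noisy UDP check for a group never silences the traversal check for that group.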


-----Original Message-----
From: Eric Hanselman [mailto:ehanselman () netscape net] 
Sent: Wednesday, May 17, 2006 2:17 PM
To: Steven.Williams () computershare com au
Cc: Reynolds, Wayne; Mike Youngs; focus-ids () lists securityfocus com
Subject: Re: Juniper and ISS Protocol Anomaly Detection Evaluation


Folks,

First off, I work for ISS.  While this certainly colors my perspective, 
I hope that I can add some value.

The Sentriant Security Appliance is a nice idea for managing security in
an Extreme switch today.  The detection is pretty limited, though.  If 
you need something to knock down worm propagation, it will do the trick 
at very high speed.  Extreme understands the limitations of the 
technology and that's why they have partnered with ISS in taking it to 
the next level by using ISS X-Force security info.  Check out the press 
announcements from Interop.  While this was a proof of concept that was 
demo'd, one might reasonably expect products around this in the 
not-too-distant future.

As to the question on the difference in ISS and Juniper's protocol 
anomaly detection, this seems to really miss the underlying security 
differences.  Protocol anomaly detection is a very small piece of 
protection.  While you should care if attackers are violating RFCs, 
it's much more important to determine how well your security provider 
detects higher level attacks.  Does the solution detect fragmented RPC 
attacks?  At what minimum fragment size?  The Juniper folks have some 
difficulties here.

A great test tool to prove all of this is Metasploit.  Fire up their WMF
exploit and see who catches it.

Bob Waldron at NSS is about to release the latest round (edition 4) of 
his test results.  If you can't do the testing yourself, contact him to 
see if you can purchase an early copy of the results.  He provides 
objective criteria and gives detailed analysis.

Hope that this helps.

- Eric


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
