Re: Ids evaluation

ajm (cso@intacc.net)
Wed, 07 Jun 1995 19:31:46 -0400

>I want to buy and install an intrusion detection system.  Our purchasing
>department is telling me that I have to provide a list of specifications for an
>intrusion detection system that can be used to evaluate the features of
>competing products.  Given the little I know of the different approaches that
>IDS systems use, this seems a difficult task.  From time to time I have been
>surprised by the high levels of ability of people posting on this list and I
>think that some of them must have been through this evaluation process before.
>
>Can anyone e-mail me a starting point for evaluation specifications please, or
>point me to a good source?
>
>                                        Brian Smith, DOS Dummy
>
I am familiar with 2 commercial products: Stalker by Haystack Labs
                                          CMDS by SAIC

These two products are quite different in how they work and how you would
use them. Haystack Labs is a small startup which, right now, will live
or die based on the success of Stalker. CMDS is the product of a large
international entity--if it doesn't do well it may be dropped.

Specifications should start with your requirements:
        - What platform must it run on
        - What price can you accept
        - How much do you trust your network?
            Can you accept NFSing of the audit logs to the audit server (Stalker)
            Do you need encryption of the audit logs as they are sent to audit
                        server (CMDS now I believe, future for Stalker)
        - Do you want an easy to use GUI interface to handle audit log
management (Stalker--very nice!)
        - Do you need realtime alerts (CMDS has a few, Stalker will add this)
        - What is the cost of maintenance
        - Do you need to integrate your own security events (Stalker can do
this)

Probably the most important issue is what approach do you believe in?
            CMDS uses statistical analysis to detect anomalies in
activity--if the attack is direct and overt it should be easy to see in the
graphs CMDS presents you with.

            Stalker has a large encrypted database of typical hacks or
system misuse which they apply to the logs you select. You then get a
reduced list of the security events which should be investigated.

2 very different approaches so you probably should get to know these and any
other products better before you try to specify. I had them in on trial for
a few days first.

Andrew Mackie

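An added example, not code from Andrew's reply or from either product, sketching the two detection approaches he contrasts on a small constructed audit log: a database of known-misuse patterns applied to the log to produce a reduced list of events to investigate (the Stalker-style approach), and a per-user statistical baseline that flags days whose activity deviates from the norm (the CMDS-style approach). The log layout, the signature strings and the z-score threshold are assumptions made for illustration.

```python
# Added illustration of the two IDS approaches in the reply; the log format,
# signatures and threshold below are invented, not from either product.
from collections import Counter, defaultdict
import statistics

# Constructed audit log: (day, user, event). Alice's day 5 is the odd one out.
AUDIT_LOG = [(d, "alice", e) for d in range(1, 5)
             for e in ("login", "read report.txt", "logout")]
AUDIT_LOG += [(5, "alice", e)
              for e in ("login", "read /etc/shadow", "su root failed", "logout") * 3]
AUDIT_LOG += [(d, "bob", e) for d in range(1, 6) for e in ("login", "logout")]

# Hypothetical misuse database: substring pattern -> what it indicates.
SIGNATURES = {
    "read /etc/shadow": "attempt to read password hashes",
    "su root failed": "failed privilege escalation",
}

def signature_matches(log, signatures=SIGNATURES):
    """Misuse detection: keep only events matching a known-bad pattern."""
    hits = []
    for day, user, event in log:
        for pattern, label in signatures.items():
            if pattern in event:
                hits.append((day, user, event, label))
    return hits

def anomaly_days(log, threshold=2.0):
    """Anomaly detection: flag (user, day) whose event count sits more than
    `threshold` standard deviations from that user's other days."""
    per_day = defaultdict(Counter)
    for day, user, _ in log:
        per_day[user][day] += 1
    flagged = []
    for user, counts in per_day.items():
        for day, n in sorted(counts.items()):
            others = [c for d, c in counts.items() if d != day]
            if len(others) < 2:
                continue  # not enough history to form a baseline
            mean = statistics.mean(others)
            # Floor the spread so a perfectly flat baseline cannot divide by zero.
            spread = max(statistics.pstdev(others), 1.0)
            z = (n - mean) / spread
            if abs(z) >= threshold:
                flagged.append((user, day, n, round(z, 2)))
    return flagged

if __name__ == "__main__":
    print("signature hits:", signature_matches(AUDIT_LOG))
    print("anomalous days:", anomaly_days(AUDIT_LOG))
```

The two detectors agree on this overt case but for different reasons: the signature pass names the specific events, while the baseline pass only sees that alice's day 5 volume is out of character.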