IDS: RE: Network Intrusion Detection

Schwitzgebel, Jay CPC01 (Jay.Schwitzgebel@CIGNA.COM)
Mon, 22 Mar 1999 09:41:39 -0500

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

Jerry,

I've been told by Cisco that they're in planning stages for an integration
that would put NetRanger in a strategic logical location to facilitate this,
on a card resident in the router, I believe.  I also read that ISS is
planning similar RealSecure capability in partnership with Nortel.  I'm
pasting in the "InternetWeek" article to support this claim.  Good luck.

InternetWeek  Nov 23, 1998 p7(1)
------------------------------
Security Spans Switch Ports
(Nortel Networks, Internet Security Systems Inc will integrate ISS' RealSecure
intrusion detection system with Nortel's Passport 6000 switches) (Company
Business and Marketing)

Author
Yasin, Rutrell

Full Text
Internet Security Systems Inc. and Nortel Networks are working together to
give IT managers products that can detect and respond to attacks across
switched networks with a single tool.

The companies last week said they will integrate ISS' RealSecure intrusion
detection system with Nortel's Passport 6000 switches to give IT managers
stronger end-to-end network security mechanisms.

Processing Power

Their alliance is meant to overcome a limitation that's common to widely used
network security products: Intrusion detection systems typically have limited
processing capacity to analyze the large IP data streams moving through
switch ports. As a result, IT managers have been forced to place an intrusion
detection engine on every segment or switch port to exert tighter control.
But this can be an expensive and cumbersome task.

The ISS/Nortel pact, however, will let Nortel users monitor all traffic
through the switch with a single RealSecure engine.

That's because ISS and Nortel are developing links between RealSecure and
NetSentry, which is Passport software that views packets coming through all
switch ports. NetSentry can send copies of all packets to an external
RealSecure engine, according to Charles Meyers, ISS' vice president of
corporate and business development. IT managers can then "see traffic in
multiple switch ports, [whereas before] they could only see one segment at a
time," he said.

Network administrators welcome any security tools that give them a better
view of traffic in switched networks.

"There's a larger need for something that gathers information across
switched ports and VLANs," said Tony Brocato, a senior systems engineer at
the Injured Workers Insurance Fund, a user of Cabletron switches.

"In a switched environment, you cannot detect intrusions on switch ports
unless you are on that port," Brocato said. RMON agent software can be placed
on ports to give IT managers some sense of where traffic is coming from and
its destination, but there's still a need for tools that "allow [an IT
manager] to see what's going on," he said.

A bundled software product is slated to debut during the first quarter of
1999, Meyers said. Deeper integration will come in the second half of the
year when RealSecure is incorporated into the backplane of Passport switches,
essentially making intrusion detection an integral part of the switch.

This higher level of integration will be generic enough so other network
vendors can incorporate intrusion detection into their products, according
to Meyers.

The Nortel pact is part of the Adaptive Network Security Alliance that ISS
launched last month.

Backed by 40 vendors, including Compaq, Hewlett-Packard and 3Com, the
alliance will provide users with tools to respond to security breaches
quickly and efficiently.

SECURING SWITCHED NETWORKS

The fusion between ISS's RealSecure intrusion detection system and Nortel's
Passport product line will let Nortel users monitor their switched networks
for suspicious activity. Details:

Q1 1999
Vendors will ship a bundled software product that detects attacks from any
and all switch ports

Q4 1999
Tighter integration embeds intrusion detection technology within switched
networks

Source: ISS

Copyright (c) 1998 CMP Media Inc.

------------------------------
Company
Internet Security Systems Inc.
Northern Telecom Ltd.

Product
RealSecure (Network security software)
Northern Telecom Magellan Passport (Network switch)

Topic
Company licensing agreement
Network security software
Network switch

-- Jay
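As an added illustration (it is not part of Jay's message or the InternetWeek article), the Python model below shows the limitation Brocato describes: a sensor plugged into one port of a MAC-learning switch sees only broadcasts and frames flooded before the destination is learned, so it misses the unicast traffic where most attack content travels. Adding a copy-all-frames feed to the sensor's port (a stand-in for the "send copies of all packets to an external engine" behaviour the article attributes to NetSentry; an assumption about how such a feed works, not Nortel's or ISS's design) restores full visibility. The switch, the hosts, their MAC addresses, the frames and the toy "/admin" signature are all constructed for this example.

```python
"""Why a sensor on one switch port sees only part of the traffic, and what a
packet-copying (mirror-style) feed changes.  Everything here is constructed
for illustration; it is not a model of any vendor's product."""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    payload: str   # application data, used by the toy detector below


class LearningSwitch:
    """Minimal MAC-learning switch.

    A frame goes only to the port where its destination MAC was learned;
    broadcasts and unknown destinations are flooded to every other port.
    If mirror_port is set, that port gets a copy of every frame as well
    (assumption: this is how a copy-all feed to an external IDS behaves)."""

    def __init__(self, ports, mirror_port=None):
        self.ports = list(ports)
        self.mirror_port = mirror_port
        self.mac_table = {}                 # MAC -> port it was last seen on
        self.seen = defaultdict(list)       # port -> frames delivered there

    def receive(self, in_port, frame):
        self.mac_table[frame.src] = in_port  # learn the source
        if self.mirror_port is not None:
            self.seen[self.mirror_port].append(frame)   # copy to the sensor
        learned = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or learned is None:
            # flood, but never back to the ingress port or the mirror port
            targets = [p for p in self.ports if p not in (in_port, self.mirror_port)]
        else:
            targets = [learned]
        for port in targets:
            self.seen[port].append(frame)


# Constructed topology: hosts on ports 1-3, the IDS sensor on port 4.
HOST_A, HOST_B, HOST_C = "aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"
SENSOR_PORT = 4

# Constructed traffic: an ARP exchange, then two unicast HTTP requests.
TRAFFIC = [
    (1, Frame(HOST_A, BROADCAST, "arp who-has B")),
    (2, Frame(HOST_B, HOST_A, "arp B is-at aa:00:00:00:00:02")),
    (1, Frame(HOST_A, HOST_B, "GET /login")),
    (3, Frame(HOST_C, HOST_B, "GET /admin")),   # the frame we want to detect
]


def sensor_view(mirror):
    """Frames the sensor on SENSOR_PORT actually receives."""
    switch = LearningSwitch(ports=[1, 2, 3, 4],
                            mirror_port=SENSOR_PORT if mirror else None)
    for in_port, frame in TRAFFIC:
        switch.receive(in_port, frame)
    return switch.seen[SENSOR_PORT]


def coverage(mirror):
    """Fraction of all frames the sensor saw."""
    return len(sensor_view(mirror)) / len(TRAFFIC)


def detections(mirror):
    """Toy signature match: count frames whose payload requests /admin."""
    return sum("/admin" in f.payload for f in sensor_view(mirror))


if __name__ == "__main__":
    for mirror in (False, True):
        mode = "mirror feed" if mirror else "plain port"
        print(f"{mode}: coverage={coverage(mirror):.2f} detections={detections(mirror)}")
```

Run it and the plain-port sensor reports coverage 0.25 (it saw only the ARP broadcast) and zero detections; the mirrored sensor reports coverage 1.00 and one detection. Scaling the frame list up does not change the picture: once the switch has learned every host, a plain-port sensor sees nothing but broadcasts, which is exactly why the article's "one engine per segment or switch port" deployment was the only option before switch-side packet copying.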


> -----Original Message-----
> From:	Jerry Dixon Jr [SMTP:jerry@jdixon.com]
> Sent:	Saturday, March 20, 1999 8:59 AM
> To:	Ids
> Subject:	IDS: Network Intrusion Detection
> ---------------------------------------------------------------------------
> 
> Well, since the list is starting to show signs of life, I figured I'd
> fire something off ;-)
> 
> Basically, I've begun to evaluate IDS products. The problem that we
> are seeing is that we are in the world of fast ethernet and a switched
> topology with multiple VLANs.  These two things do not work well with
> trying to implement an IDS product without getting a box for every
> broadcast domain (essentially a segment).  My question is, does anyone
> know of a solution that would not be cost prohibitive in this
> environment and one that would not degrade performance as well?  We're
> looking at RealSecure, Network Ranger, and CyberCop.  Any input or
> insight would be greatly beneficial to our analysis of IDS.
> 	I'll also go ahead and throw this into the arena: we're utilizing Kane
> for our NT environment for host-level IDS, but the problem we run into
> is that it is consistently two to three days behind churning through
> all the logs.  We have a very large scale NT environment and it is
> only going to continue to grow.  What we are thinking about doing is
> setting up multiple auditor servers to try and split the load up.
> 
> Jerry