Re: IDS: RE: Network Intrusion Detection

John Mayer (jmayer@ods.com)
Tue, 23 Mar 1999 07:26:05 -0600


Corrected version

ODS Networks and ISS have been doing this for a year (by the way, it also
provides FDDI and ATM IDS monitoring) and have a good track record with
customers.  I would go with a company that can already provide a working
IDS solution.

It's funny that the big boys are playing catch-up with the little guy;
all Cisco and Nortel can say is that they're working on it!
Ask the hackers, crackers, and script kiddies to hold their attacks
until Cisco and Nortel are ready!

Check out http://www.ods.com
________________________________________________________________________
> > Jerry,
> >
> >         I've been told by Cisco that they're in planning stages for an
> > integration that would put NetRanger in a strategic logic location to
> > facilitate this - on a card resident in the router, I believe.  I also read
> > that ISS is planning similar RealSecure capability in partnership with
> > Nortel.  I'm pasting in the "InternetWeek" article to support this claim.
> > Good luck.
> >
> >                                 InternetWeek  Nov 23, 1998 p7(1)
> >                                 ------------------------------
> >                                 Security Spans Switch Ports
> >                                 (Nortel Networks, Internet Security Systems
> > Inc will integrate ISS' RealSecure intrusion detection system with Nortel's
> > Passport 6000 switches )(Company Business and Marketing)
> >
> >                                 Author
> >                                 Yasin, Rutrell
> >
> >                                 Full Text
> >                                 Internet Security Systems Inc. and Nortel
> > Networks are working together to give IT managers products that can detect
> > and respond to attacks across switched networks with a single tool.
> >
> >                                 The companies last week said they will
> > integrate ISS' RealSecure intrusion detection system with Nortel's Passport
> > 6000 switches to give IT managers stronger end-to-end network security
> > mechanisms.
> >
> >                                 Processing Power
> >
> >                                 Their alliance is meant to overcome a
> > limitation that's common to widely used network security products: Intrusion
> > detection systems typically have limited processing capacity to analyze the
> > large IP data streams moving through switch ports. As a result, IT managers
> > have been forced to place an intrusion detection engine on every segment or
> > switch port to exert tighter control. But this can be an expensive and
> > cumbersome task.
> >
> >                                 The ISS/Nortel pact, however, will let
> > Nortel users monitor all traffic through the switch with a single RealSecure
> > engine.
> >
> >                                 That's because ISS and Nortel are developing
> > links between RealSecure and NetSentry, which is Passport software that
> > views packets coming through all switch ports. NetSentry can send copies of
> > all packets to an external RealSecure engine, according to Charles Meyers,
> > ISS' vice president of corporate and business development. IT managers can
> > then "see traffic in multiple switch ports, [whereas before] they could only
> > see one segment at a time," he said.
> >
> >                                 Network administrators welcome any security
> > tools that give them a better view of traffic in switched networks.
> >
> >                                 "There's a larger need for something that
> > gathers information across switched ports and VLANs," said Tony Brocato, a
> > senior systems engineer at the Injured Workers Insurance Fund, a user of
> > Cabletron switches.
> >
> >                                 "In a switched environment, you cannot
> > detect intrusions on switch ports unless you are on that port," Brocato
> > said. RMON agent software can be placed on ports to give IT managers some
> > sense of where traffic is coming from and its destination, but there's still
> > a need for tools that "allow [an IT manager] to see what's going on," he
> > said.
> >
> >                                 A bundled software product is slated to
> > debut during the first quarter of 1999, Meyers said. Deeper integration will
> > come in the second half of the year when RealSecure is incorporated into the
> > backplane of Passport switches -- essentially making intrusion detection an
> > integral part of the switch.
> >
> >                                 This higher level of integration will be
> > generic enough so other network vendors can incorporate intrusion detection
> > into their products, according to Meyers.
> >
> >                                 The Nortel pact is part of the Adaptive
> > Network Security Alliance that ISS launched last month.
> >
> >                                 Backed by 40 vendors -- including Compaq,
> > Hewlett-Packard and 3Com -- the alliance will provide users with tools to
> > respond to security breaches quickly and efficiently.
> >
> >                                 SECURING SWITCHED NETWORKS
> >
> >                                 The fusion between ISS's RealSecure
> > intrusion detection system and Nortel's Passport product line will let
> > Nortel users monitor their switched networks for suspicious activity.
> > Details:
> >
> >                                 Q1 1999
> >
> >                                 Vendors will ship a bundled software product
> > that detects attacks from any and all switch ports
> >
> >                                 Q4 1999
> >
> >                                 Tighter integration embeds intrusion
> > detection technology within switched networks
> >
> >                                 Source: ISS
> >
> >                                 Copyright (c) 1998 CMP Media Inc.
> >
> >                                 ------------------------------
> >                                 Company
> >                                 Internet Security Systems Inc.
> >                                 Northern Telecom Ltd.
> >
> >                                 Product
> >                                 RealSecure (Network security software)
> >                                 Northern Telecom Magellan Passport (Network
> > switch)
> >
> >                                 Topic
> >                                 Company licensing agreement
> >                                 Network security software
> >                                 Network switch
> >
> >                                 ******************************
> >                                 Security Spans Switch Ports
> >                                 InternetWeek: Nov 23, 1998
> >                                 COPYRIGHT 1998 CMP Publications, Inc.
> >                                 ******************************
> >
> > -- Jay
> >
> > > -----Original Message-----
> > > From: Jerry Dixon Jr [SMTP:jerry@jdixon.com]
> > > Sent: Saturday, March 20, 1999 8:59 AM
> > > To:   Ids
> > > Subject:      IDS: Network Intrusion Detection
> > >
> > > Well since the list is starting to show signs of life I figured I'll
> > > fire something off ;-)
> > >
> > > Basically I've begun to evaluate IDS products....the problem that we
> > > are seeing is that we are in the world of fast ethernet and a switched
> > > topology with multiple VLANS.  These two things do not work well with
> > > trying to implement an IDS product without getting a box for every
> > > broadcast domain (essentially a segment).  My question is does anyone
> > > know of a solution that would not be cost prohibitive in this
> > > environment and one that would not degrade performance as well.  We're
> > > looking at RealSecure, Network Ranger, and CyberCop.  Any input or
> > > insight would be greatly beneficial to our analysis of IDS.
> > >       I'll also go ahead and throw this into the arena...we're utilizing Kane
> > > for our NT Environment for Host Level IDS but the problem we run into
> > > is that it is consistently two to three days behind churning through
> > > all the logs.  We have a very large scale NT environment and it is
> > > only going to continue to grow.  What we are thinking about doing is
> > > setting up multiple auditor servers to try and split the load up.
> > >
> > > Jerry
> 
>   ------------------------------------------------------------------------
> 
>   John Mayer <jmayer@ods.com>
>   System Engineer
>   ODS Networks