Re: IDS: Security assessment tools

Robert Graham (robert_david_graham@yahoo.com)
Fri, 9 Apr 1999 13:36:55 -0700 (PDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Lister, Justin: "RE: IDS: Security assessment tools"
Previous message: Mahankali, Sridhar: "RE: IDS: Security assessment tools"
Maybe in reply to: Carric Dooley: "IDS: Security assessment tools"
Next in thread: Lister, Justin: "Re: IDS: Security assessment tools"

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicted mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

--- bkho@umac.mo wrote:
> 
> I saw someone wrote that:
> 
> "... To keep an eye on data running over our network, we primarily use ISS's
> Real Secure. It watches the network for certain attack signature,..... Now there
> is one problem that could arise by using RealSecure. Obviously, what it's doing
> is throwing the interface card into promiscuous mode, and sniffing the network.
> Now this works just fine if you're using a standard hub, but if you're using
> switched hub (which prevents sniffing, which is a good thing), RealSecure is
> useless. So, what we did was get an HPSwitch, which will allow switching for
> every port, except a "Master Port" which can be configured to receive all data.
> So, the only machine on our network which can sniff, is the network monitoring
> station. Another alternative to this would be to set up a sort of switch DMZ
> (de-militarized zone), where the data coming in from your router would to to a
> primary un-switched hub, ......."

The lab tests by DataComm magazine http://www.data.com/lab_tests/intrusion.html show that
RealSecure was completely overloaded/blind at data rates at 40-Mbps. Switch backplanes often run
at hundreds of megabites per second. Since these monitor/span ports are only 100-Mbps, they must
discard lots of traffic before passing it to RealSecure, and even then, RealSecure can't handle
the full load. The best probe in that review that kept up with traffic was the NFR-based Anzen
probe, but it only supports a tiny fraction of the signatures that RealSecure detects.

It is a well known problem in the industry that intrusion detection "probes" are not a good
solution for switched environments.

Rob.

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

Next message: Lister, Justin: "RE: IDS: Security assessment tools"
Previous message: Mahankali, Sridhar: "RE: IDS: Security assessment tools"
Maybe in reply to: Carric Dooley: "IDS: Security assessment tools"
Next in thread: Lister, Justin: "Re: IDS: Security assessment tools"