Re: IDS: Security assessment tools

Lister, Justin (justin.lister@csfb.com)
Sun, 11 Apr 1999 12:01:03 +0900

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

> From: dnewman@cmp.com
> To: Robert Graham <robert_david_graham@yahoo.com>
> cc: bkho@umac.mo, ids@uow.edu.au
> Date: Sat, 10 Apr 1999 09:46:48 -0400
> Subject: Re: IDS: Security assessment tools
> 
> As the author of that Data Comm article, I feel compelled to speak up for
> both NFR and RealSecure:
> 
> --NFR can detect an infinite number of attack signatures. The catch is
> that users have to write the detection routines themselves. NFR resellers
> (like Anzen Computing, for example) have made a nice business out of
> developing their own canned routines and bundling these with NFR.
> 
> --RealSecure is only as fast as the driver it sits on. ISS does have
> reseller agreements with a number of box makers, and it may be possible to
> boost RealSecure's detection rate by having the switch filter on some known
> characteristic (TCP port number, say) before passing traffic to a spy port
> and then on to RealSecure.
> 
> But spy ports are a kludgy solution. I completely agree with your main
> observation that point probes are, well, pointless in switched networks.
> I'd love to see more IDS vendors get their code embedded in the ASICs of
> switches. Switches from ODS are there already and it would be great to see
> others.
> 
> Regards,
> David Newman
> Data Communications magazine
> 
> Robert Graham <robert_david_graham@yahoo.com> on 04/09/99 04:36:55 PM
> 
> To:   bkho@umac.mo, ids@uow.edu.au
> cc:
> bcc:  David Newman/NYC/CMPNotes
> Subject:  Re: IDS: Security assessment tools
> 
> --- bkho@umac.mo wrote:
> >
> > I saw someone wrote that:
> >
> > "... To keep an eye on data running over our network, we primarily use
> > ISS's Real Secure. It watches the network for certain attack signatures,.....
> > Now there is one problem that could arise by using RealSecure. Obviously,
> > what it's doing is throwing the interface card into promiscuous mode, and
> > sniffing the network. Now this works just fine if you're using a standard
> > hub, but if you're using a switched hub (which prevents sniffing, which is
> > a good thing), RealSecure is useless. So, what we did was get an HPSwitch,
> > which will allow switching for every port, except a "Master Port" which
> > can be configured to receive all data. So, the only machine on our network
> > which can sniff is the network monitoring station. Another alternative to
> > this would be to set up a sort of switch DMZ (de-militarized zone), where
> > the data coming in from your router would go to a primary un-switched
> > hub, ......."
> 
> The lab tests by DataComm magazine
> (http://www.data.com/lab_tests/intrusion.html) show that RealSecure was
> completely overloaded/blind at data rates of 40 Mbps. Switch backplanes
> often run at hundreds of megabits per second. Since these monitor/span
> ports are only 100 Mbps, they must discard lots of traffic before passing
> it to RealSecure, and even then, RealSecure can't handle the full load. The
> best probe in that review that kept up with traffic was the NFR-based Anzen
> probe, but it only supports a tiny fraction of the signatures that
> RealSecure detects.
> 
> It is a well-known problem in the industry that intrusion detection
> "probes" are not a good solution for switched environments.
> 
> Rob.
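The failure mode the quoted messages describe, a span port or probe that cannot keep up and silently drops packets so the IDS goes blind, can be checked from the sensor's own capture. The following is an added example written for this archive page; it is not code from the thread, from ISS, NFR or Anzen, or from any product named above. It looks for byte ranges in a TCP flow that no captured segment ever covers (after sorting by sequence number, so out-of-order capture and retransmissions are not counted) and compares the load the sensor actually received against a stated sensor limit. The segment records, flow tuples and the `Segment` type are constructed for illustration; the 40 Mbps default is the figure from the quoted lab test, not a property of any current product, and 32-bit sequence wraparound inside the capture window is assumed not to occur.

```python
"""Sensor-visibility check for a passive IDS probe on a span/monitor port.

Added example, not from the thread or any product named in it. If a span
port or sensor cannot keep up, packets are dropped and the IDS is blind
without raising an alarm. From the sensor's own capture, TCP byte ranges
that are never observed in a flow (after sorting by sequence number) show
that segments were missed. Segment data below is constructed.
Assumptions: payload-only sequence ranges, no 32-bit sequence wraparound
within the capture window.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float      # capture timestamp (seconds)
    flow: tuple    # (src_ip, src_port, dst_ip, dst_port), one direction
    seq: int       # TCP sequence number of the first payload byte
    length: int    # payload bytes in this segment


def find_gaps(segments):
    """Return {flow: [(start, end), ...]} byte ranges the sensor never saw.

    Segments are sorted by sequence number first, so out-of-order capture
    and retransmissions are not reported as gaps; only bytes that no
    observed segment covers are.
    """
    by_flow = defaultdict(list)
    for s in segments:
        if s.length > 0:
            by_flow[s.flow].append(s)
    gaps = {}
    for flow, segs in by_flow.items():
        segs.sort(key=lambda s: s.seq)
        covered_upto = segs[0].seq + segs[0].length
        flow_gaps = []
        for s in segs[1:]:
            if s.seq > covered_upto:
                flow_gaps.append((covered_upto, s.seq))
            covered_upto = max(covered_upto, s.seq + s.length)
        if flow_gaps:
            gaps[flow] = flow_gaps
    return gaps


def observed_load_mbps(segments, header_bytes=54):
    """Bits per second actually delivered to the sensor over the capture.

    header_bytes approximates Ethernet+IP+TCP headers per segment. This is
    a lower bound on the offered load: dropped packets are not counted.
    """
    if not segments:
        return 0.0
    window = max(max(s.ts for s in segments) - min(s.ts for s in segments), 1e-6)
    total_bits = sum((s.length + header_bytes) * 8 for s in segments)
    return total_bits / window / 1e6


def visibility_report(segments, sensor_capacity_mbps=40.0):
    """Summarise whether the probe is keeping up.

    The 40 Mbps default is the rate at which the quoted lab test found
    RealSecure overloaded; substitute the measured limit of your sensor.
    """
    gaps = find_gaps(segments)
    missing = sum(end - start for ranges in gaps.values() for start, end in ranges)
    load = observed_load_mbps(segments)
    return {
        "flows_with_gaps": gaps,
        "missing_bytes": missing,
        "observed_mbps": load,
        "over_capacity": load > sensor_capacity_mbps,
        "probably_blind": missing > 0 or load > sensor_capacity_mbps,
    }


# Constructed sample: flow A has a 1460-byte hole (one full segment never
# captured); flow B was captured out of order but is complete.
FLOW_A = ("10.0.0.5", 40001, "10.0.0.9", 80)
FLOW_B = ("10.0.0.7", 40002, "10.0.0.9", 443)
SAMPLE_SEGMENTS = [
    Segment(0.000, FLOW_A, 1000, 1460),
    Segment(0.001, FLOW_A, 2460, 1460),
    Segment(0.002, FLOW_A, 5380, 1460),   # bytes 3920..5380 never seen
    Segment(0.003, FLOW_A, 6840, 500),
    Segment(0.000, FLOW_B, 100, 200),
    Segment(0.004, FLOW_B, 500, 200),     # arrived late, not a gap
    Segment(0.002, FLOW_B, 300, 200),
]

if __name__ == "__main__":
    report = visibility_report(SAMPLE_SEGMENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The gap count is the more trustworthy signal: the observed load can only ever under-report what the switch offered, because whatever the span port or sensor dropped never reaches the capture, so a sensor that looks comfortably under its rated limit can still be missing traffic. Running this over a capture taken while the network is busy gives a defender a concrete answer to the question the thread raises, namely whether the probe behind a span port is actually seeing the flows it is supposed to inspect.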