FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

> From: dnewman@cmp.com
> To: Robert Graham <robert_david_graham@yahoo.com>
> cc: bkho@umac.mo, ids@uow.edu.au
> Date: Sat, 10 Apr 1999 09:46:48 -0400
> Subject: Re: IDS: Security assessment tools
>
> As the author of that Data Comm article, I feel compelled to speak up for
> both NFR and RealSecure:
>
> --NFR can detect an infinite number of attack signatures. The catch is
> that users have to write the detection routines themselves. NFR resellers
> (like Anzen Computing, for example) have made a nice business out of
> developing their own canned routines and bundling these with NFR.
>
> --RealSecure is only as fast as the driver it sits on. ISS does have
> reseller agreements with a number of box makers, and it may be possible to
> boost RealSecure's detection rate by having the switch filter on some known
> characteristic (TCP port number, say) before passing traffic to a spy port
> and then on to RealSecure.
>
> But spy ports are a kludgy solution. I completely agree with your main
> observation that point probes are, well, pointless in switched networks.
> I'd love to see more IDS vendors get their code embedded in the ASICs of
> switches. Switches from ODS are there already and it would be great to see
> others.
>
> Regards,
> David Newman
> Data Communications magazine
>
>
> Robert Graham <robert_david_graham@yahoo.com> on 04/09/99 04:36:55 PM
>
> To: bkho@umac.mo, ids@uow.edu.au
> cc:
> bcc: David Newman/NYC/CMPNotes
> Subject: Re: IDS: Security assessment tools
>
> --- bkho@umac.mo wrote:
> >
> > I saw someone wrote that:
> >
> > "... To keep an eye on data running over our network, we primarily use
> > ISS's Real Secure. It watches the network for certain attack signatures,.....
> > Now there is one problem that could arise by using RealSecure. Obviously,
> > what it's doing is throwing the interface card into promiscuous mode, and
> > sniffing the network. Now this works just fine if you're using a standard
> > hub, but if you're using a switched hub (which prevents sniffing, which is
> > a good thing), RealSecure is useless. So, what we did was get an HPSwitch,
> > which will allow switching for every port, except a "Master Port" which can
> > be configured to receive all data. So, the only machine on our network
> > which can sniff is the network monitoring station. Another alternative to
> > this would be to set up a sort of switch DMZ (de-militarized zone), where
> > the data coming in from your router would go to a primary un-switched hub,
> > ......."
>
> The lab tests by DataComm magazine http://www.data.com/lab_tests/intrusion.html
> show that RealSecure was completely overloaded/blind at data rates of 40-Mbps.
> Switch backplanes often run at hundreds of megabits per second. Since these
> monitor/span ports are only 100-Mbps, they must discard lots of traffic before
> passing it to RealSecure, and even then, RealSecure can't handle the full load.
> The best probe in that review that kept up with traffic was the NFR-based Anzen
> probe, but it only supports a tiny fraction of the signatures that RealSecure
> detects.
>
> It is a well known problem in the industry that intrusion detection "probes"
> are not a good solution for switched environments.
>
> Rob.
>
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com