Intrusion Detection Systems
mailing list archives
Re: RE: Info needed to compare Axent ITA and ISS RealSecure
From: gshipley () neohapsis com (Greg Shipley)
Date: Thu, 06 Jul 2000 12:24:59 -1000
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
At 03:03 PM 7/6/00 -0500, Thomas H. Ptacek wrote:
> On Wed, Jul 05, 2000 at 07:23:18PM -0500, Greg Shipley wrote:
> > - While everyone always jumps all over my butt about not asking about
> > other TCP/session/stream problems NIDS face, this is usually a good acid
> > test: Does NetProwler v3.5 do frag re-assembly?
> How is this a good acid test? Wouldn't a better, simpler, less technical
> acid test be whether it can be circumvented with something like
> fragrouter (which performs multiple tests and provides a marketing-proof
> true/false answer rather than a bullet-point feature claim)?
> It's been, what, 3 years now, and we can still walk right through most (if
> not all) of these systems. Doesn't this indicate that our testing
> methodology is flawed?
> Sorry for the rare outburst. Your question ("does it do frag reassembly")
> is NOT the same as "is it immune to fragrouter".
Hey! I thought you weren't hanging out in this scene anymore! :)
*YOU*, SPECIFICALLY, are the person I was referring to in my "everyone
jumps all over my butt" statement, and then you come out of the woodwork
and zing me on it. Damn it. I thought I was safe from you on this
list. Crap - foiled again! :)
Ok, let me clarify - I ask "the" question (and know that I always verify
the answer with fragrouter - I've had ISS try and BS me before) because it
separates the men from the boys. Case in point: turn back the dial to June
of 1999 when I was ramping up my last round of tests. The players:
- Axent
- ISS
- NSW
- NFR
- NetworkICE
- CyberSafe
- Cisco
Only three of them did frag re-assembly (NFR, Dragon (NSW), and
BlackICE). Ok, ok, I *know* there are more problems than just IP
fragmentation re-assembly. HOWEVER, out of those three ALL THREE were
either addressing many of the other problems, or working on the other
problems, or at least CONSCIOUS of the other problems.
The "frag question" is not a litmus test of whether or not the vendor has
the best and strongest NIDS. Fragrouter tests, IMHO, are not the end-all
test either. But the question DOES seem to separate those that are DEALING
WITH and ADDRESSING some of the issues from those that have been flat-out
ignoring them. Do you see where I'm coming from?
It's a starting point, and has been an easy separator. Maybe I need to
move on this year with some more strict/detailed comparisons... we'll see.
As a side note, in my testing with fragrouter simple fragmentation (the B1
switch? Shite - I forget, I'm away from my equipment right now) almost
ALWAYS gets interpreted properly by the end (read: target) node. HOWEVER,
some of those other packet mangling and sequencing tricks DO NOT. I
repeat, NOT ALL HOSTS re-assemble/construct/sequence those other fragrouter
techniques properly, therefore you render the attack and the communication
useless...but that's beyond the scope of this e-mail (but an interesting
topic, nonetheless) so let me leave this alone for now.
My short answer is: you are right, the frag re-assembly question is not the
end-all litmus test. But it has been one that I've been able to easily use
for the past two and a half years. BELIEVE ME, for the sake of the whole
IDS scene, I hope this "test" becomes obsolete soon.
Make sense?
So, the question still remains: does NetProwler do frag re-assembly in
v3.5? :)
Thanks,
-Greg
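To make the "frag question" concrete, here is an added example (mine, not code from the thread or from any vendor named in it): a toy IPv4 fragment reassembler, with a signature check run once per fragment and once on the rebuilt datagram, plus an alert when overlapping fragments disagree. All fragments, the signature string and the byte-offset convention are constructed for the example.

```python
# Added example, not code from the thread: a minimal IPv4 fragment reassembler
# showing why a NIDS must rebuild the datagram before signature matching, and
# flagging overlapping fragments whose bytes disagree (a classic evasion sign).
# Fragments are constructed; offsets are in bytes, not 8-byte units, for brevity.
from typing import Dict, List, NamedTuple, Optional, Tuple


class Fragment(NamedTuple):
    ident: int     # IP identification shared by all pieces of one datagram
    offset: int    # byte offset of this piece within the original payload
    more: bool     # "more fragments" flag; False marks the last piece
    data: bytes


def reassemble(frags: List[Fragment]) -> Tuple[Optional[bytes], List[str]]:
    """Return (payload, alerts); payload is None when pieces are missing."""
    alerts: List[str] = []
    buf: Dict[int, int] = {}      # byte index -> value; first writer wins
    total: Optional[int] = None
    for f in sorted(frags, key=lambda x: x.offset):
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in buf and buf[pos] != b:
                alerts.append(f"overlap conflict at byte {pos} (id={f.ident})")
            buf.setdefault(pos, b)
        if not f.more:
            total = f.offset + len(f.data)
    if total is None or any(i not in buf for i in range(total)):
        alerts.append("incomplete datagram")
        return None, alerts
    return bytes(buf[i] for i in range(total)), alerts


def matches_per_fragment(frags: List[Fragment], sig: bytes) -> bool:
    """Naive NIDS: inspects each fragment on its own, so a split signature is missed."""
    return any(sig in f.data for f in frags)


def matches_reassembled(frags: List[Fragment], sig: bytes) -> bool:
    """Reassembling NIDS: inspects the rebuilt payload."""
    payload, _ = reassemble(frags)
    return payload is not None and sig in payload


# Constructed samples. SPLIT straddles the signature across two fragments;
# CONFLICT has two fragments claiming bytes 4-5 with different contents.
SIG = b"/cgi-bin/evil"
SPLIT = [Fragment(7, 0, True, b"GET /cgi-"), Fragment(7, 9, False, b"bin/evil HTTP/1.0\r\n")]
CONFLICT = [Fragment(8, 0, True, b"GET /x"), Fragment(8, 4, False, b"AB HTTP/1.0\r\n")]
```

The per-fragment check misses SIG on SPLIT while the reassembled check finds it, which is exactly the gap the question probes; CONFLICT shows the second thing a reassembling sensor should do, which is alert rather than silently pick one of two disagreeing overlaps.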