Intrusion Detection Systems
mailing list archives
RE: Ramping up for another review
From: CKlaus () iss net (Klaus, Chris (ISSAtlanta))
Date: Mon, 10 Jul 2000 14:43:30 -0400
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Greg,
Disclaimer: I work for Internet Security Systems. :-)
RS 5.0 is off to the CD presses. You will probably want to get a copy of
that. I'm sure our RS team will help you in any way possible. RS 5.0 gives
RealSecure the ability for rapid updates of new attack signatures (X-Press
Updates), adds RS host agents for HPUX and AIX, and fixes the
fragrouter test issues.
We are starting to integrate the policy enforcement technology (our
scanners) into IDS. For example, Internet Scanner 6.1 scans for backdoors
and when it detects a policy violation, it sends an alert to the RS console as
part of the overall solution. Correlating and combining the IDS and VA
(vulnerability assessment) data into a single view is critical for overall
security risk management.
We have several additional products for IDS that you may want to consider in
your review:
Checkpoint RealSecure - leverages FW-1 & OPSEC features.
RS Nokia Appliance (shipping end of this month).
RS HP Openview and RS Tivoli (shipping now).
Some questions for the review:
How well does each IDS solution integrate both host and network IDS together?
How well does each IDS solution integrate into system and network management
frameworks?
Glad to see you indicated you will be including Decisions. This is really
more than an IDS solution; it has two key components, 1) a centralized
consolidated enterprise security repository database (ORCL or MSSQL) with
input agents from IDS, firewalls, Unix/NT logs, scanners, PKI, etc. and 2) an
analysis application with automatic report generation and an interactive web
query interface. Deploying this across a large network requires more
effort, as it's really geared towards enterprises. As companies are
beginning to collect all their security data into centralized repositories,
where the collected data can easily become gigabytes, having a DBA (database
admin) on the security team becomes useful, both for tuning the performance
of the database and for protecting all the e-biz application databases
(which are usually wide open!). But having this capability is giving many
companies the insight into what's happening at a macro level to make good
security decisions, and some industries like the financial industry
have a legal obligation to keep their security logs for some amount of time.
IDS is very difficult to implement and operationalize successfully,
especially for the first time customer. We are seeing a trend where a
growing number of customers expect more than just technology from a security
vendor. They are looking for a full solution from their security partner.
You may want to cover some key attributes to look for from a security
partner:
Do they have a dedicated security research team?
Do they offer additional technology for security risk management beyond IDS?
Do they offer security classes on IDS and additional security areas?
Do they offer consulting for strategic design and deployment of an IDS
solution?
Do they offer Emergency Response Services (911) in case of an attack and
compromise?
Do they offer managed security services (where firewalls & IDS are remotely
monitored) with SOCs (security operation centers)?
Do they offer hacker insurance coverage to further protect your e-business
infrastructure?
For a multi-national company buying IDS, does your security partner have a
local presence and office in key regions to help support and localize the
technology? For example, not a lot of people speak English in China and
Japan, so converting IDS output and manuals to kanji helps support the local
branches there.
Before you deploy IDS, we recommend starting with a security assessment, not
only to find out how good your security is and start to fix all the major
gaping holes in your network, but also because it helps determine the best
locations for IDS sensors. Does your security partner offer security
assessments and penetration tests as part of the solution? We now have over
100 ISS consultants in the field and are hiring rapidly to keep up with the
security assessment demand.
Not sure if you want to go beyond the scope of pure technology, but these
are some of the things that a buyer may want to consider when they look for
an IDS solution.
Good luck.
chris
-----Original Message-----
From: Greg Shipley [mailto:gshipley () neohapsis com]
Sent: Wednesday, July 05, 2000 7:43 AM
To: ids () uow edu au
Subject: IDS: Ramping up for another review
Ok, it's that time again. Time when I go stock up on Red Bull, re-tool the
Network Computing Chicago lab, get some serious IDS products in and start
going to town. This year it's going to be a little different, however, as
I'm going to be doing this "review" in stages, and this field has gotten
way too big to a) compare all of these products as apples to apples and b)
cover all of the topic areas in under 5,000 words.

Yup - time for another round of IDS reviewing. I'm thinking of sending
invite letters to the following:

Network Security Wizards:
- the Dragon "suite"
ISS
- RealSecure
- Decisions
Axent
- NetProwler
- Intruder Alert
NAI
- Cybercop monitor
Cisco
- NetRanger
- What's in the IOS builds
Hiverworld
- forget the name, but it looks and sounds cool
NFR
Intrusion.com (was ODS)
- the Kane stuff (was CMDS, and some others)
NetworkICE
- BlackICE
CyberSafe
- Centrax

So my question is - am I missing anyone? (and don't say SNORT - I'm on
that, but it doesn't quite fit here). Also, I asked this last year and no
one responded: what do you guys want to see covered that hasn't been in the
past?

Feedback wanted,
-Greg