Intrusion Detection Systems: Re: IDS Comparison

From: Jackie Chan <blue0ne_at_igloo.org>
Date: Sat, 4 Mar 2000 23:19:57 -0500 (EST)

Marcus,
        There is another reason as to why people purchase RealSecure. It
seems that there is a genuine lack of knowledgeable folks out there. There
is a much higher learning curve with products such as NFR and
Dragon. RealSecure has been developed to look like every other App on the
market so people seem to be drawn to its familiarity.

Personally I believe the IDS list can be put to much better use than an
after work mud wrestling pit for Executives from Vendor
corporations.

blue0ne

On Sat, 4 Mar 2000, Marcus J. Ranum wrote:

> Robert Graham writes:
> >Now, their ISS Scanner is very good and they have lots of good people working
> >there, but RealSecure is a script-kiddy IDS. Lots of people have been fooled
> >into thinking that it will protect them from hackers who use things like
> >fragrouter or whisker. In reality, a hacker can easily evade the system and
> >completely hack your webserver without RealSecure telling you what is
> >going on.
>
> The people who buy RealSecure and NetRanger don't buy it because
> they are the kind of sophisticated IDS users who read this list.
> They buy it because their CTO has seen an ISS glossy at a conference
> and said, "this sounds good!" or has heard of Cisco and thinks
> their expertise in router-building applies to security as well.
> They don't understand the technology, nor do they care to, since
> it would embarrass them to subsequently have to explain that ISS'
> product can't even detect an ISS scan run against it through
> fragrouter, or that Cisco's NetRanger team is a tiny handful of
> guys, virtually all of the original developers having cashed out
> and left when Wheelgroup was acquired.
>
> >PS: If anybody buys NetRanger or RealSecure with the knowledge it can be evaded
> >by hackers, could you please send me e-mail and explain why?
>
> I've had the opportunity to ask similar questions of NetRanger and RealSecure
> customers, and their answer is usually, "our consultants told our CTO that
> that was the product to buy so we did."
>
> NetRanger and RealSecure customers that are aware of the fatal flaws in
> the product usually shrug them off by saying, "it'll get fixed eventually."
> I guess that's true. 2 years after products like NFR were doing full TCP
> reassembly, ISS has announced they'll have a limited version of TCP
> reassembly in Q2. Cisco is silent. If those guys are so slow to respond to
> glaring holes in their products, ask yourself what's still missing! Those
> guys may get around to adding field programmability and tamper-proof
> operation before we're all old and retired - but don't bet on it.
>
> mjr.
>
Received on Mar 05 2000
