Intrusion Detection Systems mailing list archives
RE: RE: IDS taps in a switched network (The right tools for the job)
From: gshipley () neohapsis com (Greg Shipley)
Date: Fri, 12 Nov 1999 01:16:59 -0600 (CST)
On Sun, 7 Nov 1999, Marcus J. Ranum wrote:
> Will that version do TCP reassembly and sequence tracking? I have wondered if someone would ever try to push that into a router. My
Not that I know of. Er, hell, I just assumed no. I mean, NetRanger won't even do re-assembly, so I guess it's a safe assumption. I'll double check though.
> We were able to boot an NFR appliance CDROM on one of the ODS devices. That was a huge surprise for us, since it was a version that only would listen for an Intel Etherexpress Pro 10/100 card on a generic Intel motherboard. It turns out that the "inspection unit" is a PC with a NIC and there's a very short wire connecting it to a span port inside. I'd be surprised if they don't do something
Right - that's what I saw. They basically OEM routers, switches, and workstations and rack 'em all into one unit. Cool, but nothing that out of the ordinary - yet. We'll see what they do.
> the product. That way you'll get a feeling for what it does when it's installed the way many sites will install it. Of course, this also means that an unscrupulous vendor could play games with their default configuration that would make it look better on paper. I can think of lots of ways someone could do that. :( Benchmarks can be cooked even without having to lift a finger.
Right - which is why I try to make sure the deployment is reasonable, and isn't just a fresh install. But this can be messy. The other problem is that this isn't how *most* security-minded admins operate. At least, I hope not! :) I mean, perhaps with MS Office you can assume that it should work great out of the box. But I like to think that people in the security community are a little beyond the "install and drop" method of deployment. I could very well be wrong, but so far that isn't what I run into *most* of the time in the field. It's tough either way, but if I can stay objective and still get close to the way people deploy it, I think it's pretty fair.
> There's a few other problems - what about anomalous conditions? NFR's latest set of filters (we've got about 400 checks in 4.0 and another 400 coming in 4.1 real soon now) checks not just for known problems, but for things that could indicate a known problem. I'm not sure whether this is "anomaly detection" or "misuse detection" - it's more like "protocol boundary checks"
Yeah - and a lot of the cool stuff, particularly in NFR, IS NOT in the other ID products. So even if the ID vendors build in checks for every network-based attack in the CVE, these (or the DNS stats, mail stats, etc.) go beyond this. They are kind of like bonus sigs... and it's not really easy to classify and file them. Yup. Can't really categorize those. If anyone wants to check it (the review) out, it's on-line now at: http://www.networkcomputing.com/1023/1023f1.html I welcome any comments, -Greg
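The exchange above asks whether an IDS does TCP reassembly and sequence tracking, and later mentions "protocol boundary checks". The following is an added example, written for this archive page and not code from NFR, NetRanger, or either poster: a minimal stream reassembler run over constructed segments, showing that a matcher that inspects each packet on its own misses a pattern split across two segments, while a sequence-tracking reassembler recovers it even when segments arrive out of order or are retransmitted. The signature string, the sample request, the initial sequence number, and the request-line check are all assumptions chosen for illustration.

```python
# Added example (not from the original thread): why TCP reassembly and
# sequence tracking matter to a network IDS. A per-packet matcher misses a
# signature that straddles a segment boundary; a stream reassembler that
# tracks sequence numbers does not, even when segments arrive out of order
# or are retransmitted. Signature, request and sequence numbers are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Assumed signature; stands in for a known-attack pattern, not a real filter.
SIGNATURE = b"/cgi-bin/phf"


def per_packet_match(segments, signature=SIGNATURE):
    """Inspect each segment in isolation, as an IDS without reassembly would."""
    return any(signature in s.payload for s in segments)


class StreamReassembler:
    """Reassemble one direction of a TCP stream from its initial sequence number."""

    def __init__(self, isn):
        self.next_seq = isn          # next in-order byte we expect
        self.pending = []            # segments that arrived early or overlapping
        self.data = bytearray()      # contiguous, in-order payload so far

    def add(self, seg):
        self.pending.append(seg)
        self._drain()

    def _drain(self):
        # Deliver every pending segment that now fits at next_seq; trim any
        # prefix already delivered (retransmission or partial overlap), so
        # the first copy delivered wins for overlapping bytes.
        progressed = True
        while progressed:
            progressed = False
            for seg in list(self.pending):
                end = seg.seq + len(seg.payload)
                if end <= self.next_seq:
                    self.pending.remove(seg)         # entirely old data
                elif seg.seq <= self.next_seq:
                    self.data += seg.payload[self.next_seq - seg.seq:]
                    self.next_seq = end
                    self.pending.remove(seg)
                    progressed = True

    def gaps(self):
        """Sequence numbers still waiting on earlier bytes (holes in the stream)."""
        return sorted(s.seq for s in self.pending)


def reassembled_match(segments, isn, signature=SIGNATURE):
    """Track sequence numbers, rebuild the stream, then match on the stream."""
    r = StreamReassembler(isn)
    for seg in segments:
        r.add(seg)
    return signature in r.data, bytes(r.data), r.gaps()


def request_line_length(stream):
    """A 'protocol boundary' style check: length of the first HTTP request line.

    Returns None while the line is not yet complete, so a caller can tell
    'too long' from 'not enough data yet'."""
    line, sep, _ = stream.partition(b"\r\n")
    return len(line) if sep else None


# Constructed sample traffic (not a capture): one HTTP request split so the
# signature straddles two segments, delivered out of order, then retransmitted.
ISN = 1000
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"
CUTS = [(0, 10), (10, 25), (25, len(REQUEST))]
ORDERED = [Segment(ISN + a, REQUEST[a:b]) for a, b in CUTS]
SAMPLE = [ORDERED[2], ORDERED[0], ORDERED[1], ORDERED[0]]   # early, late, dup


if __name__ == "__main__":
    print("per-packet match:", per_packet_match(SAMPLE))
    hit, stream, gaps = reassembled_match(SAMPLE, ISN)
    print("reassembled match:", hit, "gaps:", gaps)
    print("request line length:", request_line_length(stream))
```

Two caveats a practitioner would add. First, the reassembler's "first copy wins" handling of overlapping bytes is only one policy; real TCP stacks differ in which copy of an overlapping retransmission they keep, and an IDS that resolves overlaps differently from the end host can be made to see a different stream than the host does (the insertion/evasion problem described by Ptacek and Newsham in 1998). Second, `gaps()` is what a sequence-tracking sensor needs in order to say "I have not seen this whole stream" rather than silently matching on the fragments it happens to have.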