Intrusion Detection Systems mailing list archives
Re: IDS Testing (WAS: Re: kernel implementations)
From: Mark Teicher <mark.teicher () networkice com>
Date: Mon, 24 Jul 2000 20:11:23 -0700
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------

At 06:29 PM 7/24/00 +0100, Talisker wrote:
> > - Speed
> > - Accuracy
> > - Response Latency
> > - Overhead
> > - Noise
> > - Stimulus Load
> > - Variability
> > - Usability
>
> Greg, I like your criteria a lot. I'd like to add a few things that are down on the list of importance. Whilst I hate to use the C word, how about Cost? I often see this as the bottom line and have to compromise most other things to meet it. Much as I want to recommend a Rolls Royce solution, if the budget will only stretch to a Trabant then that's all they can have.
Cost should not be used as a criterion to evaluate the varying differences in IDS. Cost is a management/executive decision. Basically they say to themselves, if they have x and the choices are the following:

1. A Cadillac with lots of armor plating and bulletproof tires (can withstand a direct grenade hit)
2. An Austin-Healey with a bulletproof rear windshield, or
3. A Pinto that has a cardboard cutout of an Audi on top of it; it can take one or two shots, but if it rains the cardboard gets soggy, or if it is real windy, the cardboard flies away.
Cost should be a concern when evaluating an IDS system. Cost again is a management decision: spend the least amount of money on something that won't get obsoleted in two months or 3 months.. :)
> Presentation of alerts: HTML seems to be becoming more popular; call me old fashioned, but I like the way a GUI frontend can put more data on the screen.
>
> Ability to write one's own signatures
More of the learning curve: ease of writing one's own signatures. Every single IDS product has the ability for an administrator or someone knowledgeable to craft their own IDS signature. It really is the learning curve it takes a savvy administrator to learn the differences in N-Code, Axent verbiage, and ISS Connection/User Defined, etc. N-Code, for a savvy user, takes about 3 months to learn, about 9 months to master and about a year to code at MJR's cat level. ISS Connection/User Defined: days to figure out, months to muck it up, and many months to maintain or clean up, since RealSecure updates/obsoletes/renames signatures on a quarterly basis. Axent, well, according to their website they update quarterly, but the last update was quite some time ago, prior to the latest 3.5 release.
> Features: The biggest feature one should be observant of: does the IDS do its job? Can one use common kiddie scripts and see the alert in the display or display the event from the database? What parameters are recorded (i.e. the details)? There's a few other things but I'm already starting to sound like a wish list. I put a "possible Features" list together some time ago and put it on the NIDS page; some of the things seem a little lame now in retrospect, but..... www.networkintrusion.co.uk net ids (the direct link isn't working at the moment)
Basically, you know how to drive a car; fundamentally there is no difference in driving a Cadillac, an Austin-Healey or a Pinto. Of course, the ride is smooth in the Cadillac, a little noisy in the Austin-Healey, and possibly quite dangerous in the Pinto. But driving is the same. Turn the key, aim the car and go.. Well, just don't get rear-ended in the Pinto and make sure the cardboard stays duct-taped to the car.
