Intrusion Detection Systems mailing list archives
Re: IDS Comparison
From: mjr () nfr net (Marcus J. Ranum)
Date: Sat, 04 Mar 2000 11:05:27 -0500
Robert Graham writes:
Now, their ISS Scanner is very good and they have lots of good people working there, but RealSecure is a script-kiddy IDS. Lots of people have been fooled into thinking that it will protect them from hackers who use things like fragrouter or whisker. In reality, a hacker can easily evade the system and completely hack your webserver without RealSecure telling you what is going on.
The people who buy RealSecure and NetRanger don't buy it because they are the kind of sophisticated IDS users who read this list. They buy it because their CTO has seen an ISS glossy at a conference and said, "this sounds good!" or has heard of Cisco and thinks their expertise in router-building applies to security as well. They don't understand the technology, nor do they care to, since it would embarrass them to subsequently have to explain that ISS' product can't even detect an ISS scan run against it through fragrouter, or that Cisco's NetRanger team is a tiny handful of guys, virtually all of the original developers having cashed out and left when Wheelgroup was acquired.
PS: If anybody buys NetRanger or RealSecure with the knowledge it can be evaded by hackers, could you please send me e-mail and explain why?
I've had the opportunity to ask similar questions of NetRanger and RealSecure customers, and their answer is usually, "our consultants told our CTO that that was the product to buy so we did." NetRanger and RealSecure customers that are aware of the fatal flaws in the product usually shrug them off by saying, "it'll get fixed eventually." I guess that's true. 2 years after products like NFR were doing full TCP reassembly, ISS has announced they'll have a limited version of TCP reassembly in Q2. Cisco is silent. If those guys are so slow to respond to glaring holes in their products, ask yourself what's still missing! Those guys may get around to adding field programmability and tamper-proof operation before we're all old and retired - but don't bet on it.
mjr.
