Intrusion Detection Systems mailing list archives

Re: IDS Comparison


From: gshipley () neohapsis com (Greg Shipley)
Date: Sat, 4 Mar 2000 12:24:59 -0600 (CST)




On Fri, 3 Mar 2000, Bryan Nairn wrote:

> Here are a few thoughts I have on NetRanger and RealSecure.
>
> NetRanger is highly configurable.  More so than RealSecure.  Each has
> a number of configurability options, but I've found Cisco's product to
> be more robust. NetRanger can handle a high level of network
> throughput.  I've seen NetRanger Sensors operate smoothly in a 100Mbps
> environment.  ISS will admit to you that once you go over 30Mbps the
> device has trouble keeping up, and that the upper threshold is around
> 65Mbps.

Two other things to toss in:

1. While RealSecure plans on having (see John's post) the ability to do
fragmentation re-assembly in Q2, it DOES NOT DO THIS right now.  Fire up
Dug Song's fragrouter and you will fly right past the thing - it's blind.
But to be fair, neither does NetRanger.  Only a few IDS products do frag
re-assembly (Dragon, NFR, BlackICE, etc.).  Without that, it's trivial to
float a LOT of attacks past these things....unnoticed.  People on this
list who know me probably think I'm obsessed with this issue, but our
company has been doing a lot more pen-testing lately, and let me tell you,
this lets us float past just about EVERYTHING.

2. You really have to think about how an ID product will fit into your
environment, and what you want to use it for.  The ID market, IMHO, is not
at a point where you can go "Vendor _____ is best."  It depends on what
you want to use it for, and what your admins are up for.  A bunch of NT
admins that are GUI slaves aren't going to adapt to products like Dragon
or NetRanger as easily as they will to RealSecure.  At the same time, if
you've got a bunch of script jockeys, they'll probably prefer NetRanger to
RealSecure.

> How do you feel about cost?  NetRanger sells their sensor as an
> appliance and is quite expensive.  RealSecure is sold as software.
> You'll need to come up with your own hardware.  Make sure the hardware
> is scalable and beefy, as I've noticed the RealSecure console to be a
> bit of a resource hog.  Also consider that NetRanger, to my current
> knowledge, is completely Unix based.  Sun x86 on the sensors and Sun
> Sparc on the director.  ISS is more versatile here.  The console must
> be run on an NT platform, but the sensor can be run on a number of
> architectures.

Yeah - that's correct: NetRanger is UNIX based, although there is rumored
to be an NT port coming our way (here?) soon....  The NetRanger sensors
run between (last I checked) $20k and $22k (US dollars) per sensor.
That's for, essentially, a Pentium-II (III now?  dunno) based Intel
machine running Solaris x86 and the NetRanger software.  Last I checked
RealSecure ran about $10k for a network "engine" and a single console.
So, unless you drop $10k+ on your Intel boxes, it's obvious which one is
cheaper.

> Here is the biggest disparity between Cisco and ISS.  Cisco's
> reporting is terrible.  ISS reporting is fairly robust.  In a Cisco
> Secure IDS environment it's best to run an Oracle back end and push
> all your log files to it.  Cisco has developed some of the schema for
> this, but it's pretty weak.  Another bet is adding on NetForensics
> from NetCom to the Oracle back end.  This fills out the reporting
> deficiencies of a Cisco Secure IDS solution, but at a serious price
> differential.  ISS has tons of reporting built into the product.  You
> can run canned reports and output them into a number of different file
> formats.

Agreed. And I'd like to add one more thing here: until Cisco ships their
new interface, you are stuck with HP Openview.  If you like OpenView, god
bless you and you'll be ok.  If you're anything like me, I'll use a
command-line interface with the Russian character set before using
OpenView.  Yuck.  I hate OpenView.

Also, IMHO, you'd be silly to look at NetRanger without looking at Dragon:

http://www.securitywizards.com/

Dragon has proven to be more robust under-the-hood and has a MUCH LARGER
signature base, but is not as polished as RealSecure.  However, IMHO it is
easier to use and more flexible than NetRanger.

Hope this helps,

-Greg
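The fragmentation point Greg makes above (a sensor that matches signatures against each IP fragment in isolation is blind to what tools like fragrouter do) can be seen in a small model. The following is an added example, not code from the original thread or from any of the products discussed: a toy Python reassembler and two matchers, one per-fragment and one post-reassembly. It goes slightly beyond the post by also showing overlapping fragments, where the reassembled bytes depend on whether the first or the last copy of a byte range wins. The HTTP request, the signature string, the fragment layout and the "first"/"last" overlap policies are constructed for illustration and do not describe the behaviour of any particular OS or sensor.

```python
"""
Toy model of IP-fragment evasion against a signature-based network IDS.

Constructed example (not from the mailing-list post or any product it
names). A datagram is modelled as a list of (offset, payload) fragments;
IP headers, MF flags, checksums and timers are deliberately omitted.
"""
from typing import Iterable, List, Tuple

Fragment = Tuple[int, bytes]   # (byte offset within the datagram, payload bytes)

# Sample signature: a classic late-1990s CGI attack string, chosen for illustration.
SIGNATURE = b"/cgi-bin/phf"


def fragment(payload: bytes, size: int) -> List[Fragment]:
    """Split a datagram payload into consecutive `size`-byte fragments
    (the effect of fragrouter-style tiny fragmentation, modelled here)."""
    if size <= 0:
        raise ValueError("fragment size must be positive")
    return [(off, payload[off:off + size]) for off in range(0, len(payload), size)]


def naive_match(fragments: Iterable[Fragment], signature: bytes) -> bool:
    """Sensor with no reassembly: inspects each fragment's bytes on their own."""
    return any(signature in data for _, data in fragments)


def reassemble(fragments: Iterable[Fragment], policy: str = "first") -> bytes:
    """Rebuild the datagram from its fragments.

    `policy` decides which data wins when two fragments cover the same bytes:
    'first' keeps the bytes already seen, 'last' lets later fragments overwrite.
    Real IP stacks differ on this, which is why a sensor must reassemble the
    way the *target* host does; this toy just makes the difference visible.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = bytearray()
    seen = bytearray()          # 1 where that byte position has been filled
    for off, data in fragments:
        end = off + len(data)
        if end > len(buf):      # grow the buffer to cover this fragment
            buf.extend(b"\x00" * (end - len(buf)))
            seen.extend(b"\x00" * (end - len(seen)))
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
                seen[pos] = 1
    if not all(seen):
        raise ValueError("gap in fragment coverage; datagram incomplete")
    return bytes(buf)


def reassembling_match(fragments: Iterable[Fragment], signature: bytes,
                       policy: str = "first") -> bool:
    """Sensor that reassembles before matching."""
    return signature in reassemble(list(fragments), policy)


# Sample 1 (constructed): the attack request, then the same request cut into
# 8-byte fragments so the 12-byte signature never sits inside one fragment.
REQUEST = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"
SMALL_FRAGS = fragment(REQUEST, 8)

# Sample 2 (constructed): overlapping fragments. Bytes 8..15 are sent twice,
# first as the harmless "-bin/ls " and then again as "-bin/phf".
OVERLAP_FRAGS: List[Fragment] = [
    (0, b"GET /cgi"),
    (8, b"-bin/ls "),        # decoy copy of [8, 16)
    (8, b"-bin/phf"),        # second copy of the same range
    (16, b" HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print("8-byte fragments, per-fragment match :", naive_match(SMALL_FRAGS, SIGNATURE))
    print("8-byte fragments, reassembled match  :", reassembling_match(SMALL_FRAGS, SIGNATURE))
    for pol in ("first", "last"):
        print(f"overlap, policy={pol:5}: {reassemble(OVERLAP_FRAGS, pol)!r}")
```

Running it shows the two failure modes separately: with plain 8-byte fragments the per-fragment matcher never sees the whole signature while the reassembling matcher does, and with the overlapping sample the reassembled request reads `.../cgi-bin/ls ...` under a first-wins policy but `.../cgi-bin/phf ...` under last-wins, so even a reassembling sensor alerts only if its overlap policy agrees with the destination host's.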


