Intrusion Detection Systems mailing list archives

Re: SessionWall3


From: Talisker () technologist com (Talisker)
Date: Sun, 26 Mar 2000 19:45:05 +0100


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Sarunas

I will try to tell you what I can remember about SW3; please bear in mind,
though, that I'm sat at home and the kids are whinging about Pokemon, so I
might miss some of the points.  If you need more information over and above
what I can write here, write back.  I first evaluated SW3, which
incidentally is now called E-trust IDS, some 2 years ago when it was sold as
a net nanny; it was on a par with Kansmen Little Brother, except that what
set it ahead was that it had a few additional IDS features.

Since then SW3 (I find it hard to call it E-trust IDS) has developed
considerably into a very interesting tool.  It is easy to install, configure
and update.
It has a nice GUI, that is easily understood and explains any alerts
adequately.
SW3 has a huge arsenal of alerting methods and its rule creation element is
a dream (reminiscent of FW-1): setting times, excluding certain users etc.
Defining network objects such as NT users and IP ranges is also very nice and
well within the capabilities of a houseplant.
OK, so that's the bodywork, dashboard and ergonomics sorted; now let's look
under the bonnet (hood to those from the US).  There is no facility to edit
the IP header signatures, it's all or nothing.  So your MAC spoofing, SYN
attacks etc. can't be fine-tuned to your environment.  The general signatures
seem to be port number and data field specific, i.e. if port 31337 and data
payload contains "  " then alert.  It doesn't appear to look at the IP
header at all for additional evidence, flags and sequence numbers (that is,
except for the port).  I found the false positives to be high.
Conversely, when I installed it on a small autonomous development network it
had no false positives.
There is currently no parser for MS Exchange, so e-mail content monitoring
is difficult on some networks.
In certain situations I would like the NIDS to hoover up everything; SW3
doesn't have that capability.

SW3's central console connects to the agent using Carbon Copy remote control,
I seem to remember that Carbon Copy has some vulnerabilities though I can't
be certain.  Needless to say it lasted a few days then I tried something
else.

Access to the agent software is protected by a password; however, there is
already a crack for this on the Internet.  So ensure the agent is offered
suitable protection.

The agent can operate in stealth mode though I never tried it.

I doubt that SW3 can refragment packets.

Overall, I liked SW3 but wouldn't consider it to be a premier network IDS.
If defence in depth is your aim then there may be a place for it on the
internal networks to ensure user discipline, offer a second line of defence
and offer some protection from back doors.  It should be noted that Computer
Associates have only just bought this product and intend to throw a lot of
development at it.  There are a lot of fixes for the above in the pipeline.
Also please bear in mind that I only evaluated it, admittedly 3 times over
30 months, the last evaluation over a few months, with a few other products.

Take a look at what I consider could be included in a network IDS,
prioritise them in order of importance then find the tool that best fits
your needs.

www.internations.net/uk/talisker/nids_features

Take Care and choose carefully

Andy

The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.
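The post describes SW3's rules as "port plus payload" matches that ignore header flags and sequence numbers, and doubts the product reassembles fragmented traffic. The Python below is an added illustration of why that matters for false positives and misses; it is not code from the post, nor from SW3 / E-trust IDS. It contrasts a rule of the shape the post describes with one that only fires on a flow whose three-way handshake was observed and that matches against the reassembled client-to-server stream. The port 31337 is taken from the post; the token MAGIC-TOKEN, the addresses and every segment are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment, reduced to the fields the two rules below look at."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "PSH", "FIN"}
    seq: int           # sequence number of the first payload byte
    payload: bytes


RULE_PORT = 31337              # port from the post's example rule
RULE_TOKEN = b"MAGIC-TOKEN"    # constructed placeholder, not a real signature
HANDSHAKE_DONE = {"SYN", "SYNACK", "ACK"}


def naive_match(segments):
    """Port-and-payload rule as the post describes: alert on any segment to
    RULE_PORT whose bytes contain RULE_TOKEN.  No header or stream context."""
    return [s for s in segments
            if s.dport == RULE_PORT and RULE_TOKEN in s.payload]


def stateful_match(segments):
    """Same token, but only on flows whose three-way handshake was observed,
    and matched against the reassembled client->server byte stream so that a
    token split across segments (or delivered out of order) is still seen."""
    handshake = defaultdict(set)   # flow 4-tuple -> handshake steps seen
    streams = defaultdict(dict)    # flow 4-tuple -> {seq: payload}
    alerts = []
    for s in segments:
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if s.flags == {"SYN"}:
            handshake[fwd].add("SYN")
        elif s.flags == {"SYN", "ACK"} and "SYN" in handshake[rev]:
            handshake[rev].add("SYNACK")
        elif "ACK" in s.flags and "SYNACK" in handshake[fwd]:
            handshake[fwd].add("ACK")
        if (s.dport == RULE_PORT and s.payload
                and handshake[fwd] >= HANDSHAKE_DONE):
            streams[fwd][s.seq] = s.payload
            # reassemble in sequence order before looking for the token
            data = b"".join(p for _, p in sorted(streams[fwd].items()))
            if RULE_TOKEN in data and fwd not in alerts:
                alerts.append(fwd)
    return alerts


def three_way_handshake(client, cport, server, sport, seq0=1000):
    """Constructed SYN, SYN/ACK, ACK for one flow (toy sequence numbers)."""
    return [
        Segment(client, server, cport, sport, frozenset({"SYN"}), seq0, b""),
        Segment(server, client, sport, cport, frozenset({"SYN", "ACK"}), 5000, b""),
        Segment(client, server, cport, sport, frozenset({"ACK"}), seq0 + 1, b""),
    ]


SERVER = "10.0.0.9"
ESTABLISHED = frozenset({"ACK", "PSH"})

# Constructed sample traffic (not a real capture).
TRAFFIC = (
    # flow A: no handshake seen, one stray segment carrying the token
    [Segment("10.0.0.20", SERVER, 40000, RULE_PORT, ESTABLISHED, 1,
             RULE_TOKEN + b" ping")]
    # flow B: real session, token split over two segments arriving out of order
    + three_way_handshake("10.0.0.21", 40001, SERVER, RULE_PORT)
    + [Segment("10.0.0.21", SERVER, 40001, RULE_PORT, ESTABLISHED, 1007, b"TOKEN\n"),
       Segment("10.0.0.21", SERVER, 40001, RULE_PORT, ESTABLISHED, 1001, b"MAGIC-")]
    # flow C: real session on the same port, benign data
    + three_way_handshake("10.0.0.22", 40002, SERVER, RULE_PORT)
    + [Segment("10.0.0.22", SERVER, 40002, RULE_PORT, ESTABLISHED, 1001,
               b"hello dev server\n")]
)


if __name__ == "__main__":
    print("naive rule fires on:   ", [s.src for s in naive_match(TRAFFIC)])
    print("stateful rule fires on:", [f[0] for f in stateful_match(TRAFFIC)])
```

Run as a script, the naive rule fires only on the stray segment from 10.0.0.20 (no session behind it) and misses the real session from 10.0.0.21 because the token never appears whole in one segment; the stateful rule does the opposite. The handshake tracker here is deliberately minimal (no timeouts, no FIN/RST teardown, no sequence-gap handling), so it shows the principle rather than a production stream reassembler.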

----- Original Message -----
From: Sarunas Krivickas <KrivickasS () pastas kam lt>
To: <ids () uow edu au>
Sent: Sunday, March 26, 2000 2:43 PM
Subject: IDS: SessionWall3

Hi,
My questions are directed to SW3 users.
Please, reply to me speaking about advantages and disadvantages of SW3.
I am looking for people who have experience administering SW3 for
further discussions.
Also any comments on SW3 are very welcome.

Regards,
Sarunas