Intrusion Detection Systems mailing list archives

IDS comparison


From: CKlaus () iss net (Klaus, Chris (ISSAtlanta))
Date: Wed, 8 Mar 2000 01:51:26 -0500



As you compare IDS technologies, you may want to think about other factors
beyond attack signatures, network & host IDS integration, ease of deployment
& use, reporting, etc.  You may want to look at the company behind the IDS.
Will it be here tomorrow?   If your IDS vendor goes away by bankruptcy or is
acquired, even if you get the source code, I'm not sure you want to maintain
a very intense development and updating of an IDS system.    

There are probably at least 10 - 20 IDS companies around in the market.
Just like in the beginning of the firewall market, there were 50+ firewall
companies and most have not survived, I predict the same will happen in IDS.
It's already happening. I can name at least 3 IDS companies that have
already been acquired, and typically, once the stock vests, say good-bye to
the security expertise that was building it.

As we begin to understand IDS in broader terms, combining both vulnerability
assessment and intrusion detection data together becomes critical for
long-term success.

One issue with IDS is how do I reduce reacting to all the events that are
detected.  We should correlate data from both host and network based IDS and
vulnerability assessments, and this helps me prioritize based on whether the
attack was against a known vulnerable system or a secure system.  You react
differently if you know it was a successful compromise of a vulnerable
server versus a probe check against a locked down server.  By doing this,
you can better optimize the use of your security team.

Internet Security Systems has focused on enabling this correlation with
SAFEsuite Decisions and the family of Scanners and RealSecure.

Here's information on steps Internet Security Systems is taking to protect
customers in the next release of RealSecure:

NEW ATTACK SIGNATURES
When new attack types and evasive techniques are identified by ISS product
developers and ISS X-Force researchers, we update our products with
additional X-Press Updates to detect and block such attacks. Just as
anti-virus software must regularly release new virus definition files when
new viruses are found, Intrusion Detection Software such as RealSecure must
be updated when new attacks are developed and discovered.

ENHANCEMENTS TO NEXT REALSECURE RELEASE
ISS development is aware of the modified attacks described in the postings.
They have been addressed by engineering for the next major release of
RealSecure. As with any software product, RealSecure continues to develop
and evolve and so does the strength and scope of the attack signatures and
packet processing. The next RealSecure release contains numerous additions
and enhancements that will allow RealSecure to detect the modified attacks
described in the BugTraq posting. 

FALSE POSITIVES FOR SENDMAIL ATTACKS 
RealSecure's analysis of email messages is designed to enhance performance
by treating email headers and message content the same. While this can lead
to false positives under certain conditions, customers rarely receive such
false positives if RealSecure is configured properly. By turning off the Wiz
check, as recommended (since very few machines are vulnerable to the Wizard
backdoor), customers can reduce excessive false positives. Many RealSecure
signatures, like the email signatures, include advanced tuning options that
also help reduce false positives. These advanced options allow you to configure
many parameters, such as how often an event must be seen within a
user-defined period of time before triggering a response. This functionality
is very flexible and allows users to configure this flood protection based
on many parameters, such as source and destination address and port.

WHISKER STEALTH MODES
A signature to detect a broader range of Whisker scans is already in the
engineering builds of RealSecure. We have verified and retested this
signature using the various Whisker modes to ensure comprehensive detection
of this program. The current development build has successfully detected
attempts to evade RealSecure using a variety of methods including stealth
mode.

MODIFIED IP FRAGMENTATION ATTACKS
The next release of RealSecure will detect more advanced IP fragmentation
attacks by adding enhanced IP Fragment re-assembly to the Network Sensor.
The IP Fragmentation re-assembly code has been successfully tested both
in-house and at various customer sites. This functionality has been
completely re-engineered to help prevent evasive techniques, such as the
ones described in the BugTraq posting.

X-PRESS UPDATES
In addition to including a variety of new signatures, the next release of
RealSecure will make it even easier to quickly add new signatures using
X-Press Updates. This feature already exists in other ISS SAFEsuite products
and allows ISS to respond in a more timely manner to new security threats.

RECOMMENDATIONS
ISS asks individuals to please report any bugs, new exploits, new
modifications to exploits, and any issues regarding ISS products to
support () iss net. 

ISS also recommends using the open discussion forum on ISS technology at
http://xforce.iss.net/maillists to seek answers. This forum also provides
many useful tips and advice on how to use RealSecure.

In addition, to ensure proper configuration, ISS recommends customers go
through an ISS intrusion detection training course. Customers may also
request assistance from ISS Consulting Group to help implement and properly
configure RealSecure in a specific environment.

 -------------------------------------
Christopher Klaus
Founder and CTO
Internet Security Systems, Inc.

(678) 443-6000 /fax (678) 443-6477
6600 Peachtree-Dunwoody Road NE
300 Embassy Row, Atlanta, GA  30328
www.issx.com
NASDAQ: ISSX

Join ISS X-Force Mailing List:
http://xforce.issx.com/maillists/

*******************************************************************
                         ISS CONNECT 2000
International User Group and Information Security Summit
    March 19-24, 2000                  http://connect.iss.net
                          REGISTER TODAY!
*******************************************************************
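The correlation of IDS events with vulnerability-assessment results and the per-signature event-count tuning described in the post, as an added example that is not ISS or RealSecure code; the scan results, alerts, signature names and host addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed scan results: destination host -> signatures it was found vulnerable to.
VA_RESULTS = {
    "10.0.0.5": {"sendmail-wiz", "ftp-site-exec"},  # known-vulnerable mail server
    "10.0.0.9": set(),                               # scanned, locked down
}

# Constructed IDS alerts: (timestamp, signature, source, destination).
ALERTS = [
    ("2000-03-08T01:00:00", "sendmail-wiz", "192.0.2.7", "10.0.0.5"),
    ("2000-03-08T01:00:02", "sendmail-wiz", "192.0.2.7", "10.0.0.9"),
    ("2000-03-08T01:00:04", "whisker-scan", "192.0.2.8", "10.0.0.9"),
    ("2000-03-08T01:00:06", "whisker-scan", "192.0.2.8", "10.0.0.9"),
    ("2000-03-08T01:00:08", "whisker-scan", "192.0.2.8", "10.0.0.9"),
    ("2000-03-08T01:00:10", "ftp-site-exec", "192.0.2.9", "10.0.0.77"),
]

def priority(signature, destination):
    """Rank an alert by what the vulnerability assessment knows about the target."""
    if destination not in VA_RESULTS:
        return "medium"      # never scanned: exposure unknown, needs a look
    if signature in VA_RESULTS[destination]:
        return "high"        # attack against a host known to be vulnerable to it
    return "low"             # probe against a host the scan found not vulnerable

def flood_filter(alerts, threshold, window_seconds):
    """Report a (signature, source, destination) tuple only once it has been
    seen `threshold` times within `window_seconds`; returns surviving alerts."""
    seen = defaultdict(deque)
    window = timedelta(seconds=window_seconds)
    surviving = []
    for ts, sig, src, dst in alerts:
        q = seen[(sig, src, dst)]
        t = datetime.fromisoformat(ts)
        q.append(t)
        while q and t - q[0] > window:   # drop sightings outside the window
            q.popleft()
        if len(q) >= threshold:
            surviving.append((ts, sig, src, dst))
            q.clear()                    # one flood yields one event
    return surviving

def triage(alerts, threshold=1, window_seconds=60):
    """Filter floods, then attach a priority to each surviving alert."""
    return [(ts, sig, src, dst, priority(sig, dst))
            for ts, sig, src, dst in flood_filter(alerts, threshold, window_seconds)]
```

With `threshold=1` every alert is reported but ranked; with `threshold=3` and a 10-second window only the repeated Whisker scan survives, and it is still ranked low because the target was found not vulnerable.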
