Intrusion Detection Systems mailing list archives

Re: comparison of NFR vs RealSecure


From: carric () com2usa com (Carric Dooley)
Date: Mon, 13 Mar 2000 22:58:28 -0500



I will insert comments below:

Carric Dooley
Network Security Consultant

"The probability of someone watching you is proportional to the stupidity of your action." 
-Anon? 
-----Original Message-----
From: Thomas Nau <thomas.nau () rz uni-ulm de>
To: ids () uow edu au <ids () uow edu au>
Date: Monday, March 13, 2000 1:02 PM
Subject: IDS: comparison of NFR vs RealSecure

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
------------------------------------------------------------------------------
Will someone please offer a comparison of NFR vs RealSecure with focus on
the following topics (we run the usual switched 100-1000Mbit network but
sniffing will only be done in several 100 segments)

- speed

ISS should be fine up to about 40Mb on a 100Mb link.. you supplement this by using the system agents (these run on key 
servers reporting to the central console).

NFR claims to handle up to a 70Mb saturated backbone.. there is no equivalent to system agents that I know of.

- update frequency and reliability of attack signature
ISS has just gone to a modular update scheme which will allow them to release updates anytime there is a new major 
exploit... (they were the first to have code against BO2K).

NFR has a "roll your own" approach.  Once you learn the scripting language, you can react as soon as you know about the 
exploit without waiting for an update.  You can also get your initial package of signatures from L0pht Heavy Industries.

- integration of FW-1 (means setup filter on the fly)
Absolutely.. it will create rules on the fly via the OPSEC protocol SAMP, and can modify router ACLs as well.

I am not sure if NFR ties into FW-1...

- multi-sensor single evaluation node environment
This is referred to as a distributed architecture, and ISS uses an "engine/console" architecture with agents and 
engines reporting to a central console (color coded by engine/agent and separated into 3 windows for critical, medium 
and minor events).

You can set this up distributed as well.. it requires either a Solaris or Linux management server and then a windows 
client to access and manage the system as well as view the logging and alerts (the engines are essentially a PC that 
you boot off their CD and configure with a public and mgt. interface).  I am not particularly fond of the interface and 
it requires a steeper learning curve than NFR.

- available API (integrating own type of alerts, actions, ...)
You can write custom progs kicked off by keyed events.. i.e.

if this event happens, execute "myprog.exe"


- last but not least cost and administrative overhead
ISS is not cheap (at roughly $8K-$9K per engine and $1,500 for the console.. I think roughly $300-$400 for system 
agents).  I prefer their IDS because it integrates well with their other products and can talk to a meta-engine that 
correlates and reports on all the data it is fed (Decisions is the name of that product).  It is easy to deploy and 
does not require a PhD to figure out.  It is also relatively easy to make changes and customize the already 
pre-packaged policies.  For a large enterprise I think it's the only viable choice.

NFR is much cheaper (I want to say something like $3500/engine), but I could be totally wrong.. I know Mr. Ranum is on 
this list and I am sure he would be happy to discuss price with you.  It is also EXTREMELY easy to deploy and manage.  
Like I said, you can write your own sigs with the custom scripting language, and all you need is a few decent PCs 
with a fairly standard config for your engines (PII, 128MB, 4G HDD, 3C905, etc.).  It boots right off the CD and within 
minutes you are up and running.

In all, I have to say I like them both, but they suit different sets of needs.  If you are a smaller .com company that is 
$$ conscious, and you have a couple "coder/hacker linux head" types on staff, NFR is a good fit.  If you are Nations 
Bank or Pepsi, I think ISS is the logical choice.


Thanks,
Thomas

====== PGP fingerprint B1 EE D2 39 2C 82 26 DA  A5 4D E0 50 35 75 9E ED ======

Thought you got rid of all year 2k bugs and problems?
Here's a new one: Windows 2000
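The reply above describes two mechanisms without showing them: the console sorting events into critical, medium and minor windows, and "custom progs kicked off by keyed events" (if this event happens, execute "myprog.exe"). The following is an added illustration of that pattern, written for this archive page; it is not code from NFR, ISS RealSecure or either poster. The key=value alert format, the signature names, and the program paths under /usr/local/bin are all constructed assumptions. The point a practitioner should take from it is the dispatch design: actions are looked up by signature name from a fixed table, and the event's fields are handed to the program as separate argv items rather than pasted into a shell command line, so data that arrived in a packet cannot change which command runs.

```python
"""Event-keyed responder: bucket IDS alerts by severity and run a configured
program for selected signatures.  Added example with a hypothetical alert
format; not the output or API of any real IDS product."""
import subprocess
from dataclasses import dataclass


@dataclass
class Event:
    engine: str
    sig: str
    sev: str          # one of "critical", "medium", "minor"
    src: str
    dst: str


VALID_SEV = ("critical", "medium", "minor")

# Constructed sample alert lines (the key=value layout is an assumption of
# this example, not a real sensor's log format).
SAMPLE_ALERTS = [
    "engine=dmz-1 sig=BO2K sev=critical src=192.0.2.10 dst=198.51.100.7",
    "engine=dmz-1 sig=PORTSCAN sev=medium src=192.0.2.11 dst=198.51.100.7",
    "engine=lan-2 sig=ICMP_ECHO sev=minor src=198.51.100.3 dst=198.51.100.9",
    "engine=lan-2 sig=BO2K sev=critical src=192.0.2.12 dst=198.51.100.20",
]

# Keyed actions: signature name -> argv prefix.  Program paths are hypothetical.
ACTIONS = {
    "BO2K": ["/usr/local/bin/myprog", "--block-src"],
    "PORTSCAN": ["/usr/local/bin/notify-oncall"],
}


def parse_alert(line: str) -> Event:
    """Parse one key=value alert line; raise ValueError on anything malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    for key in ("engine", "sig", "sev", "src", "dst"):
        if key not in fields:
            raise ValueError(f"missing field {key!r} in {line!r}")
    if fields["sev"] not in VALID_SEV:
        raise ValueError(f"unknown severity {fields['sev']!r}")
    return Event(**{k: fields[k] for k in ("engine", "sig", "sev", "src", "dst")})


def run_argv(argv):
    """Default runner: an argv list, never a shell string, so alert fields
    are passed literally and cannot be reinterpreted as shell syntax."""
    subprocess.run(argv, check=False)


def dispatch(lines, actions=ACTIONS, runner=run_argv):
    """Return (buckets, executed).

    buckets maps each severity to the events seen at that level (the three
    console windows); executed lists every argv handed to the runner."""
    buckets = {sev: [] for sev in VALID_SEV}
    executed = []
    for line in lines:
        try:
            ev = parse_alert(line)
        except ValueError:
            continue  # a malformed line must not take the console down
        buckets[ev.sev].append(ev)
        argv = actions.get(ev.sig)   # only signatures in the table trigger a program
        if argv:
            cmd = [*argv, f"--src={ev.src}", f"--dst={ev.dst}", f"--engine={ev.engine}"]
            runner(cmd)
            executed.append(cmd)
    return buckets, executed


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    buckets, executed = dispatch(SAMPLE_ALERTS, runner=print)
    for sev in VALID_SEV:
        print(sev, [ev.sig for ev in buckets[sev]])
```

Run as-is it only prints what it would execute; swapping `runner=print` for the default `run_argv` makes it actually launch the configured programs. Note that the `runner` callable is also what makes the dispatcher testable without touching the system, and that lines with an unknown severity or a missing field are dropped rather than routed to a default bucket.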