Intrusion Detection Systems mailing list archives

Re: IDS Comparison


From: misha () insync net (Misha)
Date: Fri, 3 Mar 2000 22:33:44 -0600 (CST)



> has developed some of the schema for this, but it's pretty weak.  Another bet
> is adding on NetForensics from NetCom to the Oracle back end.  This fills out
> the reporting deficiencies of a Cisco Secure IDS solution, but at a serious
> price differential.  ISS has tons of reporting built into the product.  You can

Speaking of netForensics. We have been running netForensics Workgroup Beta
2 for over a month now, and the reporting capabilities are great, though
the audit trail and ability to cross reference a lot of events is what's
really useful. The real time console is more or less of a joke at this
point, unless we get filtering working.

We are running into a few performance limitations though. Running on Red
Hat 6.2 with Oracle on the back end (P300, 256mb) it has trouble keeping
up with a Cisco Pix doing debug level logging with about 12mbps incoming
traffic. The entire application is written in Java, which doesn't seem to
scale much at all, and we see the jre process hovering at over 50% CPU
even at low loads. At peak times it just kills off the collection service.

Is there a good way to bypass the performance problems with netForensics
short of allocating a really hot log collection box for every firewall and
Net Ranger device? 

I have not found anything that even comes close to netForensics for Pix
log analysis (after looking at Private I and Webtrends), but we have to
get these performance problems resolved. Any current users with a good
amount of experience with it?

Also, if you know of an alternative to netForensics, please let me know. I
know CMDS Enterprise is supposed to have a Pix module soon, but I can't
beat the delivery date out of the sales people.

Misha