Intrusion Detection Systems mailing list archives

Re: IDS Comparison


From: robert_david_graham () yahoo com (Robert Graham)
Date: Fri, 3 Mar 2000 16:03:31 -0800 (PST)



--- Sirine tlili <sirine.tlili () ati tn> wrote:
Hi,

Our company would like to purchase an intrusion detection system.
We don't know which one to choose Netranger or ISS Real Secure.
Can somebody help us to make a comparison between these two products ?

What are your basic criteria? No IDS is appropriate for all people. Also, is
there a specific reason why you are limiting yourself to just those two?

For example, there is a simple utility called "fragrouter" that allows a hacker
to evade an intrusion detection system. It is pretty simple: simply install it,
redirect your route through it, and "poof", both NetRanger and RealSecure won't
detect what is going on. There is another utility called "whisker" that allows
a hacker to evade detection while attacking your website. It has 11
anti-evasion techniques that will likewise go undetected by those IDSs. These
are extremely well-known, easy to use utilities that hackers have in their
hands. 

I work for a vendor that has spent huge amounts of effort on anti-evasion
technology. I'm a little pissed off that vendors that dump huge amounts of
money into marketing/advertising get all the attention. Smaller companies like
Network ICE, NFR, and Dragon have spent their efforts creating the most
sophisticated network intrusion detection systems on the planet, but they don't
get nearly the attention. As you can see in the article
http://www.nwc.com/1023/1023f19.html, these are the only IDSs that cannot be
evaded by simple techniques. These systems are very good in other ways.

For example, 4 months ago, RFP published his "whisker" script that completely
evaded IDSs. We (Network ICE) went back to the drawing boards and reexamined
our engine to solve not only that problem, but any others we could think of. We
released a new version within a couple of days. A little while later, RFP
published a new version of his program with 8 more anti-IDS techniques. We had
already anticipated 7 of them, but were caught by the eighth. Within a day, we
had patched our system. Moreover, we sent RFP a free copy of our product with
the challenge "look here, punk, bet you can't do it again!".

Now 4 months is forever in script-kiddy years. The whisker script has been very
famous, yet ISS has done nothing about it. Likewise, the fragmentation issue
has been well known for over a year. These problems aren't difficult to solve.
For example, the article mentioned above shows some performance issues with our
fragmentation reassembly code. It isn't a big deal, but within 2 days we fixed
up the code to improve performance. Likewise, it took the folks at Dragon only
a little while to add fragmentation code. These problems aren't difficult to
solve; you have to ask yourself why it is taking ISS so long.

Now, their ISS Scanner is very good and they have lots of good people working
there, but RealSecure is a script-kiddy IDS. Lots of people have been fooled
into thinking that it will protect them from hackers who use things like
fragrouter or whisker. In reality, a hacker can easily evade the system and
completely hack your webserver without RealSecure telling you what is going on.

Robert Graham
CTO/Network ICE

PS: If anybody buys NetRanger or RealSecure with the knowledge it can be evaded
by hackers, could you please send me e-mail and explain why?
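The fragmentation point made above, as an added example that is not part of the original message or any vendor's code: a toy Python reassembler showing why an IDS that pattern-matches each fragment on its own misses a signature split across fragments, while matching the reassembled datagram catches it. The request, the fragment layout and the signature string are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset of this piece within the original datagram
    payload: bytes
    more: bool       # True while further fragments follow (like the IP "MF" flag)


def match_each_fragment(frags: Iterable[Fragment], signature: bytes) -> bool:
    """Naive detector: looks for the signature inside every fragment separately.
    A signature that straddles a fragment boundary is never seen whole."""
    return any(signature in f.payload for f in frags)


def reassemble(frags: Iterable[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram from fragments that may arrive out of order.
    Returns None if a gap or overlap is found, or the final fragment is missing,
    rather than guessing at the contents."""
    ordered: List[Fragment] = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    for f in ordered:
        if f.offset != len(buf):      # hole or overlap: refuse to reassemble
            return None
        buf += f.payload
    if not ordered or ordered[-1].more:  # last piece must clear the "more" flag
        return None
    return bytes(buf)


def match_reassembled(frags: Iterable[Fragment], signature: bytes) -> bool:
    """Detector that inspects the reassembled datagram instead of raw pieces."""
    data = reassemble(frags)
    return data is not None and signature in data


# Constructed sample: an HTTP request chopped so the signature spans two fragments,
# delivered out of order. Signature and request are illustrative values only.
SIGNATURE = b"/cgi-bin/phf"
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"
SAMPLE_FRAGS = [
    Fragment(8, REQUEST[8:16], True),     # "-bin/phf" arrives first
    Fragment(0, REQUEST[0:8], True),      # "GET /cgi"
    Fragment(16, REQUEST[16:], False),    # remainder, final fragment
]
```

Running `match_each_fragment(SAMPLE_FRAGS, SIGNATURE)` reports nothing, while `match_reassembled` on the same fragments fires; dropping the final fragment makes `reassemble` return None instead of a partial match.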



