Intrusion Detection Systems mailing list archives

Re: IDS Comparison


From: blue0ne () igloo org (Jackie Chan)
Date: Sat, 4 Mar 2000 09:34:28 -0500 (EST)



Robert,
        You give the impression that RealSecure won't even alert you to
what is going on when an attacker (why must we still call them hackers
when we know this is wrong?) uses fragrouter.  The truth is that
RealSecure WILL alert that fragmented packets are going through, from
what source, and to what destination.  It is true that it will not tell
you specifically what the attack was, but let's not confuse users into
believing that they will have no idea as to what is happening.  Oh, and by
the way, I don't work for a vendor, so my opinion is totally unbiased.

blue0ne
CTO of my own mind


For example, there is a simple utility called "fragrouter" that allows a hacker
to evade an intrusion detection system. It is pretty simple: simply install it,
redirect your route through it, and "poof", both NetRanger and RealSecure won't
detect what is going on. There is another utility called "whisker" that allows
a hacker to evade detection while attacking your website. It has 11
anti-evasion techniques that will likewise go undetected by those IDSs. These
are extremely well-known, easy to use utilities that hackers have in their
hands. 

I work for a vendor that has spent huge amounts of effort on anti-evasion
technology. I'm a little pissed off that vendors that dump huge amounts of
money into marketing/advertising get all the attention. Smaller companies like
Network ICE, NFR, and Dragon have spent their efforts creating the most
sophisticated network intrusion detection systems on the planet, but they don't
get nearly the attention. As you can see in the article
http://www.nwc.com/1023/1023f19.html, these are the only IDSs that cannot be
evaded by simple techniques. These systems are very good in other ways.

For example, 4 months ago, RFP published his "whisker" script that completely
evaded IDSs. We (Network ICE) went back to the drawing boards and reexamined
our engine to solve not only that problem, but any others we could think of. We
released a new version within a couple of days. A little while later, RFP
published a new version of his program with 8 more anti-IDS techniques. We had
already anticipated 7 of them, but were caught by the eighth. Within a day, we
had patched our system. Moreover, we sent RFP a free copy of our product with
the challenge "look here, punk, bet you can't do it again!".

Now 4 months is forever in script-kiddy years. The whisker script has been very
famous, yet ISS has done nothing about it. Likewise, the fragmentation issue
has been well known for over a year. These problems aren't difficult to solve.
For example, the article mentioned above shows some performance issues with our
fragmentation reassembly code. It isn't a big deal, but within 2 days we fixed
up the code to improve performance. Likewise, it took the folks at Dragon only
a little while to add fragmentation code. These problems aren't difficult to
solve; you have to ask yourself why it is taking ISS so long.

Now, their ISS Scanner is very good and they have lots of good people working
there, but RealSecure is a script-kiddy IDS. Lots of people have been fooled
into thinking that it will protect them from hackers who use things like
fragrouter or whisker. In reality, a hacker can easily evade the system and
completely hack your webserver without RealSecure telling you what is going on.

Robert Graham
CTO/Network ICE

PS: If anybody buys NetRanger or RealSecure with the knowledge it can be evaded
by hackers, could you please send me e-mail and explain why?



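The two messages above argue about what an IDS sees when an attacker uses fragrouter (splitting or overlapping packets so that no single packet carries the whole signature) or whisker (obfuscating the request URL). The script below is an added illustration written for this page; it is not code from either poster, from Network ICE, ISS, fragrouter or whisker. It assumes a hypothetical signature for the classic phf CGI probe and uses constructed sample fragments. It shows three things a practitioner wants to check: a per-fragment matcher misses a signature split across fragments, a reassembling detector that also normalizes the URL catches it, and overlapping fragments are ambiguous unless the detector models which copy the target host keeps.

```python
"""
Added example: fragment reassembly plus whisker-style URL normalization
in front of a simple signature match. All fragments and URIs are
constructed sample input; the signature is a hypothetical rule.
"""
import re
from urllib.parse import unquote

SIGNATURE = b"/cgi-bin/phf"   # hypothetical rule for the phf probe


def naive_match(fragments):
    """Per-fragment matcher: what an IDS with no reassembly does."""
    return any(SIGNATURE in data for _, data in fragments)


def reassemble(fragments, policy="first"):
    """Rebuild the byte stream from (offset, data) fragments.

    policy picks the winner on overlapping bytes: 'first' keeps the
    earlier copy, 'last' keeps the later one. Real hosts differ here,
    so the detector has to use the policy of the host it protects.
    """
    size = max(off + len(data) for off, data in fragments)
    buf = bytearray(size)
    filled = bytearray(size)          # 1 where a fragment already wrote
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = 1
    return bytes(buf)


def normalize_uri(path):
    """Undo common URL obfuscations before matching: %xx encoding,
    repeated slashes, self-referencing '.' segments and '..' traversal."""
    path = unquote(path)
    path = re.sub(r"/+", "/", path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def detect(stream):
    """Parse the request line of a reassembled HTTP request and match
    the normalized, case-folded path against the signature."""
    line = stream.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split()              # also splits on TAB separators
    if len(parts) < 2:
        return False
    path = parts[1].split("?", 1)[0]  # drop the query string
    return SIGNATURE.decode() in normalize_uri(path).lower()


# Constructed sample: the request is split so the signature straddles
# two fragments, and the path is obfuscated with "./" and %70 for "p".
SPLICED = [
    (0, b"GET /cgi-"),
    (9, b"bin/./%70hf HTTP/1.0\r\n\r\n"),
]

# Constructed sample: a later fragment overwrites bytes 13..15. A host
# that keeps the first copy executes phf; one that keeps the last copy
# sees "xyz" and nothing happens. The IDS verdict depends on the policy.
OVERLAP = [
    (0, b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),
    (13, b"xyz"),
]


if __name__ == "__main__":
    print("per-fragment match on spliced request:", naive_match(SPLICED))
    print("reassembled + normalized:", detect(reassemble(SPLICED)))
    for policy in ("first", "last"):
        print("overlap, policy", policy, ":",
              detect(reassemble(OVERLAP, policy)))
```

The overlap case is the real caveat: a per-fragment matcher alerts on OVERLAP because the signature sits whole in the first fragment, yet a host that favours the later copy never runs phf, and a host that favours the earlier copy does. Reassembly alone is not enough; the detector also needs the reassembly policy of the protected host, or it can be made to alert on attacks that never happen and stay silent on ones that do.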



