List:       ids
Subject:    IDS: RE: Distinguishing/unique features
From:       "Hedges, Nigel" <Nigel.Hedges () ca ! com>
Date:       2001-04-25 6:24:45
[Download RAW message or body]

Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
You mentioned ease of use. I think this has a high value, as there is no
point in having a billion features if your IT staff don't even look at them.
You must be able to control the information you require easily. An IDS might
be able to keep up with speeds, but it is of no use if a human misses huge
chunks of important IDS alerts.
 
Likewise, reporting functionality must be flexible and attractive otherwise
management won't read them (in much detail). 

If you're after some product comparisons, try www.nss.co.uk; they have an IDS
PDF document which outlines quite a few of the more common commercial IDS
and VA products out there.

I'm also keen on hearing what others have to say on this....

Nigel Hedges
Computer Associates
Technical Consultant
Email: nigel.hedges@ca.com

 -----Original Message-----
From: 	Kohlenberg, Toby [mailto:toby.kohlenberg@intel.com] 
Sent:	Wednesday, 25 April 2001 9:41 AM
To:	ids@uow.edu.au
Subject:	IDS: Distinguishing/unique features

<All opinions stated within this message and comments made are my
own and in no way reflect the views of my employer.>

After looking at many of the NIDS products available and looking at a
smaller number of them to a fair depth, I have come to the conclusion that
it isn't very valid anymore to judge products by # of false
positives/negatives, ability to handle high-speed connections or total
number of attacks detected.
Here are my reasons:
None of the vendors are doing anything unique in terms of attack detection
methodologies. Some do string matching, some do protocol compliance
validation, some do anomaly detection, some do a combination of these
methods, but I haven't seen any products that do anything radically
different. Within that space each vendor is taking slightly different
approaches, but which one is "best" changes depending on who has released
a new version most recently and other similar things.
Everyone is pushing to support high-speed connections, some are better than
others today, but again, this is changing regularly and cannot be considered
a consistent feature to judge against.
Therefore, it becomes necessary to judge against other factors: unique
features, ease of use, interoperability with other products, etc. There are
reports available on ease of use (though this is a matter of personal
preference to some extent) but there isn't much out there about
interoperability or unique features.
Lots of vendors say they support SNMP but that generally means you get less
than the full detail and if you have to push alerts from the sensor to their
console and then to the 3rd party product, you have the potential to lose a
lot of the information in translations. 
Everyone claims to have unique features but once you get past the marketing
flash it is generally a different term for a standard feature. Some products
have some really cool features that appear to be unique; I have started
trying to collect that info and use it as a means of tipping the scales
between the products when all else is pretty much equal.


That said, I would be interested in hearing what others on the list think on
this topic as well as what features people have seen that appear to be
unique. All you vendors, feel free to chime in, but please stick to actual
technical details.

Thanks,
Toby

Toby Kohlenberg, CISSP
Intel Corporate Information Security
STAT Team
Information Security Specialist 
503-264-9783  Office & Voicemail
877-497-1696  Pager
"Just because you're paranoid, doesn't mean they're not after you."

PGP Fingerprint:
92E2 E2FC BB8B 98CD 88FA  01A1 6E09 B5BA 9E84 9E70
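The three detection methodologies Toby lists (string matching, protocol
compliance validation, anomaly detection), run side by side over a handful of
constructed HTTP request lines so the difference in what each one catches is
visible. This is an added example, not code from either poster or from any
vendor product discussed on the list. The signature strings, the request-line
grammar checks and the URI-length statistic are assumptions chosen for
illustration, as is all of the sample traffic.

```python
"""
Signature matching, protocol-compliance validation and statistical anomaly
detection applied to the same constructed HTTP request lines.
Added example; the signatures, grammar rules and traffic are all assumptions.
"""
import re
from statistics import mean, pstdev
from typing import Dict, List

# Constructed "known good" traffic used only to train the anomaly detector.
BASELINE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /about.html HTTP/1.1",
    "POST /login.php HTTP/1.1",
    "GET /images/logo.gif HTTP/1.0",
    "GET /news/2001/april.html HTTP/1.1",
    "GET /contact.html HTTP/1.1",
    "GET /products/list.cgi HTTP/1.1",
    "GET /search?q=ids HTTP/1.1",
]

# Constructed traffic to inspect; each comment says what the line exercises.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",                                     # 0 benign
    "GET /about.html HTTP/1.1",                                     # 1 benign
    "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0",  # 2 known attack string
    "GET /index.html HTTP/2.5",                                     # 3 malformed: version never defined
    "GET /" + "A" * 300 + " HTTP/1.0",                              # 4 overflow probe, no signature
]

# Hypothetical signature set (assumption: strings a 2001-era IDS might carry).
SIGNATURES = {
    "phf-cgi": "/cgi-bin/phf",
    "passwd-fetch": "/etc/passwd",
}

# HTTP/1.x request-line grammar: Method SP Request-URI SP HTTP-Version.
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
KNOWN_VERSIONS = {(1, 0), (1, 1)}


def string_match(request: str) -> List[str]:
    """Signature matching: names of every signature whose string occurs in the request."""
    return [name for name, pattern in SIGNATURES.items() if pattern in request]


def protocol_violations(request: str) -> List[str]:
    """Protocol compliance: every way the request-line departs from the grammar."""
    m = REQUEST_LINE.match(request)
    if m is None:
        return ["request-line does not parse"]
    method, uri = m.group(1), m.group(2)
    version = (int(m.group(3)), int(m.group(4)))
    problems = []
    if method not in KNOWN_METHODS:
        problems.append(f"unknown method {method}")
    if not (uri.startswith("/") or uri == "*" or uri.startswith("http://")):
        problems.append("request-URI is neither abs_path, '*' nor absoluteURI")
    if version not in KNOWN_VERSIONS:
        problems.append(f"undefined version HTTP/{version[0]}.{version[1]}")
    return problems


def uri_length(request: str) -> int:
    """The single feature the anomaly detector models: length of the request-URI."""
    parts = request.split(" ")
    return len(parts[1]) if len(parts) >= 2 else len(request)


class UriLengthAnomaly:
    """Anomaly detection: alert when the URI is more than k standard deviations
    longer than the mean seen in the baseline traffic."""

    def __init__(self, baseline: List[str], k: float = 3.0) -> None:
        lengths = [uri_length(r) for r in baseline]
        self.threshold = mean(lengths) + k * pstdev(lengths)

    def is_anomalous(self, request: str) -> bool:
        return uri_length(request) > self.threshold


def run_all(requests: List[str], baseline: List[str]) -> Dict[str, List[int]]:
    """Per methodology, the indices of the requests it would alert on."""
    anomaly = UriLengthAnomaly(baseline)
    return {
        "string_match": [i for i, r in enumerate(requests) if string_match(r)],
        "protocol": [i for i, r in enumerate(requests) if protocol_violations(r)],
        "anomaly": [i for i, r in enumerate(requests) if anomaly.is_anomalous(r)],
    }


if __name__ == "__main__":
    for method, hits in run_all(SAMPLE_REQUESTS, BASELINE_REQUESTS).items():
        print(f"{method:13s} alerts on requests {hits}")
```

Run as-is, the signature matcher fires only on request 2, the protocol check
only on request 3, and the anomaly detector on 2 and 4: the overflow probe is
invisible to both of the other methods because it is a perfectly formed request
containing no known string, while the phf request is caught twice. That overlap
and those gaps are the reason a raw "attacks detected" count says little about
which methodology a product relies on.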
