Re: Realsecure

From: Vitaly Osipov (vosipov@wolfegroup.ie)
Date: 10/14/01


Message-ID: <3BC990D2.1DCD3F44@wolfegroup.ie>
Date: Sun, 14 Oct 2001 14:19:15 +0100
From: Vitaly Osipov <vosipov@wolfegroup.ie>
To: kbrownfox@home.com
Subject: Re: Realsecure


I also had an opportunity to "test" (it was more of playing with them,
almost half a year ago) Cisco Netranger, RealSecure (although it was
5.5, not 6) and eTrust IDS. It was not a big lab, just 2 or 3 unix/nt
boxes and the IDS in one LAN, so my tests are in no way accurate or
complete. I was interested in only their core part - event capturing and
logging abilities (no fool-proof installation wizards or funky GUIs). I
can say the following:

First, none of them has good custom signatures - all you can do is to
specify source and destination ports and a regular expression to look
for - no IP or TCP level characteristics, nothing else.

Second - logging capabilities - only RealSecure is worth anything if you
want to do something like data mining, simply because it logs to an SQL
database, so it is possible to generate any report you want - just do it
yourself. Netranger uses a proprietary database and is limited to 10 or
20 reports provided by Cisco Secure Policy Manager. eTrust is even worse
- I do not understand why they are trying to sell it as an IDS while it
is (as its predecessor SessionWall was) actually an internal
surveillance product, it is much more suited for watching what people on
your internal network are doing, which sites they visit etc and not for
attack recognition.

Cisco is the most robust of these three, and eTrust is the weakest (this
concurs with networkfusion report). But even Cisco had a problem - the
sniffing process on the appliance ("packetd" daemon) was quietly dying
under rather high amount of fragmented traffic (yes, I like tiny
fragments :) )

This is not a rant, this is a technical point of view of a person who is
desperate to find any product which is able to fulfil his needs :) (e.g.
to provide IDS capabilities for a big data centre and not require staff
of 10 ppl just to make it work) I did not try Dragon yet... I am living
with Snort+ACID currently, feeding Netranger and Cisco PIX alerts into
the same database as Snort.

regards,
Vitaly Osipov, CISSP

P.S. of course, all of these are my personal problems/opinions and have
nothing to do with my employer :)

Kevin Brown wrote:
>
> I agree with Bob. Testing IS a bleepin' nightmare, especially when you only
> have a few weeks to test several products. Personally, I'd love to have
> each product for several weeks and test under a dozen or more different
> scenarios. Unfortunately, vendors aren't willing to pay for this type of
> testing :-)
>
> The results of our latest IDS comparison were published in this week's Network
> World magazine. You can find the on-line version here.
>
> http://www.nwfusion.com/reviews/2001/1008rev.html
>
> I know this article doesn't contain some of the detail of reviews done in
> other mags, but I'd be happy to answer any reasonable requests for more
> information regarding the test bed to anyone who is interested. It might
> take a day or two to answer any inquiries as I have a few days vacation
> coming, but I'll do the best I can.
>
> For background traffic, we chose to use NetIQ's Chariot generating HTTP
> Gets. We only used 4 PCs for generating traffic, but each was configured
> with 250 IPs to simulate 1000 different nodes on our test network. The "how
> we tested" section covers the pps and Mbps.
>
> I think everyone will be surprised by the RealSecure results we saw.
> Version 6 moves to a 3 tier architecture, and performance saw a big boost.
> Of course, we gave it quite a bit of horsepower. That helps too.
>
> Brownfox
>
> -----Original Message-----
> From: Bob Walder [mailto:bwalder@nss.co.uk]
> Sent: Thursday, October 11, 2001 7:42 PM
> To: 'Greg Shipley'; focus-ids@securityfocus.com
> Subject: RE: Realsecure
>
> Ahhhh there's the rub....
>
> IDS' do indeed behave differently depending on the type of traffic you spit
> out on the wire - that's why testing these things is a damn nightmare!
