RE: Realsecure
From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 10/22/01
- Previous message: Bob Walder: "RE: Realsecure"
- Maybe in reply to: yh lee: "Realsecure"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <B6E52B5EDFAFD411BA42009027AE9D580FB84EA6@FMSMSX39>
From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>
To: "'Klaus, Chris (ISSAtlanta)'" <CKlaus@iss.net>, "'focus-ids@securityfocus.com'" <focus-ids@securityfocus.com>
Subject: RE: Realsecure
Date: Mon, 22 Oct 2001 13:39:19 -0700
All opinions are my own and in no way reflect the views of my
employer.
> -----Original Message-----
> From: Klaus, Chris (ISSAtlanta) [mailto:CKlaus@iss.net]
> Sent: Friday, October 19, 2001 4:05 PM
> To: 'focus-ids@securityfocus.com'
> Subject: RE: Realsecure
>
> NSS charges a significant amount of money to do performance testing per
> product. We currently have two products in this space. With our company
> goal to become profitable this last quarter and money was already spent
> elsewhere, it became a purely financial decision.
I thought they said it was ~US$500? Maybe ~US$750? That doesn't seem
like a tremendous amount to pay. Also, I've seen product reviews that
were paid for completely by ISS used frequently in the marketing
materials, how is the decision made regarding which reviewers to work
with and which not to?
> > Of course, one of the best performing products we found last year was
> > NetworkICE
>
> If NSS wanted to do it for free, we would be happy to participate. We
> believe BlackIce technology would remain in the top performer class and our
> current roadmap for integration leverages this core capability. Because
> the NetworkICE technology is being used as the chassis for doing the
> high-speed protocol analysis in the integrated version of RealSecure 7, you
> will find significant performance capability in the single integrated
> solution.
When can we expect to see a feature list/ beta release to current
ISS/NetworkICE customers?
> Some comments about testing in general (not directed at NSS).
>
> Most network IDSes now have 100 mbit speeds. If performance testing is done
> at 100 mbits, these tests do less to distinguish the capabilities of the
> current IDS technologies. With current evolution of IDS, I believe the next
> bar for performance testing should be set at 1G speeds.
I will look forward to seeing what NSS finds, but last I saw,
even though all vendors offer 100Mbps solutions, many of them
can't actually handle that in production environments. Before we
start assuming everyone can do full 100Mbps, I'd like to see a
couple reviews (that aren't included in marketing materials) state
that all the vendors they looked at had no problem at all keeping
up with a heavily utilized, production 100Mbps network. Like they
say about education- make sure you have the basics down pat before
you move on to something more advanced or else you'll end up tripping
up later in the game.
> Other standards and benchmarks I would like to see how IDS solutions
> compare:
>
> Compare IDS vendors on breadth and coverage of IDS solution:
> desktop IDS
> server IDS
> network IDS
> gigabit IDS
> inline IDS
Why? I understand the argument that a single vendor can provide better
integration of all the products, but it seems that it is much more
important to look at how well products interoperate with other products
from different vendors (especially ones that haven't been specially
integrated ahead of time). Trying to be everything to everyone seems
to generally lead to being nothing...
> Compare IDS vendors on ability to offer remote round-the-clock IDS
> monitoring service. We are finding many customers are looking to extend this
> value-add service to their IDS; rather than have their entire security team
> looking at IDS screens all the time, they can do more strategic activities,
> and get an alert from the vendor only when it's serious. And does the IDS
> vendor have an Emergency Response Services (ERS) team to help deal onsite
> with real incidents?
Again, why? An IDS vendor provides a product to do intrusion detection.
There is no reason to assume that they will (or should) automatically
provide monitoring services. That isn't what their focus is- they should
be focused on providing the best software they can with the tightest,
cleanest codebase and the most effective architecture.
> Compare IDS products based on Signature Coverage and Accuracy. How many
> signatures does the IDS have and how many are false positiving? With
> protocol analysis, one issue we have run into on some performance testing
> is that our signatures are starting to look at the return packets to
> determine if the attack was successful or not. If not, don't send an alarm.
> We had some customers who thought we were missing the attack, when in fact
> the policy was configured to only alert when it was successful. So they
> have to set up a vulnerable server in that situation if you are doing those
> tests.
I agree that this is useful, the problem is that with protocol
analysis, the term signature can get fuzzy. At this point it seems
that number of signatures is less important than ratio of false
positives to true positives. As well as how the products do with
"0-day" attacks.
Checking additional packets to validate an event makes perfect
sense, but frankly I'd rather know I was attacked whether it
was successful or not.
> Compare IDS products on Frequency and Response Time for Signature Updates.
> How fast did the IDS vendor respond when Code Red was unleashed? How often
> does the IDS really get updated? (like list the last 5 signature updates and
> the date they each were released).
This is a key point where signatures are required for all events,
but can be hard to track if the vendor only releases their
signatures to their closed customer email lists.
Toby
ALL OPINIONS ARE MY OWN AND IN NO WAY REFLECT THE VIEWS OF MY EMPLOYER
(in case anyone missed it the first time)
Toby Kohlenberg, CISSP, GCIA
Intel Corporate Information Security
Security Technology and Testing Team
Senior Information Security Specialist
503-264-9783 Office & Voicemail
877-497-1696 Pager
"Just because you're paranoid, doesn't mean they're not after you."
PGP Fingerprint:
92E2 E2FC BB8B 98CD 88FA 01A1 6E09 B5BA 9E84 9E70
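The two alerting policies argued over above (alert on every matching request, or only when the return traffic suggests the attack succeeded) can be shown in a few lines. The following is an added example for this thread, not code from ISS, NetworkICE or anyone on the list. The traffic is constructed; the request-line pattern is the well-known Code Red /default.ida form, and treating an HTTP 200 on that URL as "success" is an assumption made for the demo, not a real confirmation of compromise.

```python
"""Attempt-vs-confirmed alerting over request/response pairs.

Added example (not from the original thread). Flows, signature and the
success heuristic are all constructed/assumed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One client request and the status code the server answered with."""
    client: str
    request_line: str
    response_status: int


# Hypothetical request-side signature: Code Red-style GET for /default.ida
# with a long run of N/X padding in the query string.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?[NX]{20,}")

# Constructed sample traffic (not a real capture).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "GET /default.ida?" + "N" * 40 + "%u9090%u6858 HTTP/1.0", 200),
    Flow("10.0.0.6", "GET /default.ida?" + "N" * 40 + "%u9090%u6858 HTTP/1.0", 404),
    Flow("10.0.0.7", "GET /index.html HTTP/1.0", 200),
    Flow("10.0.0.8", "GET /default.ida?" + "X" * 40 + "%u9090%u6858 HTTP/1.0", 500),
]


def matches(flow: Flow) -> bool:
    """Request-side match only: what a pure 'signature count' IDS sees."""
    return bool(CODE_RED_RE.search(flow.request_line))


def classify(flow: Flow):
    """Return None (no match), 'attempt' or 'success'.

    Assumption for the demo: a 200 on the exploit URL counts as success,
    anything else as a failed attempt. A real sensor would need to inspect
    the response body or later traffic before claiming success.
    """
    if not matches(flow):
        return None
    return "success" if flow.response_status == 200 else "attempt"


def alerts(flows, confirmed_only: bool):
    """Produce (client, verdict) alerts under one of the two policies.

    confirmed_only=False : alert on every attempt (what the reply asks for).
    confirmed_only=True  : alert only when the return packets suggest success
                           (the vendor policy that looked like a missed attack).
    """
    out = []
    for f in flows:
        verdict = classify(f)
        if verdict is None:
            continue
        if confirmed_only and verdict != "success":
            continue
        out.append((f.client, verdict))
    return out


if __name__ == "__main__":
    print("alert on attempts :", alerts(SAMPLE_FLOWS, confirmed_only=False))
    print("confirmed only    :", alerts(SAMPLE_FLOWS, confirmed_only=True))
```

Run against a test rig where the target answers 404 (no .ida mapping), the confirmed-only policy produces nothing at all, which is exactly the situation described above where customers concluded the sensor had missed the attack. Whichever policy is chosen, the verdict should be carried in the alert so that the analyst can tell "attempt" from "confirmed" rather than having the distinction silently collapse into "no alert".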