R: IDS evaluation
From: Gianpiero Porchia (gianpiero.porchia@atsweb.it)Date: 08/24/02
- Previous message: Gary Halleen: "RE: IDS evaluation"
- In reply to: Elijah Savage: "IDS evaluation"
- Next in thread: greg.jensen@attbi.com: "Re: R: IDS evaluation"
- Reply: greg.jensen@attbi.com: "Re: R: IDS evaluation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Gianpiero Porchia" <gianpiero.porchia@atsweb.it> To: "Elijah Savage" <esavage3@csc.com> Date: Sat, 24 Aug 2002 12:18:57 +0200
Hi,
In my company, we are using the NFR NID. I can briefly show you some basic
features of this system:
- the whole system is a 3-tier architecture:
1) Network sensor
2) Distribuited Data Broker (DDB), DBMS
3) System Administration Console, Data Analysis Tool
1) Network sensor: analyze the network traffic, using both stateful pattern
matching and protocol anomaly detection. You can modify the detection
algorithms, or you can write your own, using N-code, an event-based language
(a cross between C and PERL). The sensor send every alert to DDB, or spool
them if the DDBs are unavailable.
There are 4 flavours of network sensors:
a) 320D: two giga (for HA), and a 100 interfaces, for sniffing + 100 for
management
b) 320S: one giga and a 100 interfaces + 100 f.m.
c) 315: two 100 interfaces + 100 f.m.
d) 310: one 100 interface + 100 f.m.
Every sensor is selled as an appliance, based on a dual CPU architecture.
The OS is an hardned FreeBSD, running on a CD (tamper-proof). Only the 310
is available as software only.
2) DDB: collect the datas coming from the sensors, and send the
configuration changes back to them. It stores the data in its own DB, and
can send them to other DBMS (using ODBC).
It runs on Solaris or Linux boxes.
3) System Administration and Data Analysis Tool: you can manage the whole
DIDS from one or more of this stations. You can create user groups and grant
them to analyze only the alerts, the manage the system, to modify the
detection alghoritms etc. Using the Data Analysis tool, you can allow your
forensics team, to study the data collected, using complex correlation
methods, and to split them, example showing only the datas for Web
Forensics, or for System Forensics.
This tools run on Windows box.
More on www.nfr.com
Personal Opinions
------------------
I think that the strenghts of the system are:
a) Good performance with heavy weight traffic (up to 800MB), tested in our
labs
a.1) Low ratio of false positives
b) Simple to deploy and to manage in a wide enviroment
c) Highly Customizable, you can modify or write your own detection
algorithms (example I've writed some network testing backend)
d) Simple to tune, you need to modify only some enviroment variables
The weaknesses:
i) The reporting system, is more technical oriented than management
oriented, ie actually you don't have shining reports, but you have all the
data that you need for forensics and for incident handling.
ii) The management interface, sometimes is hard to handle.
If you need other informations, you can contact me.
Ing. Gianpiero Porchia
Security Engineer
ATS - Advanced Telecom Systems
Designing, Testing, Managing Network Quality
Via Salgari, 17 - 41100 Modena - ITALY
Tel +39 059 821332
Fax +39 059 821492
E-mail: gianpiero.porchia@atsweb.it
Web site: http://www.atsweb.it
-----Messaggio originale-----
Da: Elijah Savage [mailto:esavage3@csc.com]
Inviato: mercoledi 21 agosto 2002 22.04
A: focus-ids@securityfocus.com
Oggetto: IDS evaluation
I am coming to you experts for a little help. It has come time to renew our
maintenance contract with cisco we have the old netranger product. Well my
company wants me to do a review of 3 products of my choice to see what
other products may provide us a better solution that what we currently
have. We have 12 IDS sensors currently. Can you all recommend 3 products
that will be worth my time to take a look at?
I would greatly appreciate any answers.
- Previous message: Gary Halleen: "RE: IDS evaluation"
- In reply to: Elijah Savage: "IDS evaluation"
- Next in thread: greg.jensen@attbi.com: "Re: R: IDS evaluation"
- Reply: greg.jensen@attbi.com: "Re: R: IDS evaluation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
