Re: R: IDS evaluation: NFR Security

From: David W. Goodrum (dgoodrum@nfr.com)
Date: 08/26/02


Date: Mon, 26 Aug 2002 15:38:34 -0400
From: "David W. Goodrum" <dgoodrum@nfr.com>
To: greg.jensen@attbi.com

Hmmm.... I'll try to keep as level a head as possible here. :) Please
forgive me if I start to rant.

Ship an engineer with the box?!?!? When was the last time you took a
look at NFR? Our NID Sensors probably install easier than any other
sensor on the market. The NID boots off a CD, you are asked a few
questions (like, what IP address would you like to give to the
management interface, etc), and you're done. That's it! You are up,
sniffing, recording, and alerting!

Or maybe you're talking about the difficulty in setting up our CMS (aka
DDB). The CMS is designed to have many NIDs reporting to it, so that
all the data/alerts can be in one place for easy correlation analysis.
Well, if you have a tough time running install.sh, and having it ask you
how much disk space you want NFR's database to use, then yes, I can see
how you might find it difficult. I mean, imagine the hassle of having a
database that controls its own disk size, so you never have to worry
about being a database admin. (sorry about the extreme sarcasm there)

And you can't be talking about the Admin Interface. The Admin Interface
is an easy tool that ANYBODY can install on their desktop to view alerts
in realtime, run top 20 reports, or query the database for more forensic
style reporting. The install is only about 3MB, and doesn't require
anything special, since no data is actually stored on the box running
the Admin Interface. So, I know that's not what you're talking about.

Now, some people used to say, "well you have to know how to code your
own signatures to make NFR work".

And to that I say, "stop living in the past and making comments about
products you haven't seen recently."

That statement used to be true... in 1999. In Q1 2000, we hired l0pht
(now @stake) to write over 500 signatures for us. Since then, every one
of those signatures has been replaced by our own Rapid Response Team.
NFR now ships with a complete signature set, keeping state on all major
protocols (DNS, HTTP, SMTP, etc), doing advanced string matching (i.e.
not just grepping a packet for a string, but actually analyzing the
protocol and searching for the string in the appropriate piece of the
packet(s)), as well as protocol anomaly detection (i.e. this does not
look like HTTP on port 80). Most of our customers no longer write their
own signatures, but the ability to do so is available to those who have
special requirements.

NFR's 300 series is about as "out-of-the-box" as it gets.

The fact is, NFR's had the easiest to use 3-tier architecture (many NIDs
to single CMS (aka DDB) to many Admin Interfaces) on the market for a
long time. Just most people don't know about it. And while NFR's
signature set has at times been lacking, it certainly doesn't lack now.
And in terms of advanced signature sets, go read some of our White
Papers on our website about doing protocol analysis and anomaly
detection to effectively catch hackers while reducing false positives.
I hope people aren't dinging us because we let you review the code
behind our signature set, or let you write your own signatures.

Still don't believe me? I'd be happy to arrange a demo for you. :) Or
anybody else for that matter. Also, I'll be at the SecureWorld Expo in
Seattle in September, and can show you what I'm talking about. Or, SANS
in DC in October.

David W. Goodrum
Senior Systems Engineer
NFR Security
Mobile: 703.731.3765
Office: 240.747.3425

greg.jensen@attbi.com wrote:
>
> I think those of you who know Marcus Ranum (NFR
> Founder/creator) know his background. He was a driving
> force behind the creation of the Gauntlet Firewall and
> FWTK, however, in the world of firewalls, the old
> Gauntlets had one major problem, that NFR suffers with
> today.
>
> That is...they are highly sophisticated, capable,
> strong, but the running joke (even internally on the
> old Gauntlet dev teams) was, you had to ship an
> engineer in the box. NFR is no different. Good
> solution for shops that have the additional staff, and
> the extra bandwidth (time/money/people) to put towards
> that project. If you are looking for an "out of box"
> solution, and one that you can show management an ROI,
> one that has great reporting, ease of use, and
> simplicity to manage...NFR is not strong here.
>
> To sum up...it is for the "binary-type" who want to dig
> into the nuts and bolts. Most security folks are
> working under limited budgets, strapped-for-employee
> staffs, and don't have the luxury to use such a
> product, as opposed to the dozens of other products
> that are a bit closer (though not perfect) to the "out
> of box" concept.
>
> -GJ
> > Hi,
> >
> > In my company, we are using the NFR NID. I can briefly show you some basic
> > features of this system:
> >
> > - the whole system is a 3-tier architecture:
> > 1) Network sensor
> > 2) Distributed Data Broker (DDB), DBMS
> > 3) System Administration Console, Data Analysis Tool
> >
> > 1) Network sensor: analyzes the network traffic, using both stateful pattern
> > matching and protocol anomaly detection. You can modify the detection
> > algorithms, or you can write your own, using N-code, an event-based language
> > (a cross between C and PERL). The sensor sends every alert to the DDB, or
> > spools them if the DDBs are unavailable.
> > There are 4 flavours of network sensors:
> > a) 320D: two giga (for HA) and a 100 interface for sniffing + 100 for
> > management
> > b) 320S: one giga and a 100 interfaces + 100 f.m.
> > c) 315: two 100 interfaces + 100 f.m.
> > d) 310: one 100 interface + 100 f.m.
> > Every sensor is sold as an appliance, based on a dual CPU architecture.
> > The OS is a hardened FreeBSD, running from a CD (tamper-proof). Only the 310
> > is available as software only.
> >
> > 2) DDB: collects the data coming from the sensors, and sends the
> > configuration changes back to them. It stores the data in its own DB, and
> > can send it to other DBMSs (using ODBC).
> > It runs on Solaris or Linux boxes.
> >
> > 3) System Administration and Data Analysis Tool: you can manage the whole
> > DIDS from one or more of these stations. You can create user groups and grant
> > them rights to analyze only the alerts, to manage the system, to modify the
> > detection algorithms, etc. Using the Data Analysis tool, you can allow your
> > forensics team to study the data collected, using complex correlation
> > methods, and to split it, for example showing only the data for Web
> > Forensics, or for System Forensics.
> > These tools run on a Windows box.
> >
> > More on www.nfr.com
> >
> > Personal Opinions
> > ------------------
> >
> > I think that the strengths of the system are:
> > a) Good performance with heavy weight traffic (up to 800MB), tested in our
> > labs
> > a.1) Low ratio of false positives
> > b) Simple to deploy and to manage in a wide environment
> > c) Highly customizable: you can modify or write your own detection
> > algorithms (for example, I've written some network testing backends)
> > d) Simple to tune: you need to modify only some environment variables
> >
> > The weaknesses:
> > i) The reporting system is more technically oriented than management
> > oriented, i.e. you don't actually have shiny reports, but you have all the
> > data that you need for forensics and for incident handling.
> > ii) The management interface is sometimes hard to handle.
> >
> > If you need more information, you can contact me.
> >
> >
> > Ing. Gianpiero Porchia
> > Security Engineer
> > ATS - Advanced Telecom Systems
> > Designing, Testing, Managing Network Quality
> >
> > Via Salgari, 17 - 41100 Modena - ITALY
> > Tel +39 059 821332
> > Fax +39 059 821492
> > E-mail: gianpiero.porchia@atsweb.it
> > Web site: http://www.atsweb.it
> >
> >
> > -----Original Message-----
> > From: Elijah Savage [mailto:esavage3@csc.com]
> > Sent: Wednesday 21 August 2002 22:04
> > To: focus-ids@securityfocus.com
> > Subject: IDS evaluation
> >
> >
> > I am coming to you experts for a little help. It has come time to renew our
> > maintenance contract with Cisco; we have the old NetRanger product. Well, my
> > company wants me to do a review of 3 products of my choice to see what
> > other products may provide us a better solution than what we currently
> > have. We have 12 IDS sensors currently. Can you all recommend 3 products
> > that will be worth my time to take a look at?
> >
> > I would greatly appreciate any answers.
> >

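The distinction Goodrum draws above, between grepping a whole packet for a string and parsing the protocol first so the signature is checked only against the field it belongs to (plus reporting port-80 traffic that does not parse as HTTP as a protocol anomaly), as an added Python example. This is illustrative code written for this page, not NFR's N-code or any NFR signature; the `uri-traversal` rule name, the `Packet`/`inspect`/`raw_grep` names and the four sample packets are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed signature (hypothetical rule name, not an NFR signature):
# fire only when "../" appears in the HTTP request URI.
SIGNATURES = {"uri-traversal": b"../"}

HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}
HTTP_VERSION_RE = re.compile(r"^HTTP/\d\.\d$")


@dataclass
class Packet:
    dst_port: int
    payload: bytes


@dataclass
class HttpRequest:
    method: str
    uri: bytes
    version: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_http_request(payload: bytes) -> Optional[HttpRequest]:
    """Minimal HTTP/1.x request parser: request line, header block, body.
    Returns None when the payload is not a well-formed HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    try:
        method = parts[0].decode("ascii")
        version = parts[2].decode("ascii")
    except UnicodeDecodeError:
        return None
    if method not in HTTP_METHODS or not HTTP_VERSION_RE.match(version):
        return None
    headers: Dict[str, str] = {}
    for raw in lines[1:]:
        name, colon, value = raw.partition(b":")
        if not colon:
            return None  # a header line without ':' is not HTTP
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    return HttpRequest(method, parts[1], version, headers, body)


def raw_grep(packet: Packet) -> List[str]:
    """Naive approach: search the entire payload for each signature string."""
    return [name for name, pat in SIGNATURES.items() if pat in packet.payload]


def inspect(packet: Packet) -> List[str]:
    """Protocol-aware approach: parse first, then match only inside the URI.
    Port-80 traffic that does not parse as HTTP is reported as an anomaly."""
    if packet.dst_port != 80:
        return []
    req = parse_http_request(packet.payload)
    if req is None:
        return ["anomaly:non-http-on-80"]
    return [f"signature:{name}" for name, pat in SIGNATURES.items() if pat in req.uri]


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    # 1: traversal string in the URI -> both methods should fire
    Packet(80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    # 2: same string, but only in a form body -> raw grep false positive
    Packet(80, b"POST /guestbook HTTP/1.0\r\nHost: www.example.com\r\n"
               b"Content-Length: 28\r\n\r\nsee the path ../ in my notes"),
    # 3: an SSH banner on port 80 -> not HTTP, protocol anomaly
    Packet(80, b"SSH-2.0-OpenSSH_3.4\r\n"),
    # 4: ordinary request -> nothing
    Packet(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"port {pkt.dst_port} {pkt.payload[:30]!r:36} "
              f"grep={raw_grep(pkt)} proto={inspect(pkt)}")
```

Running the block prints, per sample packet, what a whole-payload grep flags next to what the protocol-aware path flags: the guestbook POST that merely mentions `../` in its body trips the grep but not the parser-based check, and the SSH banner on port 80 is reported only as an anomaly, which is the false-positive reduction the message is describing.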