Re: NetFlow for IDS

From: Fergus Brooks (fergwa_at_gmail.com)
Date: 07/21/05

  • Next message: Sekurity Wizard: "RE: Editing ISS RealSecure Network Sensor policy from commandline" 
    Date: Thu, 21 Jul 2005 14:58:57 +0800
To: "Gary Halleen (ghalleen)" <ghalleen@cisco.com>

    This is good stuff.

    The 4 products Adam mentioned perform Network Behavioural Anomaly
    Detection (NBAD).

    NBAD is an added layer - complimentary to NIDS/NIPS. This is a very
    good article for those interested:

    http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=163700677&pgno=1

    Despite the marketing pitch, MARS is not an NBAD product and should
    not be in the NBAD quadrant when Gartner puts it together. Aggregation
    and correlation tools like Protego (sorry Cisco..) MARS look at a
    bunch of different information and assess the importance of events - a
    good NBAD product should profile the behaviour of the network in real
    time and not wait for devices to start hinting at issues.

    I have questions about products that depend on flow info from routers
    etc - if you are being badly DDoSed then I am not sure that these
    devices will be accurate in providing the necessary intelligence for
    accurate mitigation. In fact Netflow is widely considered to be
    inaccurate at times ( I can reference examples of 200% utilisation
    reporting etc...), a serious issue for UBB etc, and as we all know
    when the bad stuff happens the availability and integrity of the
    information is extremely important. Hence why most of the NBAD
    platforms can gather information from the wire independent of
    Net/c/sflow via SPAN/tap etc.

    Also Cisco are investors in Arbor and have incorporated Riverhead. The
    Riverhead stuff is very good at dealing with anomalous traffic, and
    they are also pushing MARS as some kind of anomaly detection solution.
    I have also heard that there is some protocol anomlay detection in
    Cisco IDS.

    As a representative of Cisco Gary, perhaps you could let us all know
    what Cisco's roadmap is for these supposedly competing products they
    have invested in? I am confused!

    On 7/19/05, Gary Halleen (ghalleen) <ghalleen@cisco.com> wrote:
    > That list is handy, but incomplete.
    >
    > Cisco MARS should be added. MARS is a SIM product that receives log
    > information from various sources (firewalls, routers, switches, IDS/IPS,
    > host logs, antivirus, and more). It also receives netflow, and can
    > provide very useful security-related information based on it.
    >
    > Gary
    >
    >
    > -----Original Message-----
    > From: Andy Cuff [mailto:lists@securitywizardry.com]
    > Sent: Thursday, July 14, 2005 2:21 PM
    > To: focus-ids@securityfocus.com
    > Subject: NetFlow for IDS
    >
    >
    > Netflow data offers a valuable source of IDS information. To this end
    > Jeff Ames has detailed all known Netflow analysis tools on a single page
    > at http://securitywizardry.com/protNetFlowA.htm
    >
    > As always please notify us of any omissions or errors
    >
    > Regards
    > Andy Cuff
    > Chief Technology Officer
    > Computer Network Defence Ltd
    > http://SecurityWizardry.com
    > Phone (+44) (0) 7968 608945
    >
    >
    >
    >
    > ------------------------------------------------------------------------
    > --
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    > --
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    >
    >

    On 7/19/05, Gary Halleen (ghalleen) <ghalleen@cisco.com> wrote:
    > That list is handy, but incomplete.
    >
    > Cisco MARS should be added. MARS is a SIM product that receives log
    > information from various sources (firewalls, routers, switches, IDS/IPS,
    > host logs, antivirus, and more). It also receives netflow, and can
    > provide very useful security-related information based on it.
    >
    > Gary
    >
    >
    > -----Original Message-----
    > From: Andy Cuff [mailto:lists@securitywizardry.com]
    > Sent: Thursday, July 14, 2005 2:21 PM
    > To: focus-ids@securityfocus.com
    > Subject: NetFlow for IDS
    >
    >
    > Netflow data offers a valuable source of IDS information. To this end
    > Jeff Ames has detailed all known Netflow analysis tools on a single page
    > at http://securitywizardry.com/protNetFlowA.htm
    >
    > As always please notify us of any omissions or errors
    >
    > Regards
    > Andy Cuff
    > Chief Technology Officer
    > Computer Network Defence Ltd
    > http://SecurityWizardry.com
    > Phone (+44) (0) 7968 608945
    >
    >
    >
    >
    > ------------------------------------------------------------------------
    > --
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    > --
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    >
    >

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------

  • Next message: Sekurity Wizard: "RE: Editing ISS RealSecure Network Sensor policy from commandline"

    Relevant Pages

    • Re: Looking for feedback on anomaly-based IDS systems
      ... I run the Enterasys Dragon NBAD in conjunction with Sig Based IDS. ... I have a Dragon Security Command Console. ... I think of NBAD as reverse signature based. ...
      (Focus-IDS)
    • RE: NetFlow for IDS
      ... Cisco MARS should be added. ... Subject: NetFlow for IDS ... Netflow data offers a valuable source of IDS information. ... with real-world attacks from CORE IMPACT. ...
      (Focus-IDS)