RE: Juniper and ISS Protocol Anomaly Detection Evaluation



Another key point to keep in mind while working on protocol anomalies is
the difference between anomalies like UDP checksum zero, which is a very
common phenomenon versus HTTP directory traversal like anomalies which
are sure signs of a person trying to exploit. Also keep in mind that
protocol anomalies whould be judged with respect to individual systems.
So,the security appliance should be provisioned with the granularity to
switch off the anomalies for a single/group of hosts.

Thanks
Proneet.

---------------------------------------------------------------
To have known the best, and to have known it for the best, is success in
life.


-----Original Message-----
From: Eric Hanselman [mailto:ehanselman@xxxxxxxxxxxx]
Sent: Wednesday, May 17, 2006 2:17 PM
To: Steven.Williams@xxxxxxxxxxxxxxxxxxxx
Cc: Reynolds, Wayne; Mike Youngs; focus-ids@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Juniper and ISS Protocol Anomaly Detection Evaluation


Folks,

First off, I work for ISS. While this certainly colors my perspective,
I hope that I can add some value.

The Sentriant Security Appliance is a nice idea for managing security in

an Extreme switch today. The detection is pretty limited, though. If
you need something to knock down worm propagation, it will do the trick
at very high speed. Extreme understands the limitations of the
technology and that's why they have partnered with ISS in taking it to
the next level by using ISS X-Force security info. Check out the press
announcements from Interop. While this was a proof of concept that was
demo'd, one might reasonably expect products around this in the
not-too-distant future.

As to the question on the difference in ISS and Juniper's protocol
anomaly detection, this seems to really miss the underlying security
differences. Protocol anomaly detection is a very small piece of
protection. While you should care if attackers are violating RFC's,
it's much more important to determine how well your security provider
detects higher level attacks. Does the solution detect fragmented RPC
attacks? At what minimum fragment size? The Juniper folks have some
difficulties here.

A great test tool to prove all of this is Metasploit. Fire up their WMF

exploit and see who catches it.

Bob Waldron at NSS is about to release the latest round (edition 4) of
his test results. If you can't do the testing yourself, contact him to
see if you can purchase an early copy of the results. He provides
objective criteria and gives detailed analysis.

Hope that this helps.

- Eric

-------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------