Subject: IDS: RE: IDS Comparison
From: Lister, Justin (justin.listercsfb.com)
Date: Wed Mar 08 2000 - 19:03:08 CST
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
--- [IDS Admin] - Forwarding bounced messages:
1. RE: IDS: IDS Comparison [Dragos Ruiu <drdursec.com>]
2. IDS Comparison - Conclusion ["Matthew J. Harmon" <xyzkalifornia.com>]

From: Dragos Ruiu <drdursec.com>
Organization: kyx.net
To: "David Newman" <dnewmannetworktest.com>, "Robert Graham" <robert_david_grahamyahoo.com>, "Bill Royds" <broydsHome.com>, "Ron Gula" <rgulanetwork-defense.com>, "John S Flowers" <jflowershiverworld.com>
Subject: RE: IDS: IDS Comparison
Date: Wed, 8 Mar 2000 14:46:26 -0800
Cc: <idsuow.edu.au>
On Tue, 07 Mar 2000, David Newman wrote:
>
> Perhaps you were referring to the amount of bandwidth available for user
> data after we factor out Sonet/SDH and ATM overhead? Still, a 66-percent hit
> is way high, even when ATM is used; 25 percent is probably more like it with
> IP-over-ATM-over-Sonet and an Internet packet size distribution model.
>
> What's more, tier-1 ISPs are moving away from ATM and toward packet over
> Sonet, where the overhead is a lot lower (for example, around 600 Mbit/s of
> a 622-Mbit/s pipe is available for data).
>
> > , it's beginning to look like BlackICE can keep up with OC12 as well.
> > BlackICE is very, very fast, and I'm pretty sure it is the fastest IDS.
>
> Much as I'm enjoying the current flamefest, would you kindly either put up
> independent verification of such claims, or refrain from making them? Not to
> single out Network ICE, but the many claims and counterclaims made in recent
> days are misleading, even to the learned readers of this list.
>
> Regards,
> David Newman
> Network Test
>
> ps. Disclaimer: Yes, my company conducts independent benchmarks. No, my
> comments are not self-serving; we do not conduct testing for vendors, and I
> have no particular biases for/against any particular IDS vendor.
I have seen numerous benchmarks that claim single processor db transaction throughput in excess of 600Mbps. As far as I can see the bottlenecks are still all in the PCI busses, so I imagine that OC12 is feasible with lots of RAM, SMP and multiple adapters on multiple busses. Not a cheap solution but the claim of a software OC12 pattern matcher/IDS does not seem so incredulous. If you throw enough traffic routing and machines/CPUs at it you should be able to do OC-48 but one can arguably start to ask how many 4-8 processor Xeons and Cisco front ends you can throw at it before you're obliged to call it a hardware solution :-)....

With protocol selective (or 7 layer or pick your favorite marketing euphemism) rule checking and a nice tight ruleset that may fit in RAM/cache I see no reason why this couldn't be achieved by snort, dragon, NFR, ICE, ARMOR, or your favorite McIDS... (Sorry, had to keep with the sarcastic tone of the discussion... :-) running in today's 1Gbps+ processor cores.
Disclaimer: We haven't done benchmarks for anyone besides ourselves... yet. :-)
--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver
Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org, RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com
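The overhead figures argued over in the quoted text (a 66 percent hit versus about 25 percent for IP over ATM, and roughly 600 of 622 Mbit/s usable with packet over SONET) can be checked with a small model. What follows is an added example for this archive page, not code from anyone in the thread: it starts from the standard OC-12 line rate and STS-12c payload capacity, then computes the IP bandwidth left after AAL5/LLC-SNAP cell tax versus PPP/HDLC framing for a packet-size mix. The 9-byte POS framing overhead (flag, address, control, 2-byte protocol, 32-bit FCS, ignoring byte stuffing) and the packet-size mix are assumptions, so the percentages it prints are illustrative of how the overhead depends on packet size, not a measurement.

```python
import math
from typing import Callable, Dict

# SONET/SDH figures (standard values): OC-12 line rate and the STS-12c
# payload capacity left after section, line and path overhead.
OC12_LINE_RATE_MBPS = 622.08
STS12C_PAYLOAD_MBPS = 599.04

# ATM / AAL5 framing (standard values).
ATM_CELL_BYTES = 53
ATM_CELL_PAYLOAD_BYTES = 48
AAL5_TRAILER_BYTES = 8
LLC_SNAP_BYTES = 8  # RFC 1483/2684 LLC/SNAP encapsulation header

# Assumption: PPP/HDLC framing per packet for packet over SONET
# (flag + address + control + 2-byte protocol + 32-bit FCS); byte
# stuffing expansion is ignored.
POS_FRAME_OVERHEAD_BYTES = 9


def atm_wire_bytes(ip_len: int) -> int:
    """Bytes on the wire for one IP packet as AAL5/LLC-SNAP over ATM.

    The packet plus encapsulation and trailer is padded up to whole
    48-byte cell payloads, and every cell carries a 5-byte header.
    """
    sdu = ip_len + LLC_SNAP_BYTES + AAL5_TRAILER_BYTES
    cells = math.ceil(sdu / ATM_CELL_PAYLOAD_BYTES)
    return cells * ATM_CELL_BYTES


def pos_wire_bytes(ip_len: int) -> int:
    """Bytes on the wire for one IP packet in PPP/HDLC framing (POS)."""
    return ip_len + POS_FRAME_OVERHEAD_BYTES


def link_efficiency(mix: Dict[int, float],
                    wire_bytes: Callable[[int], int]) -> float:
    """Fraction of framed bytes that are IP payload.

    mix maps IP packet length to its share of packets by count; the
    shares do not need to sum to one because only the ratio matters.
    """
    payload = sum(size * share for size, share in mix.items())
    wire = sum(wire_bytes(size) * share for size, share in mix.items())
    return payload / wire


def user_data_rate_mbps(mix: Dict[int, float],
                        wire_bytes: Callable[[int], int]) -> float:
    """IP payload bandwidth on an OC-12 after SONET and framing overhead."""
    return STS12C_PAYLOAD_MBPS * link_efficiency(mix, wire_bytes)


def overhead_hit_percent(mix: Dict[int, float],
                         wire_bytes: Callable[[int], int]) -> float:
    """Percentage of the 622.08 Mbit/s line rate lost to all overhead."""
    rate = user_data_rate_mbps(mix, wire_bytes)
    return 100.0 * (1.0 - rate / OC12_LINE_RATE_MBPS)


# Constructed packet-size mix (shares by packet count) for illustration;
# this is not a measured Internet distribution.
SAMPLE_MIX = {40: 0.5, 576: 0.1, 1500: 0.4}


if __name__ == "__main__":
    for label, fn in (("IP over ATM over SONET", atm_wire_bytes),
                      ("Packet over SONET", pos_wire_bytes)):
        print(f"{label}:")
        for size in sorted(SAMPLE_MIX):
            eff = link_efficiency({size: 1.0}, fn)
            print(f"  {size:5d}-byte packets: {fn(size):5d} wire bytes, "
                  f"{100 * eff:5.1f}% efficient")
        print(f"  sample mix: {user_data_rate_mbps(SAMPLE_MIX, fn):6.1f} Mbit/s "
              f"usable, {overhead_hit_percent(SAMPLE_MIX, fn):4.1f}% hit")
```

The point the model makes visible is that ATM cell tax is dominated by small packets: a 40-byte packet needs two cells (106 bytes on the wire), so a mix heavy in TCP acknowledgements pushes the overhead well past the roughly 12 percent that 1500-byte packets alone would cost, while PPP/HDLC framing stays a few percent regardless of the mix.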
Date: Tue, 7 Mar 2000 18:20:25 -0800 (PST)
From: "Matthew J. Harmon" <xyzkalifornia.com>
To: idsuow.edu.au
Subject: IDS Comparison - Conclusion
In-Reply-To: <20000306213828.28095.qmailweb118.yahoomail.com>
Message-ID: <Pine.LNX.4.21.0003071802330.12223-100000james.kalifornia.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Putting myself in harm's way, I am posing the following question:

Of the following NIDS/HIDS products, what are the -realistic- pros and cons:

RealSecure (ISS)
NetRanger (Cisco)
BlackICE (NetworkICE)
CyberCop (NAI)
Dragon (Network Security Wizards)
NFR (NFR, Inc.)
ARMOR (??)
-- insert any other --
Here is a summary of a sensible comparison: Speed, Update Lag (Zero Day, etc), Defrag, Stability/Reliability, Number of Exploits, Bandwidth Cap, Platform, insert any others.
I have my own opinions, however I am looking to get feedback from the industry as a whole.
At current, there are questions arising as to the platform stability (NT), and processing ability of certain products. Currently I am at the point of needing to make recommendations for an IDS. We are most likely going to be placing it outside of the FW (Currently Raptor - however we have had some -serious- problems with their support and configuration) however - that is not the point of this question.
Although a bit bold - I am looking for a no-holds-barred comparison. Company representatives are requested to make official statements that will most likely be competed with, that's the point of my question. If your product was left out,
Matthew J. Harmon
InfoSec Professional