Subject: Axent Products - WAS: Re: IDS: IDS for Win2k
From: Greg Shipley (gshipley@neohapsis.com)
Date: Fri Mar 31 2000 - 02:42:32 CST


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------

On Thu, 30 Mar 2000, Bryan Nairn wrote:

> This message is directed toward Chad, or anyone else having in-depth knowledge of
> Axent products. Since I can't seem to get answers to my questions through normal
> channels, I'm posing them here.

Not sure how in-depth my response will be, but I do have some experience
with them. Here goes:
 
> Given a NetProwler device located on the external side of the
> firewall, running a moderate attack detection policy, at what point
> will I see a degradation in performance due to bandwidth? I realize
> this is extremely vague and subjective.

When I did testing on NetProwler (as well as a bunch of other NIDSs - see
http://www.nwc.com/1023/1023f1.html) I tried to determine the "breaking
point" of these products. What I found with NetProwler, running on a
500 MHz PIII-based machine, was that it would start dropping packets around
42% utilization of 100 Mbps (about 8,000 pps on our test LAN), HOWEVER,
as strange as this may sound, that didn't seem to affect its usefulness.
I couldn't get it to actually miss many attacks. So it was dropping
packets (frames?) but still catching all of my attacks. (Minus, of
course, fragmented attacks which it missed entirely - NetProwler doesn't
do fragmentation re-assembly).

Keep in mind though that NetProwler has an approach that many other
network-based IDSs do not: it expects its operators to profile the
"protected" LAN. NetProwler builds its policy on a per-machine basis.
Because of this, it forces you to optimize it out of the box (it won't run
without launching a profile process, first). This allows it to discard a
lot of things other IDSs will inspect, HOWEVER, this isn't always a good
thing. (thread for another time). My point is that NetProwler was
optimized on my test network to "watch" over a couple dozen machines -
ONLY. Just keep that in mind - like NFR, I don't know how well it will
scale.

> Does the product perform packet reassembly, or can I circumvent the
> product by launching assaults utilizing fragmented packets?

It does NOT perform packet re-assembly. Or at least, the version I tested
a few months ago did not. Fire up Dug's fragrouter and you'll walk right
past it.

 
> Can I purchase a NetProwler appliance?

No idea. They were using that NetBoost technology at SANS last year,
yeah? I never saw anything that was shipping though... Axent? You guys
on this list?

 
> Is it correct that the sensor/engine portion of the product only runs on NT?

As far as I know, yes, the network-based portion (NetProwler) only runs on
NT. It came from the Internet-tools product, ID-trak (I think that's what
it was called) which was an NT-only product as well.

> Can I employ a number of engines throughout a large network
> environment and have them report back to a central console and data
> repository?

Yup - and Axent will tell you it all plugs into Intruder Alert. However,
before you swallow that one, I'd recommend you *try* plugging NetProwler
into Intruder Alert. It's, uh, not fun at all (and a PAIN to view stuff
in).

> If so, how many engines are console and how is database synchronization
> performed?

No idea - sorry, can't help ya on this one.

> Lastly if there is a central data repository what database does it use
> and can I write my own hooks to allow for other database integration?

NetProwler can push SNMP traps, which is how Axent ties it into Intruder
Alert. So I know you can do stuff from there, but again, Axent should be
a lot more helpful in a response.

Hope this helps,

-Greg
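Added example, not from Greg's post, from Axent, or from NetProwler: a toy Python matcher that shows the detection-side consequence of the "no fragment re-assembly" point above. A sensor that inspects each IP fragment in isolation cannot see a signature that straddles a fragment boundary, while a sensor that rebuilds the datagram first does. The `Fragment` type, the `fragment`/`reassemble`/`scan_*` functions, and the `CONSTRUCTED-SIGNATURE` string are all constructed for this illustration; nothing touches the network.

```python
"""Toy model of per-fragment vs. reassembled signature matching (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field: shared by all fragments of one datagram
    offset: int     # byte offset of this payload within the original datagram
    more: bool      # "more fragments" flag: False only on the final fragment
    payload: bytes


def fragment(data: bytes, ident: int, size: int) -> List[Fragment]:
    """Split a datagram payload into `size`-byte fragments (constructed test input)."""
    if size <= 0:
        raise ValueError("fragment size must be positive")
    frags = []
    for off in range(0, len(data), size):
        chunk = data[off:off + size]
        frags.append(Fragment(ident, off, off + size < len(data), chunk))
    return frags


def scan_per_fragment(frags: List[Fragment], signature: bytes) -> bool:
    """What a sensor without reassembly does: match each fragment on its own."""
    return any(signature in f.payload for f in frags)


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram from fragments received in any order.

    Returns None when a fragment is missing, offsets gap or overlap (the toy
    refuses to guess how to resolve overlaps), or the final fragment never arrived.
    """
    if not frags:
        return None
    ident = frags[0].ident
    if any(f.ident != ident for f in frags):
        return None
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    expected = 0
    for f in ordered:
        if f.offset != expected:        # gap or overlap
            return None
        buf += f.payload
        expected += len(f.payload)
    if ordered[-1].more:                # tail fragment missing
        return None
    return bytes(buf)


def scan_reassembled(frags: List[Fragment], signature: bytes) -> bool:
    """What a reassembling sensor does: rebuild first, then match."""
    data = reassemble(frags)
    return data is not None and signature in data


# Constructed signature and payload; the signature spans several 8-byte fragments.
SIGNATURE = b"CONSTRUCTED-SIGNATURE"
PAYLOAD = b"prefix " + SIGNATURE + b" suffix"


def demo() -> Dict[str, bool]:
    """Compare both sensors on the same datagram, fragmented and unfragmented."""
    frags = fragment(PAYLOAD, ident=7, size=8)
    whole = fragment(PAYLOAD, ident=7, size=len(PAYLOAD))
    return {
        "fragmented_per_fragment": scan_per_fragment(frags, SIGNATURE),
        "fragmented_reassembled": scan_reassembled(frags, SIGNATURE),
        "out_of_order_reassembled": scan_reassembled(list(reversed(frags)), SIGNATURE),
        "unfragmented_per_fragment": scan_per_fragment(whole, SIGNATURE),
        "unfragmented_reassembled": scan_reassembled(whole, SIGNATURE),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:28s} -> {'ALERT' if hit else 'no alert'}")
```

The interesting row is `fragmented_per_fragment`: the same datagram that alerts when it arrives whole produces no alert once it is fragmented, because no single fragment contains the whole pattern. The reassembling scanner also returns "no alert" rather than a false positive when fragments are missing, which is the conservative choice for a toy; a real sensor would additionally want timeouts and a policy for overlapping fragments.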