Subject: Re: IDS Testing (WAS: Re: IDS: kernel implementations)
From: Mark Teicher (mark.teicher@networkice.com)
Date: Mon Jul 24 2000 - 22:11:23 CDT


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------

At 06:29 PM 7/24/00 +0100, Talisker wrote:
> >
> > - Speed
> > - Accuracy
> > - Response Latency
> > - Overhead
> > - Noise
> > - Stimulus Load
> > - Variability
> > - Usability
>
>Greg
>I like your criteria a lot. I'd like to add a few things that are down on the
>list of importance.
>
>Whilst I hate to use the C word, how about Cost? I often see this as the
>bottom line and have to compromise most other things to meet it. Much as I
>want to recommend a Rolls Royce solution, if the budget will only stretch to
>a Trabant then that's all they can have.

Cost should not be used as a criterion to evaluate the varying differences in
IDS. Cost is a management/executive decision. Basically they say to
themselves, if they have x and the choices are the following: 1. A Cadillac
with lots of armor plating and bulletproof tires (can withstand a direct
grenade hit); 2. An Austin Healy with a bulletproof rear windshield; or 3. A
Pinto that has a cardboard cutout of an Audi on top of it, can take one or
two shots, but if it rains the cardboard gets soggy, or if it is real windy,
the cardboard flies away.

Cost should be a concern when evaluating an IDS system. Cost again is a
management decision: spend the least amount of money on something that
won't get obsoleted in two months or 3 months. :)

>Presentation of alerts: HTML seems to be becoming more popular. Call me old
>fashioned, but I like the way a GUI frontend can put more data on the screen.
>
>Ability to write ones own signatures

It's more the learning curve, the ease of writing one's own signatures. Every
single IDS product has the ability for an administrator or someone
knowledgeable to craft their own IDS signature. It really is the learning
curve: it takes a savvy administrator to learn the differences in N-Code,
Axent verbiage, and ISS Connection/User Defined, etc.
N-Code, for a savvy user, takes about 3 months to learn, about 9 months to
master and about a year to code at MJR's cat level. ISS Connection/User
Defined: days to figure out, months to muck it up, and many months to
maintain or clean up since RealSecure updates/obsoletes/renames signatures
on a quarterly basis. Axent, well, according to their website they update
quarterly, but the last update was quite some time ago, prior to the latest
3.5 release.

>There's a few other things but I'm already starting to sound like a wish
>list. I put a "possible Features" list together some time ago and put it on
>the NIDS page. Some of the things seem a little lame now in retrospect,
>but.....
>www.networkintrusion.co.uk net ids (the direct link isn't working at the
>moment)

Features: The biggest feature one should be observant of is whether the IDS does
its job. Can one use common kiddie scripts and see the alert in the
display, or display the event from the database? What parameters are
recorded (i.e., the details)?

Basically, you know how to drive a car; fundamentally there is no
difference in driving a Cadillac, an Austin Healy or a Pinto. Of course,
the ride is smooth in the Cadillac, a little noisy in the Austin Healy, and
possibly quite dangerous in the Pinto. But driving is the same. Turn the
key, aim the car and go. Well, just don't get rear-ended in the Pinto, and
make sure the cardboard stays duct-taped to the car.