From: Golomb, Gary (GGolomb@ENTERASYS.COM)
Date: Thu Jan 18 2001 - 10:20:58 CST
Nuno-
I noticed in your email you spoke of a lack of centralized
management/correlation, and real-time monitoring in Dragon. I apologize if
you are not that familiar with the product, but there is such functionality.
Please see the following link for more information about the Server side of
Dragon.
http://www.securitywizards.com/server-fb.html
Also, I have included the intro to a great article below your email in which
the author tested several IDSes. He specifically addresses the speed of
Dragon Sensor and the scalability and management of the Dragon Server. It is
by Dragos Ruiu <dr@dursec.com>. You might want to track down the whole
article and read it.
As for real-time monitoring, Dragon Console is a component of the server
which allows for this. I have several customers with the console up in their
NOC and it has served them quite well.
If you have any questions about any of the above mentioned products, please
feel free to contact me at any time.
Sincerely-
Gary
-----Original Message-----
From: Nuno Fernandes [mailto:nfernandes@REAL-SECURE.COM]
Sent: Wednesday, January 17, 2001 3:33 PM
To: FOCUS-IDS@SECURITYFOCUS.COM
Subject: Re: Staffing an Intrusion Detection Capability?
Hi,
Ron, I noticed your email is enterasys.com. You guys sell Dragon IDS. I
find it interesting you are asking a question like this. As for staffing,
security personnel come in all shapes and sizes. It's up to the organization
to fill a spectrum skill set in that group. Most products work well on their
own and have no need to have a full dedicated person monitoring it. They
even have managed servers to where all NIDS and/or HIDS report to.
P.S. Can you guys please add that to your product; that is one thing it
lacks: real-time monitoring.
#####
kyxspam: IDS comparison part 1: the phantom menace
>An IDS comparison
>
>Jan 12 2001
>Dragos Ruiu
>
>I've been playing around with intrusion detection systems since the early
>nineties. I first put my home on the internet using various archaic forms
>of peer to peer modem networking in 1986 when I used to run a BBS and usenet
>news off my ancient homebrew 12Mhz 286 System V Unix (still a trademark of
>someone these days :-) system. And it wasn't too long after that (like
>months) before the first hack attempts happened - but it was all in good fun
>those days, everyone knew each other, and no-one got bent out of shape, unlike
>today when this kind of behaviour can earn you serious trouble with the law.
>But ever since those prehistoric computing days, the point that
>intercommunication between systems also poses security problems was made often
>and loudly, and the value of having multiple security systems to detect
>unauthorized access and tampering with computers over the network has been
>proven to me time and time again. So I've had a fascination with the devices,
>which eventually led to this comparison test of Intrusion Detection
>Systems (IDS). IDSes as we know them today are a relatively new phenomenon in
>the computer security field, but they have been improving rapidly and quickly
>becoming more complex, making them difficult for the non-security specialists to
>understand, and similarly difficult to judge when you are entertaining the
>thought of purchasing one. This article is intended to help you understand
>what these boxes are and give you some, hopefully :-), informed opinions about
>the leading products on the market and what applications make sense for
>each.
>
>If you consider firewalls, passwords and encryption are the network
>equivalent of physical world locks and locked boxes, Intrusion Detection
>Systems, IDSes are the network equivalent of burglar alarms. The metaphor
>is quite good, for just like alarms, IDSes are for some and not for others,
>and like alarms are often only truly productive if tended to by
>knowledgeable and professional individuals - for a perfect alarm is of no
>use if there is no response to it.
>
>The current incarnation of network intrusion alarms, a.k.a. IDSes, are
>software and hardware systems that analyze all the traffic they monitor
>and give alarms and alerts if "suspicious" activity is detected (where "suspicious"
>is defined by an ever evolving set of rules as new forms of vulnerability
>are discovered). The IDS industry is rapidly maturing in the area of
>signatures. Last year, the number of signatures standard in IDSes was in the
>hundreds and today some of the products here come with in excess of a thousand
>attack signatures (NSW/Enterasys claims to have over 1400 in their Dragon
>product and though I didn't count, this seems about right). But make no
>mistake, these products still have some ways to go before these attack
>signature databases are truly comprehensive - as my humble estimate of the kinds
>of attacks and exploits that are currently feasible numbers somewhere in excess
>of three thousand (as derived from databases of exploits). All of the
>companies reviewed here have started out with the most popular and significant
>attacks and are slowly filling in their catalog of signatures over time.
>Since new attacks are being discovered all the time on popular lists such as
>Bugtraq, the frequency of updates to these attack signatures from the vendors
>is also important, much like virus signature updates are important in an
>antivirus package. It's difficult to judge the vendors' performance in this
>area, but it's fair to say that each of the vendors in this test
>seems to upgrade their software anywhere from once to twice a year with major
>new releases.
>
>IDS is a relatively new technology, but it is increasing in popularity,
>driven by the number of people starting to entrust valuable or mission
>critical data to computer systems that they feel a need to install good risk
>management for. Along with this popularity comes a large number of
>commercial entrants, and new products, all with varying marketing claims -
>making purchase and evaluation difficult, particularly as the operation of
>these early generation systems is still an enormously technical task,
>requiring a fairly deep and broad knowledge of networking protocols and
>technology. The difficult part of this kind of evaluation is trying to
>identify the real usefulness of these technologies in improving your security.
>The complexity of the IDS devices has led some to start being negative about the
>entire concept of an alarm system, but in my humble opinion they are an inevitable
>evolution of network functions for some applications. So since some of you will
>have to deploy IDS systems, SecurityPortal.com, and dragostech.com inc. have
>commissioned this technical study of the market leading professional IDS
>systems.
>
>Because these systems are so complicated, finding technical staff who truly
>understand the operations of IDS can be difficult, and I recommend that if
>you're going to spend the money on alarming your network, it might also be a
>worthwhile expenditure to bring in an outside consultant for a day to tweak,
>tune, and optimize your IDS setup rule sets for your network specifics as well
>as training your operator - this seemingly small step can make a major
>difference to the efficacy of the protection that an IDS can provide. I
>undertook this review because, given the relative dearth of expertise in this
>area, I can hopefully fill in some blanks for the reader. Having written some
>IDS components myself (including one of the systems under review here, Snort)
>I should know a thing or two about the technology and be able to make some
>fair judgements, maybe even saving you some time in evaluating purchase
>decisions for this rapidly emerging technology.
>
>The Test Subjects
>
>A call was sent out to each of the major IDS vendors to provide us their
>products, with varying degrees of response. Several vendors were contacted,
>and at the end of the day the ones most anxious to strut their stuff and
>proud of their products were a handful of mid-size, what I would call
>technology leaders, that were left participating. Interestingly, all of the
>big players bowed out:
>
>Network Associates was asked for their (I'm now told it's discontinued)
>CyberCop:Monitor IDS and their new personal IDS product built into PGP.
>They promised us to send copies, but they never arrived - which was
>interesting since their about face was after we noted that the big Achilles
>heel of IDS applications is that they are extremely CPU intensive at high
>data rates, and a major part of our tests included performance tests (we'll
>cover the test methodology shortly). Some unofficial off the record testing
>indicates that signature coverage of the NA systems is still err... "maturing."
>
>Internet Security Systems was asked to provide their market share leading
>RealSecure IDS. They declined on the basis that our performance testing was
>focused primarily on the network aspects of IDS and wouldn't properly
>highlight their extensive host based checking. This wasn't surprising,
>because unofficial gossip had it that ISS routinely refuses to participate
>in evaluations because they feel that as a market leader they can only hurt
>their image in comparisons - which are my words not theirs. Unsubstantiated
>gossip (and maybe a few unauthorized tests or two :-) says that they are
>fairly thorough, extremely expensive, and certainly not amongst the fastest,
>but we won't see that verified with an authorized review soon methinks... so
>enough about that.
>
>One vendor that I was looking forward to testing that bowed out was
>Symantec/Axent - but they at least had the candor to be very up-front about
>why. They were just in the process of testing and rolling out a new version
>as their product currently on the market was getting a bit dated, a major
>new refit and upgrade was in development and they felt their current older
>product would not be put in a favorable light - and they offered to provide
>a copy of the new stuff for ranking as soon as it was available. Kudos to
>them for the refreshing and definitely out of the ordinary candor; which is a
>pleasant surprise from a vendor these days. I'm certainly going to look at
>their new product when it's released.
>
>The other major player not represented in these tests is the other big
>market share leader, Cisco, mostly due to logistical difficulties of getting
>their hardware only (they were the only one amongst the vendors who didn't
>have a sw only version of their IDS) units in our lab for testing - they
>offered to let us test it in their lab, but since our test setup consisted
>of about 15 servers, five switches, a handful of hubs and a giant hairball
>of Ethernet cable, the tests weren't exactly portable. We'd still like to
>test their new product as they've updated their aging 200 signature
>(a previously laughably small number) hardware with new systems recently.
>Their product also is the only one to benefit from integration with their
>Catalyst switches and can examine all the ports on the switch when their
>"Blade" IDS card is in their switches, a unique advantage, but not as
>significant for typical applications as one might think, because with careful
>location at network choke points all of the products reviewed here can function
>adequately even in a switched environment.
>
>The companies who did want to have their stuff evaluated were all what I
>would call the "technological innovators" in this field:
>
>Network Flight Recorder - Arguably one of the earliest players in the IDS
>arena, NFR provided us with both copies of their standalone NFR 5.0 IDS
>dedicated software including their sensor system and console analyzer and
>one of their 1U rackmount security appliances. Their application was by far the
>most polished and mature IDS product on the market. Though performance limited
>if you enable its extensive checks on very loaded networks, it makes a good
>choice for shops willing to dedicate boxes to the IDS task or are willing to
>buy the NFR appliance. NFR, whose sensor runs on a dedicated custom version of
>OpenBSD, takes a lot of heat on mailing lists from the hackers for their choice
>of Windows control consoles, but for a lot of shops where this is the primary
>daily user desktop environment, this makes a lot of sense. Marcus Ranum and the
>entire team at NFR were very helpful during these tests, and they obviously
>take pride and care in their work on this product.
>
>Intrusion.com provided us with both copies of the standalone SecureNetPro
>IDS, their central console software and one of their rackmount security
>appliances. Their system was surprisingly polished for a first revision, and
>they were very strong - especially for Linux environments which is the OS this
>software is based upon. The Intrusion.com team in Richardson, TX, has done an
>excellent job with this new product and I'd like to thank them for their
>assistance and participation in these tests.
>
>Network Security Wizards / Enterasys provided us with copies of their entire
>security suite, their sensor software, several console systems (one for
>midsize multiple sensor installations, and its bigger brother for large
>enterprise-wide level deployments). This product is all about speed and large
>deployments, and makes a great deal of sense for large networks. It was the
>only solution for Solaris shops here and ran on a whole host of OSes with an
>HTTPS based interface. I would also like to extend my thanks to Ron Gula from
>NSW/Enterasys for his helpful suggestions on test methodology.
>
>Network ICE Corporation provided us with the "serious" big brother to their
>popular BlackICE personal IDS system - BlackICE Sentry. This superset of
>their personal system is intended to be deployed as a dedicated sensor. I
>must also thank Robert Graham, their chief technical wizard, for his support, and
>for the kind donation of hardware to assist the testing. As a company they
>are obviously putting in a lot of development effort and are proud of their
>product (not meaning to denigrate any of the participants here, who all
>obviously have large competent development teams rolling out product releases
>quite often, typically every 6 months from my past observation as a
>technology watcher in this field). They were eager to have their systems
>ranked, and even though like Axent they were rolling out a major upgrade to
>their software, they were so positive about these tests that they provided
>us a system with their current release and a beta of their new 2.5 version
>(which they put heavy disclaimers on because it was still undergoing QA
>testing, though at the end their beta performed like a champ and was stable,
>making their preemptive disclaimers moot). Unfortunately time restrictions
>did not permit us to set up their centralized console software, unlike the
>three previous subjects. But their product was unique amongst the entrants in
>that it ran on a Windows/NT box, making it the only choice available
>here for those few shops these days that are still allergic to unix.
>
>The last player to be tested is the other major market share leader (at
>least according to surveys done by Counterpane and others) which is vying
>with Cisco and ISS for market share top dog position but isn't really a
>commercial system like the others: the open-source, free, "Snort" IDS written
>by Martin Roesch (pronounced "resh"). For the longest time it had bugged me
>that all of the articles discussing commercial IDSes always overlooked
>Snort so I vowed to make a point of including it in these comparisons.
>Though it is free, the technology assembled by the community of
>volunteers Marty has coalesced is putting out one of the feature-leading,
>best-supported, IDS products out there. But I have to be careful of what I say
>here, and I should be up front that I'm a Snort supporter and one of the
>project admins myself - I've written a chunk or two of code for Snort and
>spent some time volunteering and answering questions about its deployment
>as well as occasionally doing some consulting on the setup of Snort IDSes
>for my customers. But that said and with my bias exposed up front, throughout
>these tests I wanted to make sure that the evaluations were fair and no
>advantage was given to Snort in the rankings because of my familiarities with
>its internals (or for Dragon for that matter, as it was the other IDS here that
>I had used before) - and I actually think that if anything the way the tests
>were set up in this first phase of tests focused on small and midsize
>enterprise applications I was harder on Snort than any, picking areas in the
>evaluation criteria where Snort is notably weak, such as documentation and ease
>of setup. I'd thank Marty and the rest of the Snort volunteers, but they are
>already all probably sick of my blathering on about this stuff, so I'll just
>shut up... :-)
>
>Internally all of these IDS systems are built around similar cores of
>operation, so the knowledge of Snort strengths and weaknesses has hopefully
>played into creation of an effective set of evaluations for all of them.
>Most of the tests were done with Snort 1.6.3 but in the last few days of
>tests, the new 1.7 version was released, so fitting in to the pattern
>established with NetworkICE both versions were tested. Snort runs on a
>whole host of different platforms, giving it the widest usage profile here.
>
>