OSEC

From: Greg Shipley (gshipleyneohapsis.com)
Date: Tue Feb 26 2002 - 19:08:31 CST

    On Tue, 26 Feb 2002, Ralph Los wrote:

    > I can safely say from experience that Cisco's product is not a good
    > way to go. I just finished a penetration test on a client, who had
    > Cisco's IDS in place. The unfortunate fact is that their system
    > didn't see any more than 10% of the things we threw at their network,
    > including fragmented packets, out-of-sequence packets, and other
    > various things I can't disclose. But that's the basics.

    This brings a couple of questions to mind though, for example, was the
    Cisco IDS product running the latest sigs? What version? And did you
    have an ISS box next to it, or any other IDS for that matter, as a point
    of comparison? IMHO, it's a bit unfair to claim that a deployed IDS
    missed "various things you can't disclose" without some basis of
    comparison. (Hell, did the client even have an updated version of the
    Cisco IDS product? Suppose it was a crusty Wheelgroup box left over from
    the 70s? *grin* I could deploy a SNORT box that doesn't detect anything if
    I botch the config enough...)

    In short, I don't doubt that the Cisco IDS box missed some of your
    probing, but I'm not sure how many NIDS platforms WOULD catch all of your
    probing. The current state of NIDS is more targeted at identifying those
    lowly kids. :)

    > I use ISS here as a primary partner, so I'm sort of biased towards
    > their products only in that I've used them the most - my focus has been on
    > the networkICE stuff. Never had the pleasure of using Enterasys - but
    > their "accounting problems" have them as questionable in my book.

    Careful - let's not let Enron'ism bleed into the IDS forum! Kidding
    aside, Enterasys stock may have taken a beating over that announcement,
    but I think if you investigate the actual issue you'll see that this
    isn't, er, as big of a concern as you might think. Besides, wasn't ISS
    slapped with like 5 class-action lawsuits just a few months ago, on the
    basis of releasing misleading projections to shareholders?

    Hell, for that matter, who isn't having problems? :) Give it time, I'm
    sure Cisco will feel it eventually....

    Glad I'm not working for a public company,

    -Greg