Saso/Carric wrote:

Date: Wed, 07 Jul 1999 19:52:53 +0200
From: SiOL CERT <[EMAIL PROTECTED]>
Subject: Re: IDS: Net Ranger vs. RealSecure vs. NFR

In message <[EMAIL PROTECTED]>, Vin McLellan writes:

>In a response to Saso <[EMAIL PROTECTED]>, Carric Dooley <[EMAIL PROTECTED]>
>wrote:
>
>>The main advantages to NFR are its speed and adaptability. A
>>disadvantage may be its adaptability. =) You will need someone on staff
>>with some programming skills to build the custom scripts you may want to
>>add to the existing NFR package.
>
>        There are people here who can answer this with specific
>recommendations if Saso feels comfortable offering more information about
>his environment, but it is my impression that the vast majority of NFR
>customers buy through a consultant/reseller who develops, remarkets, and
>applies the appropriate scripts.

KJ> This has been commented on by Marcus already. Sounds good, but I have no idea which and how many predefined scripts are available with NFR.

What we basically need is an IDS system that has a centralised management station and several remote probes. Each of the probes has to be able to save data on its own disks in case the main management station is unreachable; also, each probe has to survive and monitor the network even if the main station is unreachable for longer than a set amount of time. The IDS has to be able to scan through peak traffic which many times reaches 65-70 Mbit/s, and has to monitor fragmented packets and reassemble them.

KJ> This sounds like a description of ISS RS, because it does provide exactly those mgmt functions you are asking for, including the ability to run the net engines offline for as long as you have disk capacity - ehhm, yes, you have to sync the database afterwards, so you better make sure the detector isn't offline for weeks ;-> To monitor peaks of 65-70 Mbps you definitely have to run the engine on Solaris Sparcs (300 MHz+), which makes it a bit more expensive than running it on a WINTEL platform - TANSTAFL.

Also, the IDS has to go completely unnoticed, which rules out any active intrusion prevention and standard protocols to send data from remote probe to the central station.

KJ> The ISS solution to this problem is running the net engine in stealth mode, i.e. a dual-homed host, where there is no IP stack or protocol of any kind running on the monitoring side of the net appliance, while the mgmt link goes through a separate LAN.

>        In that case, you probably will not need local on-site talent with
>these capabilities. Check with the NFR resellers in your area, or those
>which specialize in your industry or network architecture.

RS capability for customized signatures has been limited so far, but will probably be increased in the future (the new static scanner uses TCL, and the RS host agent does support regular expressions, so there may be more in the near future).

My original e-mail was sent out to see if anyone has some bad experiences with Cisco's Net Ranger and/or ISS' RealSecure so I could rule them out or at least make a preference choice between them before I have to test them on my network.

KJ> Our and our customers' experiences are very positive regarding RealSecure, while we believe that Net Ranger is limited in its capabilities - RS does check for 200+ signatures/protocol decodes - again, I don't know anything about NFR; you may want to run your own evaluation test, because that's the only way to really learn about the product.

The monitored environment is pretty simple, consisting of mail servers, pop3 server, web servers, news servers and a few other Internet services; peak traffic, as I said, can reach up to 65-70 Mbit/s.

KJ> If the number of services you are monitoring is limited, this does not necessarily imply that the IDS you are looking for should be limited in its capabilities - right?

Regards,
Saso

-- 
Saso Virag | SiOL CERT Security Admin @ SiOL.net | Phone: +386 61 130 15 15 | Fax: +386 61 139 35 00

-- 
Karl Jaeger
BDG
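The thread lists "monitor fragmented packets and reassemble them" as a hard requirement for the probes. The following is an added example, not code from the thread or from any of the products discussed: a minimal Python fragment reassembler run over constructed sample fragments (the signature string, fragment sizes and IP identification value are all made up) showing that a pattern straddling a fragment boundary is invisible per fragment and only appears once the datagram is reassembled, and that overlapping fragments are refused rather than silently resolved.

```python
from dataclasses import dataclass, field

@dataclass
class Fragment:
    ident: int    # IP Identification field shared by all pieces of one datagram
    offset: int   # payload offset in bytes (real IPv4 uses 8-byte units)
    more: bool    # More Fragments flag; False marks the last piece
    data: bytes

@dataclass
class Reassembler:
    buffers: dict = field(default_factory=dict)   # ident -> list of Fragment

    def add(self, frag):
        """Buffer one fragment; return the full payload once complete, else None."""
        frags = self.buffers.setdefault(frag.ident, [])
        # Overlapping data is ambiguous (end hosts resolve it differently), so a
        # sensor should flag it instead of guessing which copy the host will keep.
        for f in frags:
            if frag.offset < f.offset + len(f.data) and f.offset < frag.offset + len(frag.data):
                raise ValueError(f"overlapping fragment for id {frag.ident:#x}")
        frags.append(frag)
        frags.sort(key=lambda f: f.offset)
        if frags[-1].more:            # last fragment (MF=0) not seen yet
            return None
        expected = 0
        for f in frags:               # any hole means we are still waiting
            if f.offset != expected:
                return None
            expected += len(f.data)
        del self.buffers[frag.ident]
        return b"".join(f.data for f in frags)

def inspect(fragments, pattern):
    """Return (matches seen per fragment, match seen in reassembled payload)."""
    per_fragment = sum(pattern in f.data for f in fragments)
    reassembler, payload = Reassembler(), None
    for f in fragments:
        done = reassembler.add(f)
        if done is not None:
            payload = done
    return per_fragment, payload is not None and pattern in payload

# Constructed sample: one 26-byte payload split so the pattern straddles the
# boundary, and the two fragments arrive out of order.
SIGNATURE = b"TEST-SIGNATURE"
PAYLOAD = b"hello " + SIGNATURE + b" world"
FRAGS = [Fragment(0x1234, 12, False, PAYLOAD[12:]),
         Fragment(0x1234, 0, True, PAYLOAD[:12])]

if __name__ == "__main__":
    print(inspect(FRAGS, SIGNATURE))   # (0, True)
```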
