In message <[EMAIL PROTECTED]>, Karl-Heinz Jaeger writes:
>KJ>this has been commented by Marcus already, sounds good, but I have no
>idea which and how many predefined scripts are available with NFR
I don't think the number of predefined scripts is an issue here. Let's say for
example there are 300 predefined patterns. But the problem is that those
patterns match only the default settings of many exploits and trojans. That is
not something I am looking for.
>
>What we basically need is an IDS system that has a centralised management
>station and several remote probes. Each of the probes has to be able to save
>data on its own disks in case the main management station is unreachable,
>also each probe has to survive and monitor the network even if the main
>station is unreachable for longer than a set amount of time. The IDS has to be
>able to scan thru peak traffic which many times reaches 65-70Mbit/s, and has
>to monitor fragmented packets and reassemble them.
>
>KJ>this sounds like a description of ISS RS, because it does provide
>exactly those mgmt functions you are asking for, including the ability to run
>the net engines offline for as long as you have disk capacity - ehhm, yes you
>have to sync the database afterwards, so you better make sure the detector
>isn't offline for weeks ;->
>to monitor peaks of 65-70Mbps you definitely have to run the engine on
>Solaris Sparcs (300 MHz+) which makes it a bit more expensive than
>running it on a WINTEL platform - TANSTAAFL
We have a farm of Sun boxens here, but they still don't guarantee success, and
IMHO Solaris is definitely not something I want to run IDS on. My first day
experience with Net Ranger was -- SUN Ultra Enterprise 250/300MHz CPU is too
slow and is happily dropping packets.
Also, what I had to find out the hard way about Net Ranger is that not only
the bandwidth consumption counts, but also the number of sessions.
>KJ>our and our customers' experiences are very positive regarding
>RealSecure, while we believe that Net Ranger is limited in its
>capabilities - RS does check for 200+ signatures/protocol decodes -
>again don't know anything about NFR, you may want to run your own
>evaluation test because that's the only way to really learn about the
>product
Exactly what I have been doing for the last couple of days and will do for the
next couple of weeks. So far I only had time to really test Net Ranger, and
Carric Dooley was right, it can be a pain to get it running.
>
>The monitored environment is pretty simple, consisting of mail servers, pop3
>server, web servers, news servers and a few other Internet services, peak
>traffic as I said can reach up to 65-70 Mbit/s.
>
>KJ>if the number of services you are monitoring is limited, this does
>not necessarily imply that the IDS you are looking for should be limited
>in its capabilities - right?
I gave this info just to describe what kind of traffic I have on this segment of the
network. I am sure performances can vary a great deal with most IDS' if they're tested
in different circumstances and different types of net traffic.
Regards,
Saso