I have been asked to include man-hunt and man-trap from Recourse 
Technologies into the mix:

Here is the take on their product suite:

They are in the category called Honeypots:
(refer to Bellovin and Cheswick 'Firewalls and Internet Security' for a 
detailed definition of Honeypots, Lures, and Traps)

Commercially Available:
Man-Hunt/Man-Trap
Network Associates CyberCop Sting

Research/Development
(please fill in here)

Hopefully some trade rag will pick up this thread and assemble a worthwhile 
categorization of the Security Products available :)

/cheers




>Add in man-hunt and man-trap from recourse technologies.
>
> > -----Original Message-----
> > From: Mark Teicher [SMTP:[EMAIL PROTECTED]]
> > Sent: Thursday, August 03, 2000 3:57 PM
> > To:   [EMAIL PROTECTED]; Rob Serfozo;
> > [EMAIL PROTECTED]
> > Cc:   [EMAIL PROTECTED]
> > Subject:      Re: Intrusion Detection
> >
> > Bill,
> >
> > I have to caveat my response by saying that I now work for an IDS company
> > and am only responding to correct Bill's statements..:)
> >
> > Tripwire is actually categorized as an Integrity Checker, as is the Axent
> > Enterprise Security Manager (ESM)
> >
> > Host Based products are : ISS System Scanner, WebTrends Enterprise
> > Edition, etc
> > Network Based products are : NFR 4.11, ISS RealSecure 5.0, NetworkICE
> > Sentry/ICE CAP Console, Cisco IDS (Cisco just recently renamed their
> > NetRanger product to Cisco IDS), Network Associates CyberCop Monitor,
> > Dragon Systems IDS, HiverWorld IDS (should be shipping shortly), Axent
> > NetProwler 3.5/ITA 3.5GA integrated product suite.
> >
> > The real issue with most of the commercially available IDS is the signature
> > or protocol decode recognition.  Each IDS has its own way of identifying
> > a particular event, and categorizing it against its internal identification
> > system.
> >
> > Back to your statement regarding TripWire, TripWire for NT is still in its
> > development stage, as in the installation routine is InstallShield, but
> > after the install it is still a CLI driven policy tweaking effort, although
> > generic and default policies are provided.
> >
> > All Network IDS and Host based IDS systems have the capability of either
> > logging to the NT Event log function or Syslog, although syslog.conf is far
> > easier to tweak than the NT Event Log.
> >
> > ISS Real Secure 5.0, 3.2 Console requires NT.  Their console only runs on
> > NT.
> > Axent NetProwler 3.5 only runs on NT, Engine, Manager and Console.  They do
> > not have a Unix version available.
> > Cybercop Monitor 1.0 for NT - uses MMC 1.0 for NT, and I have not seen a
> > working Unix version, but that could be me.
> >
> >
> > I/O processing requirements for real time IDS systems really depend
> > on the architecture of the particular IDS system. Each vendor has their own
> > magic on how to do stealth packet capturing and analysis.
> >
> > The other item to note, is the learning curve of each IDS system varies
> > from product to product.
> >
> > /hope this helps
> >
> > /mark
> >
> > At 10:20 AM 8/3/00 -0700, [EMAIL PROTECTED] wrote:
> >
> > >Rob,
> > >
> > >IDS products vary considerably.  There are host based products like
> > >Tripwire and TCP wrappers.  And there are network based products like
> > >Network Flight Recorder and NetRanger.  There are also alarm and trap type
> > >products that can be used in conjunction with control devices like your
> > >PIX firewall or routers.
> > >
> > >Generally speaking, the closer the IDS is to the activity you want to
> > >monitor, the more effective it is.  In other words, a host based IDS is
> > >better at detecting an attack against the host than a network based IDS
> > >that is watching for host attack packets.  IDS code built into your Web
> > >applications is better at detecting Web server attacks than host based
> > >IDS.
> > >
> > >If you are talking about host based IDS products for the NT operating
> > >system there are several available although I only have experience
> > >with Tripwire which I highly recommend.   There are several event log
> > >monitors out there, perhaps some of the other list members can make some
> > >recommendations on those products.
> > >
> > >If you are looking at network based IDS products then finding one that is
> > >effective running on the NT platform may prove to be a challenge.  The I/O
> > >and processing requirements for real time IDS are difficult to achieve
> > >under UNIX.
> > >
> > >-- Bill Stackpole, CISSP
> > >
> > >
> > >
> > >"Rob Serfozo" <[EMAIL PROTECTED]>
> > >Sent by: [EMAIL PROTECTED]
> > >
> > >08/03/00 07:25 AM
> > >
> > >         To:        "Firewalls LIST" <[EMAIL PROTECTED]>
> > >         cc:
> > >         Subject:        Intrusion Detection
> > >
> > >We are investigating the installation of Intrusion Detection software.
> > >Wondering if the list had any opinions good or bad towards any product.  We
> > >are hoping to be able to run on a Windows platform.  We are currently using
> > >a PIX firewall.
> > >
> > >Thanks,
> > >Rob Serfozo
> > >
> > >-
> > >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> > >"unsubscribe firewalls" in the body of the message.]
> > >
> >
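The Integrity Checker category Mark places Tripwire in above works by recording a baseline of file hashes and attributes and later comparing the live file system against it. As an added example, not Tripwire's own code or its database format (the function names, the JSON layout and the sample tree are my own assumptions, and the tampering is simulated on a throwaway directory), here is a minimal checker of that kind in Python:

```python
"""Minimal Tripwire-style file integrity checker (added example, hypothetical code)."""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Record hash, size and permission bits of every regular file under root.

    Keys are paths relative to root so a baseline can be compared on a host
    that mounts the same tree at a different location.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)              # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue                     # skip symlinks, sockets, devices
            baseline[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON (assumed format). The real copy belongs on
    read-only media or another host: whoever can rewrite it can hide changes."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify each path as added, removed or changed relative to the baseline."""
    old_paths, new_paths = set(baseline), set(current)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "changed": sorted(p for p in old_paths & new_paths if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed sample tree, baseline it, tamper with it, and return the
    report a scheduled integrity run would raise. The baseline is stored in a
    second directory so it does not itself show up as an 'added' file."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.mkdir(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"original login program\n")
        with open(os.path.join(root, "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "motd"), "wb") as fh:
            fh.write(b"welcome\n")
        os.chmod(os.path.join(root, "motd"), 0o600)

        db_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), db_path)

        # Simulated tampering: one program body altered, one file removed,
        # one file added, one file with unchanged content but changed permissions.
        with open(os.path.join(root, "bin", "login"), "ab") as fh:
            fh.write(b"extra code\n")
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, "bin", "sniff"), "wb") as fh:
            fh.write(b"new program\n")
        os.chmod(os.path.join(root, "motd"), 0o644)

        return compare(load_baseline(db_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the report does not settle on its own: every entry still needs a human to decide whether it is a legitimate change (a patch, an admin edit) or tampering, which is the policy-tuning effort Mark describes for TripWire; and the baseline is only as trustworthy as the place it is kept, so it should be written once, protected from the monitored host, and compared with a checker binary that is itself covered by the baseline.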
