This is good stuff.
The 4 products Adam mentioned perform Network Behavioural Anomaly
Detection (NBAD).
NBAD is an added layer - complimentary to NIDS/NIPS. This is a very
good article for those interested:
http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=163700677&pgno=1
Despite the marketing pitch, MARS is not an NBAD product and should
not be in the NBAD quadrant when Gartner puts it together. Aggregation
and correlation tools like Protego (sorry Cisco..) MARS look at a
bunch of different information and assess the importance of events - a
good NBAD product should profile the behaviour of the network in real
time and not wait for devices to start hinting at issues.
I have questions about products that depend on flow info from routers
etc - if you are being badly DDoSed then I am not sure that these
devices will be accurate in providing the necessary intelligence for
accurate mitigation. In fact Netflow is widely considered to be
inaccurate at times ( I can reference examples of 200% utilisation
reporting etc...), a serious issue for UBB etc, and as we all know
when the bad stuff happens the availability and integrity of the
information is extremely important. Hence why most of the NBAD
platforms can gather information from the wire independent of
Net/c/sflow via SPAN/tap etc.
Also Cisco are investors in Arbor and have incorporated Riverhead. The
Riverhead stuff is very good at dealing with anomalous traffic, and
they are also pushing MARS as some kind of anomaly detection solution.
I have also heard that there is some protocol anomlay detection in
Cisco IDS.
As a representative of Cisco Gary, perhaps you could let us all know
what Cisco's roadmap is for these supposedly competing products they
have invested in? I am confused!
On 7/19/05, Gary Halleen (ghalleen) <ghalleen@cisco.com> wrote:
That list is handy, but incomplete.
Cisco MARS should be added. MARS is a SIM product that receives log
information from various sources (firewalls, routers, switches, IDS/IPS,
host logs, antivirus, and more). It also receives netflow, and can
provide very useful security-related information based on it.
Gary
-----Original Message-----
From: Andy Cuff [mailto:lists@securitywizardry.com]
Sent: Thursday, July 14, 2005 2:21 PM
To: focus-ids@securityfocus.com
Subject: NetFlow for IDS
Netflow data offers a valuable source of IDS information. To this end
Jeff Ames has detailed all known Netflow analysis tools on a single page
at http://securitywizardry.com/protNetFlowA.htm
As always please notify us of any omissions or errors
Regards
Andy Cuff
Chief Technology Officer
Computer Network Defence Ltd
http://SecurityWizardry.com
Phone (+44) (0) 7968 608945
------------------------------------------------------------------------
--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
On 7/19/05, Gary Halleen (ghalleen) <ghalleen@cisco.com> wrote:
That list is handy, but incomplete.
Cisco MARS should be added. MARS is a SIM product that receives log
information from various sources (firewalls, routers, switches, IDS/IPS,
host logs, antivirus, and more). It also receives netflow, and can
provide very useful security-related information based on it.
Gary
-----Original Message-----
From: Andy Cuff [mailto:lists@securitywizardry.com]
Sent: Thursday, July 14, 2005 2:21 PM
To: focus-ids@securityfocus.com
Subject: NetFlow for IDS
Netflow data offers a valuable source of IDS information. To this end
Jeff Ames has detailed all known Netflow analysis tools on a single page
at http://securitywizardry.com/protNetFlowA.htm
As always please notify us of any omissions or errors
Regards
Andy Cuff
Chief Technology Officer
Computer Network Defence Ltd
http://SecurityWizardry.com
Phone (+44) (0) 7968 608945
------------------------------------------------------------------------
--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
