Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: NetFlow for IDS

from [Joseph Hamm] Network Security [Permanent Link]
Subject: RE: NetFlow for IDS
Date: Sun, 24 Jul 2005 13:06:42 -0400 
Fergus,


In fact Netflow is widely considered to be inaccurate at times ( I can

reference examples of 200% utilisation reporting >etc...), a serious
issue for UBB etc, and as we all know when the bad stuff happens the
availability and integrity of

the information is extremely important. 


Was the >100% utilization numbers a result of duplicate flows?  Flows
reported by multiple devices and that get counted more than once could
alter your numbers.  Tools that are able to de-duplicate flows before
processing can provide more accurate information.

And you're right, complementing exported flow data with native packet
capture is always preferred (especially in anomaly detection) because of
the additional information provided through header and payload
information.

Regards,
Joe

Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm@lancope.com
404.644.7227  (cell)
770.225.6509   (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security
solution, delivers behavior-based intrusion detection, policy
enforcement and insightful network analysis.  Visit www.lancope.com.

Join Lancope for a complimentary webcast "Exclusive Look at StealthWatch
System v 5.0" at 11 AM ET on Wednesday, July 27, 2005. Register today at
https://lancope.webex.com/lancope/onstage/g.php?d=751852973&t=a.



-----Original Message-----
From: Fergus Brooks [mailto:fergwa@gmail.com] 
Sent: Thursday, July 21, 2005 2:59 AM
To: Gary Halleen (ghalleen)
Cc: focus-ids@securityfocus.com
Subject: Re: NetFlow for IDS

This is good stuff.

The 4 products Adam mentioned perform Network Behavioural Anomaly
Detection (NBAD).

NBAD is an added layer - complimentary to NIDS/NIPS. This is a very good
article for those interested:

http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleI
d=163700677&pgno=1

Despite the marketing pitch, MARS is not an NBAD product and should not
be in the NBAD quadrant when Gartner puts it together. Aggregation and
correlation tools like Protego (sorry Cisco..) MARS look at a bunch of
different information and assess the importance of events - a good NBAD
product should profile the behaviour of the network in real time and not
wait for devices to start hinting at issues.

I have questions about products that depend on flow info from routers
etc - if you are being badly DDoSed then I am not sure that these
devices will be accurate in providing the necessary intelligence for
accurate mitigation. In fact Netflow is widely considered to be
inaccurate at times ( I can reference examples of 200% utilisation
reporting etc...), a serious issue for UBB etc, and as we all know when
the bad stuff happens the availability and integrity of the information
is extremely important. Hence why most of the NBAD platforms can gather
information from the wire independent of Net/c/sflow via SPAN/tap etc.

Also Cisco are investors in Arbor and have incorporated Riverhead. The
Riverhead stuff is very good at dealing with anomalous traffic, and they
are also pushing MARS as some kind of anomaly detection solution.
I have also heard that there is some protocol anomlay detection in Cisco
IDS.

As a representative of Cisco Gary, perhaps you could let us all know
what Cisco's roadmap is for these supposedly competing products they
have invested in? I am confused!










On 7/19/05, Gary Halleen (ghalleen) <ghalleen@cisco.com> wrote:

That list is handy, but incomplete.

Cisco MARS should be added.  MARS is a SIM product that receives log 
information from various sources (firewalls, routers, switches, 
IDS/IPS, host logs, antivirus, and more).  It also receives netflow, 
and can provide very useful security-related information based on it.

Gary


-----Original Message-----
From: Andy Cuff [mailto:lists@securitywizardry.com]
Sent: Thursday, July 14, 2005 2:21 PM
To: focus-ids@securityfocus.com
Subject: NetFlow for IDS


Netflow data offers a valuable source of IDS information. To this end 
Jeff Ames has detailed all known Netflow analysis tools on a single 
page at http://securitywizardry.com/protNetFlowA.htm

As always please notify us of any omissions or errors

   Regards
Andy Cuff
Chief Technology Officer
Computer Network Defence Ltd
http://SecurityWizardry.com
Phone (+44) (0) 7968 608945




----------------------------------------------------------------------
--
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from



CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
----------------------------------------------------------------------
--
--

----------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from



CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
----------------------------------------------------------------------
--





On 7/19/05, Gary Halleen (ghalleen) <ghalleen@cisco.com> wrote:

That list is handy, but incomplete.

Cisco MARS should be added.  MARS is a SIM product that receives log 
information from various sources (firewalls, routers, switches, 
IDS/IPS, host logs, antivirus, and more).  It also receives netflow, 
and can provide very useful security-related information based on it.

Gary


-----Original Message-----
From: Andy Cuff [mailto:lists@securitywizardry.com]
Sent: Thursday, July 14, 2005 2:21 PM
To: focus-ids@securityfocus.com
Subject: NetFlow for IDS


Netflow data offers a valuable source of IDS information. To this end 
Jeff Ames has detailed all known Netflow analysis tools on a single 
page at http://securitywizardry.com/protNetFlowA.htm

As always please notify us of any omissions or errors

   Regards
Andy Cuff
Chief Technology Officer
Computer Network Defence Ltd
http://SecurityWizardry.com
Phone (+44) (0) 7968 608945




----------------------------------------------------------------------
--
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from



CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
----------------------------------------------------------------------
--
--

----------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from



CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
----------------------------------------------------------------------
--




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: NetFlow for IDS, Roland Dobbins
Next by Date:  Re: Firewalls (was Re: IDS evaluations procedures), Devdas Bhagat
Previous by Thread:  RE: NetFlow for IDS, Joseph Hamm
Next by Thread:  Host-Based Intrusion Detection/Prevention. Which will you select? (Requirements within), mark12_30
Indexes:  [Date] [Thread] [Top] [All Lists]