Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Ha: RE: Juniper and ISS Protocol Anomaly Detection Evaluation

from [Dmitry V Ushakov] Network Security [Permanent Link]
Subject: Ha: RE: Juniper and ISS Protocol Anomaly Detection Evaluation
Date: Wed, 17 May 2006 14:26:27 +0400 
I would also mention the Tolly Group as an organization which performs 
"indpendent" analysis of IT products in general and ID(P)S products in 
particular.
But I would not fully rely on their results as though all of them state 
that their results are not influenced by the sponsor founding their tests 
still they sometimes get quite diverse results.
The best solution would be of course to make a pilot and test the products 
having them at full control. The aforementioned organizations have their 
test scenarios described but you can figure out your own tests to make 
sure the features you require from the product are actually present in the 
ID(P)S and not in the marketing brochure.

Best regards, 
Dmitriy Ushakov.

Technical expert
Information Security Department
"TechnoServ A/S" Company 

"Chris Hummel" <chris_hummel@hotmail.com> написано 16.05.2006 04:50:14:


Mike,

In this day in age, it has become increasingly difficult to wade through 

the 

vendor bs in an attempt to get an apples to apples comparision of the 
technology that drives the products.  Fortunately, there are other 

groups in 

this world who feel the same way and have taken matters into their own 
hands.  One of the best independent test and evaluation bodies for 

various 

security products is The NSS Group, based out of southern France (I 
believe).  After you locate their web site, find the latest online 

report 

for NIPS and see for yourself the amount of work that is put into their 
evaluations.  Some of the reports (online html version only) are free, 

but 

the vast majority are $100, which isn't that bad when you consider the 

total 

investment that your company is about to make.

Of course, if you prefer to do the testing yourself and also have a 

decent 

lab setup, locate the ISIC (IP Stack Integrity Checker) test tool and 

have 

some fun.  The NSS reports actually delves into the details of their 

testing 

methodology, so one could re-create that portion of the test.

Your last statement hints at signature detection in the attack packet 

versus 

it being spread out over the course of multiple packets (a TCP stream or 

IP 

fragments).  Once again, the NSS report dedicates an entire section to 

this 

type of activity.

Good luck,
-Chris

---------------------------------------------------------------------
From: "Mike Youngs" <myoungs@glenergy.com>
To: <focus-ids@lists.securityfocus.com>
Subject: Juniper and ISS Protocol Anomaly Detection Evaluation
Date: Fri, 12 May 2006 11:05:47 -0400

Hello Everyone,

I am doing a network based intrusion detection and prevention system
evaluation, and have come across something I would like this groups
collective experience to give an opinion on.

For various reasons, we have settled on making a selection between the
Juniper IDP 600C and the ISS Proventia GX5008.  During our evaluation, 

we

have found that Juniper and ISS offer their protocol anomaly detection 

means

in much different ways.  What I would like to hear from this group is 

your

experience and insight with either product's protocol anomaly detection. 

 If

someone has insight and/or experience with both products, that will be 

that

much better.  I hope to find out if each vendor's protocol anomaly 

detection

features are essentially the same thing, or if one is superior over the 
other
and why, so I can make a more informed decision on this feature.

Another way to say it is, does "protocol anomaly detection" mean the 

same

thing to both vendors?  It appears that "attack pattern" means something
different to each vendor.  One considers in the actual string or pattern 

to

look for in a packet, and the other considers is it multiple events when
viewed as a whole could mean an attack on a system.

Any insight would be appreciated!  Thanks in advance,

Mike Youngs
Network Manager
Great Lakes Energy



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 



to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Skype & IPS vendor claims, ROB DIXON
Next by Date:  Re: Snort false positive, Joel Esler
Previous by Thread:  RE: Juniper and ISS Protocol Anomaly Detection Evaluation, Chris Hummel
Next by Thread:  RE: RE: Juniper and ISS Protocol Anomaly Detection Evaluation, Security Focus
Indexes:  [Date] [Thread] [Top] [All Lists]