
| Subject: | RE: Juniper and ISS Protocol Anomaly Detection Evaluation |
|---|---|
| Date: | Thu, 18 May 2006 14:26:02 -0700 |
Another key point to keep in mind while working on protocol anomalies is the difference between anomalies like UDP checksum zero, which is a very common phenomenon, versus HTTP directory traversal-like anomalies, which are sure signs of a person trying to exploit. Also keep in mind that protocol anomalies would be judged with respect to individual systems. So, the security appliance should be provisioned with the granularity to switch off the anomalies for a single/group of hosts.

Thanks,
Proneet.

---------------------------------------------------------------
To have known the best, and to have known it for the best, is success in life.

-----Original Message-----
From: Eric Hanselman [mailto:ehanselman@netscape.net]
Sent: Wednesday, May 17, 2006 2:17 PM
To: Steven.Williams@computershare.com.au
Cc: Reynolds, Wayne; Mike Youngs; focus-ids@lists.securityfocus.com
Subject: Re: Juniper and ISS Protocol Anomaly Detection Evaluation

Folks,

First off, I work for ISS. While this certainly colors my perspective, I hope that I can add some value.

The Sentriant Security Appliance is a nice idea for managing security in an Extreme switch today. The detection is pretty limited, though. If you need something to knock down worm propagation, it will do the trick at very high speed. Extreme understands the limitations of the technology and that's why they have partnered with ISS in taking it to the next level by using ISS X-Force security info. Check out the press announcements from Interop. While this was a proof of concept that was demo'd, one might reasonably expect products around this in the not-too-distant future.

As to the question on the difference in ISS and Juniper's protocol anomaly detection, this seems to really miss the underlying security differences. Protocol anomaly detection is a very small piece of protection. While you should care if attackers are violating RFCs, it's much more important to determine how well your security provider detects higher level attacks.

Does the solution detect fragmented RPC attacks? At what minimum fragment size? The Juniper folks have some difficulties here. A great test tool to prove all of this is Metasploit. Fire up their WMF exploit and see who catches it. Bob Waldron at NSS is about to release the latest round (edition 4) of his test results. If you can't do the testing yourself, contact him to see if you can purchase an early copy of the results. He provides objective criteria and gives detailed analysis.

Hope that this helps.

- Eric
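The two points raised in the thread above, tiering anomalies as a common quirk (UDP checksum zero) versus a sure sign of exploitation (HTTP directory traversal) and switching an anomaly off for a single host or subnet, as an added Python example that is not part of the original mail; the event format, policy shape, sample addresses and sample traffic are constructed for illustration.

```python
import struct
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Two tiers, as the post distinguishes them: a common quirk vs. a sure sign of attack.
SEVERITY = {"udp_checksum_zero": "benign", "http_dir_traversal": "suspicious"}

def udp_checksum_zero(udp_header: bytes) -> bool:
    """True if the UDP checksum field is 0, i.e. the sender computed none."""
    if len(udp_header) < 8:
        return False
    return struct.unpack("!HHHH", udp_header[:8])[3] == 0

def http_dir_traversal(request_line: str) -> bool:
    """True if the request path contains a '..' segment after URL-decoding."""
    parts = request_line.split()
    path = unquote(parts[1]) if len(parts) > 1 else ""
    return ".." in path.replace("\\", "/").split("/")

def suppressed(policy: dict, anomaly: str, src: str) -> bool:
    """Per-host/per-subnet switch-off of one anomaly, the granularity the post asks for."""
    return any(ip_address(src) in ip_network(net) for net in policy.get(anomaly, ()))

def evaluate(events: list, policy: dict) -> list:
    """Return (src, anomaly, severity) for every anomaly not switched off for its host."""
    alerts = []
    for ev in events:
        if ev["proto"] == "udp" and udp_checksum_zero(ev["data"]):
            anomaly = "udp_checksum_zero"
        elif ev["proto"] == "http" and http_dir_traversal(ev["data"]):
            anomaly = "http_dir_traversal"
        else:
            continue
        if not suppressed(policy, anomaly, ev["src"]):
            alerts.append((ev["src"], anomaly, SEVERITY[anomaly]))
    return alerts

# Constructed sample traffic: a UDP header with checksum 0 and one HTTP request line.
UDP_NO_CSUM = struct.pack("!HHHH", 53, 1024, 8, 0)
EVENTS = [
    {"src": "10.0.0.5", "proto": "udp", "data": UDP_NO_CSUM},
    {"src": "192.0.2.7", "proto": "udp", "data": UDP_NO_CSUM},
    {"src": "192.0.2.7", "proto": "http", "data": "GET /images/..%2f..%2fprivate.txt HTTP/1.0"},
]
# Checksum-zero is expected from 10.0.0.0/24 (constructed), so it is switched off there only.
POLICY = {"udp_checksum_zero": ["10.0.0.0/24"]}
```

Running `evaluate(EVENTS, POLICY)` drops the checksum-zero event from the suppressed subnet but keeps the same anomaly from the other host at the benign tier, and keeps the traversal at the suspicious tier.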