Frank,
This is an unfair, and inaccurate, generalization on Cisco IPS. I can't
speak for ISS or Juniper, but assume the same there.
Since Cisco IDS 4.1, verbose alert information has been available, and is
part of the alert (when enabled). In 4.1, this was referred to as
TriggerPacket data, and now is called Verbose Alert. A Cisco verbose alert
contains all information normally existing in an IDS/IPS alert, as well as a
PCAP of the packet that triggered the alert. You can analyze this packet in
whichever tool you prefer, just as if you'd captured it with tcpdump.
Over the last several years, Cisco has had a great track record of releasing
new signatures in a very short time period when new threats are discovered.
Since January 1, 2006, there have been 92 signature updates. When new
threats (especially dangerous threats), a new signature update is released
in a very short time -- sometimes hours.
Additionally, all Cisco IPS signatures are open. You are able to view all
or most fields of signatures, create your own, and modify existing
signatures. You do not need to wait for Cisco to release new signatures if
you have sufficient IDS/IPS skills to write a new signature. If you can
write a snort rule, you can write a Cisco IPS signature.
Gary
On 10/4/07 7:29 PM, "frankfrydrych@gmail.com" <frankfrydrych@gmail.com>
wrote:
Hola,
I would completely go with a signature based IDS. Anomaly based IDS will not
give you the greatest results.
For signature base I highly recommend SNORT. It is probably one of the best
IDS out there. Now I'm not just saying this as a "ooh open source is the
best". I truely believe this. I actually use to be a huge Cisco buff and just
dealt with Cisco IDS. However, at my current job I am a security analyst and
have to analyze events from Cisco, IIS, Juniper, etc, and SNORT beats them
all. Mainly for the fact that you are able to see the packet payload and are
able to make the decision if something is malicious based on the actual
payload and not just the signature that is triggered (like some IDS). Also,
when a new threat emerges usually SNORT users will create a signature to
combat the threat. The other vendors create the signatures for you and it
usually ends up to be like 3 months after the threat was actually a realistic
threat. And on top of it the vendor signatures usually give out huge amount of
false positves. Then again, an IDS is only as good as who tunes it. If you
take A
NY IDS and turn it on in a production network you will have so many false
positives I garuntee you will miss actual threats. Every IDS (including SNORT)
has to be tuned for the production network it is on.
Finally, make sure to place the IDS behind the firewall. If you place it in
front of the firewall you will receive so much traffic that it is just not
valuable data. You have a firewall, so let the firewall do its job and block
the already known bad activity, and catch what gets through the firewall with
a IDS.
-FF
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intr
o_sfw
to learn more.
------------------------------------------------------------------------
The Hacker only has to be right once...
Stay Secure!
Gary Halleen, CISSP ISSAP, CHP
Consulting Security Engineer
Western Area Security Team
Cisco Systems
5300 SW Meadows Road, Suite 300
Lake Oswego OR 97035
(503) 598-7134
Author, Security Monitoring with CS-MARS, ISBN: 1587052709
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
