[49330] in North American Network Operators' Group


RE: IDS experience's - summary

daemon@ATHENA.MIT.EDU (JC Dill)
Fri Jun 28 17:58:08 2002

Date: Fri, 28 Jun 2002 15:00:03 -0700
To: <bknicely@nyc.rr.com>, "Nanog@Merit. Edu" <nanog@merit.edu>
From: JC Dill <nanog@vo.cnchost.com>
In-Reply-To: <NEBBJJINCMAJHLJNMHHLAEAJFOAA.bknicely@nyc.rr.com>
Errors-To: owner-nanog-outgoing@merit.edu


On 08:46 AM 6/28/02, Brandon Knicely wrote:
 >
 >Thanks to those that responded, content listed below with a few comments of
 >my own.  Also welcome additional discussion.

It appears that this recent report was overlooked:

<http://www.nwfusion.com/techinsider/2002/0624security1.html>

Crying wolf: False alarms hide attacks

Eight IDSs fail to impress during the monthlong test on a production network.

By David Newman, Joel Snyder and Rodney Thayer
Network World, 06/24/02

One thing that can be said with certainty about network-based 
intrusion-detection systems is that they're guaranteed to detect and 
consume all your available bandwidth. Whether they also detect network 
intrusions is less of a sure thing.

Those are the major conclusions of our first-ever IDS product comparison 
conducted "in the wild." Unlike previous tests run in lab settings, we put 
seven commercial IDS products and one open-source offering on a live ISP 
segment to see what they'd catch.

What we found wasn't encouraging:

   Several IDSs crashed repeatedly under the burden of the false alarms 
they churned out.

   When real attacks came along, some products didn't catch them and others 
buried the reports so deep in false alarms that they were easy to miss.

   Overly complex interfaces made tuning out false alarms a challenge.

Because no product distinguished itself, we are not naming a winner (See 
"No cigar"). The eight products we tested - from Cisco, Intrusion, Lancope, 
Network Flight Recorder (NFR), Nokia (running an OEM version of Internet 
Security Systems RealSecure 6.5), OneSecure, Recourse Technologies and the 
open-source Snort package - all ask too much of their users in terms of 
time and expertise to be described as security must-haves.

(follow the URL above for the whole story)

jc

