Core Security
InfoWorld uses CORE IMPACT to test network intrusion detection systems.


__________________________________________________________________________________

Network detectives sniff for snoops
The InfoWorld Test Center evaluates network intrusion detection systems from ISS, Lancope, Snort, and StillSecure

By Victor R. Garza, Joseph L. Roth

Just a few short years ago, an IDS was a luxury. Before the rise of the Web application and the worm, most networks were adequately defended by a firewall at the perimeter and a virus scanner at the mail server. Today, the firewall remains effective against clumsy DoS attacks and run-of-the-mill exploits, but it’s hard-pressed to thwart application-layer attacks that piggyback on welcome protocols and worms that wind their way inside the network through any overlooked port or a mobile user’s laptop.

Not only are perimeter defenses less adequate than they used to be, but internal network resources -- including business-critical applications exposed to the Web -- are more valuable to their companies than ever. Naturally, the double whammy of a hole-ridden perimeter and an invaluable core has network managers looking for an edge. The IDS is becoming part of the standard toolkit.

We tested four network IDS products in May, June, and July at the Naval Postgraduate School in Monterey, Calif., pitting Internet Security Systems (ISS) Proventia G200, Lancope StealthWatch 4.0, Snort 2.10, and StillSecure Border Guard 4.3 against both live Internet traffic and a variety of attacks we launched from the penetration testing tool CORE IMPACT 4.0.

Our manual attacks included OS fingerprinting, privilege escalation, DoS, banner grabbing, traversal attacks, and Microsoft IIS and Apache Web server exploits, among others. More significantly, on the live network, the products were exposed to nearly a thousand unique “attackers” targeting more than 50 ports, detecting thousands of “events” coming in from the Internet or from several thousand hosts inside the network. Among the live threats our IDS products confronted were the Sasser worm and Gator spyware.

As we expected, all four products did a good job detecting threats. With only one exception, in which one IDS initially failed to identify the Sasser worm, the products successfully alerted us to the presence of all the manual attacks and live threats they confronted. Although the four proved roughly equal in terms of recognizing attacks, important differences -- ranging from ease of setup and management to depth of packet analysis and reporting, but especially the fundamental approach taken in detecting threats -- may help dictate which solution best suits your network.


(See the full review here)


Source: InfoWorld
http://www.infoworld.com/article/04/08/20/34FEids_1.html?s=feature
