Just a few short years ago, an IDS was a luxury. Before the rise of the Web application and the worm, most networks were adequately
defended by a firewall at the perimeter and a virus scanner at the mail server. Today, the firewall remains effective against
clumsy DoS attacks and run-of-the-mill exploits, but it’s hard-pressed to thwart application-layer attacks that piggyback
on welcome protocols and worms that wind their way inside the network through any overlooked port or a mobile user’s laptop.
Not only are perimeter defenses less adequate than they used to be, but internal network resources -- including business-critical
applications exposed to the Web -- are more valuable to their companies than ever. Naturally, the double whammy of a hole-ridden
perimeter and an invaluable core has network managers looking for an edge. The IDS is becoming part of the standard toolkit.
We tested four network IDS products in May, June, and July at the Naval Postgraduate School in Monterey, Calif., pitting Internet
Security Systems (ISS) Proventia G200, Lancope StealthWatch 4.0, Snort 2.10, and StillSecure Border Guard 4.3 against both
live Internet traffic and a variety of attacks we launched from penetration testing tool Core Impact 4.0.
Our manual attacks included OS fingerprinting, privilege escalation, DoS, banner grabbing, traversal attacks, and Microsoft
IIS and Apache Web server exploits, among others. More significantly, on the live network the products were exposed to nearly
a thousand unique “attackers” targeting more than 50 ports, and they detected thousands of “events” coming in from the Internet
or from several thousand hosts inside the network. Among the live threats our IDS products confronted were the Sasser worm and
Gator spyware.
As we expected, all four products did a good job detecting threats. With only one exception, in which one IDS initially failed
to identify the Sasser worm, the products successfully alerted us to the presence of all the manual attacks and live threats
they confronted. Although the four proved roughly equal in terms of recognizing attacks, important differences -- ranging
from ease of setup and management to depth of packet analysis and reporting, but especially the fundamental approach taken
in detecting threats -- may help dictate which solution best suits your network.
Snort with ACID
Snort is the famous free and open source IDS. It’s supported by an active community of users and developers who regularly
and promptly update Snort’s signatures in response to newly discovered threats. Snort is a great choice if you have more time
than money. When regularly maintained, Snort can be very effective. The downside is that maintenance doesn’t come easy. Snort
requires care from a dedicated expert, and you’ll need to roll up your sleeves and wrestle with a difficult installation and
setup.
You can pull all the files you need off the Snort project, where you’ll also find many tutorials, FAQs, and Snort manuals to help you out. The standard installation of Snort -- ACID
(Analysis Console for Intrusion Databases); PHP, which is required by ACID; and MySQL on Red Hat Linux -- is the best-documented.
A Windows XP installation is also well-documented. Deviations such as Windows 2000 and Microsoft SQL Server 2000 aren’t supported
as thoroughly.
Snort has three run modes: Sniffer, Packet Logger, and NIDS (Network IDS). It’s easy to operate in any of them. We installed
Snort on both Windows XP and Red Hat Linux 9.0, running both instances in NIDS mode. The Windows XP installation requires
installing WinPcap 3.0, a packet capture and network analysis architecture, before installing Snort. We also installed
Barnyard, a free plug-in that offloads Snort logging, helping to accelerate Snort’s packet processing and thereby alleviate
packet loss.
Snort’s strength is its high degree of configurability. Its main weakness is its dependence on (sometimes poor) signatures.
As with all signature-based IDSes, Snort can be defenseless against unknown or “zero-day” attacks until a signature becomes
available. Another problem with Snort is that some of the signatures -- no doubt designed to identify older attacks -- look
for benign words (such as “TOP”) in the payload to determine whether a packet is malicious. As a result, an initial ruleset
from the Snort project gave us several hundred false positives.
Snort developers have addressed this drawback by allowing you to comment out rules that you do not want to use on your network.
The problem with this is, anytime you update your rules with the newest set from Snort.org, you’ll have to comment them out
again. Oinkmaster, an open source Perl script, automates the process of enabling and disabling specified rules after each
update. It was designed to run easily on Unix or Linux, but using it in a 32-bit Windows environment requires that ActivePerl,
GNU, and GNU wget be installed.
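The rule-maintenance problem described above (every ruleset refresh re-enables the rules you commented out by hand) is what Oinkmaster’s disablesid/enablesid policy solves. The script below is an added illustration of that idea in Python; it is not Oinkmaster’s code and not from the review. It parses each rule line for its sid, comments out the sids on the disable list, uncomments the sids on the enable list, and leaves every other rule exactly as the update shipped it, so the same policy file can be replayed after each download. Function names are hypothetical, and the sample ruleset and policy are constructed for the demonstration (the sids are not real Snort sids).

```python
# Added example (not Oinkmaster's code): re-apply a disablesid/enablesid
# policy to a Snort ruleset after every rule update.
import re
from typing import NamedTuple, Optional

# A Snort rule line: action, protocol, source, source port, direction,
# destination, destination port, then the option block in parentheses.
# An optional leading "#" (with or without a space) marks a disabled rule.
RULE_RE = re.compile(
    r"^(?P<comment>#\s*)?"
    r"(?P<rule>(alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+"
    r"\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\(.*\))\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


class Rule(NamedTuple):
    disabled: bool   # True when the line is commented out
    sid: int
    msg: str
    text: str        # the rule without any leading comment marker


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one ruleset line; return None for blank lines and plain comments."""
    m = RULE_RE.match(line)
    if not m:
        return None
    sid_m = SID_RE.search(m.group("rule"))
    if not sid_m:            # a rule without a sid cannot be addressed by policy
        return None
    msg_m = MSG_RE.search(m.group("rule"))
    return Rule(m.group("comment") is not None, int(sid_m.group(1)),
                msg_m.group(1) if msg_m else "", m.group("rule"))


def parse_policy(text: str):
    """Read 'disablesid'/'enablesid' lines (Oinkmaster's syntax) into two sets."""
    disable, enable = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        for keyword, target in (("disablesid", disable), ("enablesid", enable)):
            if line.startswith(keyword):
                for tok in line[len(keyword):].replace(",", " ").split():
                    target.add(int(tok))
    return disable, enable


def apply_policy(ruleset: str, disable: set, enable: set):
    """Return the rewritten ruleset and a report of which sids changed state.

    Rules on neither list are left exactly as the update shipped them, which
    is what lets the same policy file be replayed after every update.
    """
    out, report = [], {"disabled": [], "enabled": []}
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if rule is None:
            out.append(line)
        elif rule.sid in disable:
            if not rule.disabled:
                report["disabled"].append(rule.sid)
            out.append("# " + rule.text)
        elif rule.sid in enable:
            if rule.disabled:
                report["enabled"].append(rule.sid)
            out.append(rule.text)
        else:
            out.append(line)
    return "\n".join(out) + "\n", report


# Constructed sample ruleset: it imitates the layout of a snort.org update,
# but none of these rules or sids are real Snort rules.
SAMPLE_RULES = """\
# Constructed sample ruleset (not a snort.org distribution)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP command"; flow:to_server,established; content:"TOP"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB traversal attempt"; flow:to_server,established; uricontent:"/../"; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB probe"; flow:to_server,established; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"DNS zone transfer request"; content:"|00 00 FC|"; sid:1000004; rev:1;)
"""

# Constructed policy in Oinkmaster's disablesid/enablesid syntax.
SAMPLE_POLICY = """\
disablesid 1000001, 1000004   # plain-word content matches that flooded us with false positives
enablesid 1000003             # shipped commented out, but we want it on this network
"""

if __name__ == "__main__":
    new_rules, changes = apply_policy(SAMPLE_RULES, *parse_policy(SAMPLE_POLICY))
    print(new_rules)
    print("disabled:", changes["disabled"], "enabled:", changes["enabled"])
```

Run the script after each ruleset download and before restarting Snort; because untouched rules pass through unchanged, running it twice produces the same file, and the report tells you which sids actually flipped state in this update.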
We liked the fact that we could use the detection rules that came with Snort or roll out our own. Snort logs packets that
are flagged by Snort rules. The rules themselves are configured in a hierarchical structure and do a good job of capturing
suspicious traffic. When Snort logs in binary mode, it logs the packets in tcpdump format to a single file in a designated
directory. This is especially useful in large installations that will include additional analysis with the Ethereal protocol
analyzer, for example.
ACID is a graphical front end for Snort. Using it isn’t strictly necessary, and it was painful to install on Windows XP and
IIS 5.0 because it also required the installation and configuration of PHP and the JpGraph graph library for PHP. But ACID
is a powerful tool for handling Snort alerts, and it makes a good alternative to analyzing raw Snort data from the command
line. ACID can query Snort’s binary log files or a MySQL, PostgreSQL, Oracle, or Microsoft SQL Server database.

Border Guard 4.3
StillSecure, stillsecure.com
Overall: Excellent 8.6

| Criteria         | Score | Weight |
|------------------|-------|--------|
| Threat detection | 8     | 30%    |
| Management       | 8     | 20%    |
| Ease-of-use      | 9     | 10%    |
| Scalability      | 9     | 10%    |
| Security         | 10    | 10%    |
| Setup            | 9     | 10%    |
| Value            | 9     | 10%    |

Cost: Starts at $7,500 for device and $1,500 per year for maintenance (subscription option available)
Platforms: Management console: Windows, Internet Explorer 6 or later
Bottom Line: Border Guard brings ease-of-use, multinode management, and intrusion prevention capabilities to Snort. Installation and setup
are fast and easy, the GUI is top-notch, and reporting is excellent, removing all the difficulty of navigating Snort and displaying
attacks and payloads. An excellent choice for signature-based detection and prevention.
About our Reviews and Scoring Methodology

Proventia G200
Internet Security Systems, iss.net
Overall: Very Good 7.8

| Criteria         | Score | Weight |
|------------------|-------|--------|
| Threat detection | 8     | 30%    |
| Management       | 7     | 20%    |
| Ease-of-use      | 8     | 10%    |
| Scalability      | 9     | 10%    |
| Security         | 10    | 10%    |
| Setup            | 6     | 10%    |
| Value            | 7     | 10%    |

Cost: Starts at $11,995
Platforms: SiteProtector management console: Windows 2000, Windows XP, Windows Server 2003
Bottom Line: Proventia combines signature-based detection and prevention capabilities with a depth of packet analysis unmatched by its
competitors, making it a good solution for monitoring and enforcing network policies. Time-consuming configuration and a complex
management interface, however, make Proventia less suitable as an everyday IDS.

Snort 2.10 with ACID
Snort.org, snort.org
Overall: Very Good 7.3

| Criteria         | Score | Weight |
|------------------|-------|--------|
| Threat detection | 7     | 30%    |
| Management       | 6     | 20%    |
| Ease-of-use      | 7     | 10%    |
| Scalability      | 8     | 10%    |
| Security         | 9     | 10%    |
| Setup            | 6     | 10%    |
| Value            | 10    | 10%    |

Cost: Free
Platforms: Linux, 32-bit Windows, BSD, Mac OS X
Bottom Line: Snort is a free, flexible, effective rules-based IDS that is difficult to set up and not particularly user-friendly. Multisystem
management isn’t supported, and reporting and management fall short of commercial offerings. On the plus side, you can use
existing rules, which are regularly updated by an active open source community, or configure your own.

StealthWatch 4.0
Lancope, lancope.com
Overall: Excellent 8.9

| Criteria         | Score | Weight |
|------------------|-------|--------|
| Threat detection | 9     | 30%    |
| Management       | 9     | 20%    |
| Ease-of-use      | 9     | 10%    |
| Scalability      | 9     | 10%    |
| Security         | 10    | 10%    |
| Setup            | 8     | 10%    |
| Value            | 8     | 10%    |

Cost: Starts at $9,995 for M45 appliance
Platforms: Web management interface: Internet Explorer 6.0 or later, Netscape 6.2 or later
Bottom Line: StealthWatch tunes into deviations in normal network traffic and host behavior, an approach that enabled it to warn of a Sasser
worm outbreak on the test network ahead of our signature-based detection systems. On the downside, networking expertise is
required to use StealthWatch effectively; novice administrators will be challenged.