Just a few short years ago, an IDS was a luxury. Before the rise of the Web application and the worm, most networks were adequately defended by a firewall at the perimeter and a virus scanner at the mail server. Today, the firewall remains effective against clumsy DoS attacks and run-of-the-mill exploits, but it’s hard-pressed to thwart application-layer attacks that piggyback on welcome protocols and worms that wind their way inside the network through any overlooked port or a mobile user’s laptop.
Not only are perimeter defenses less adequate than they used to be, but internal network resources -- including business-critical applications exposed to the Web -- are more valuable to their companies than ever. Naturally, the double whammy of a hole-ridden perimeter and an invaluable core has network managers looking for an edge. The IDS is becoming part of the standard toolkit.
We tested four network IDS products in May, June, and July at the Naval Postgraduate School in Monterey, Calif., pitting Internet Security Systems (ISS) Proventia G200, Lancope StealthWatch 4.0, Snort 2.10, and StillSecure Border Guard 4.3 against both live Internet traffic and a variety of attacks we launched from penetration testing tool Core Impact 4.0.
Our manual attacks included OS fingerprinting, privilege escalation, DoS, banner grabbing, traversal attacks, and Microsoft IIS and Apache Web server exploits, among others. More significantly, on the live network, the products were exposed to nearly a thousand unique “attackers” targeting more than 50 ports, and they detected thousands of “events” coming in from the Internet or from several thousand hosts inside the network. Among the live threats our IDS products confronted were the Sasser worm and Gator spyware.
As we expected, all four products did a good job detecting threats. With only one exception, in which one IDS initially failed to identify the Sasser worm, the products successfully alerted us to the presence of all the manual attacks and live threats they confronted. Although the four proved roughly equal in terms of recognizing attacks, important differences -- ranging from ease of setup and management to depth of packet analysis and reporting, but especially the fundamental approach taken in detecting threats -- may help dictate which solution best suits your network.
Snort with ACID
Snort is the famous free and open source IDS. It’s supported by an active community of users and developers who regularly and promptly update Snort’s signatures in response to newly discovered threats. Snort is a great choice if you have more time than money. When regularly maintained, Snort can be very effective. The downside is that maintenance doesn’t come easy. Snort requires care from a dedicated expert, and you’ll need to roll up your sleeves and wrestle with a difficult installation and setup.
You can pull all the files you need off the Snort project, where you’ll also find many tutorials, FAQs, and Snort manuals to help you out. The standard installation of Snort -- ACID (Analysis Console for Intrusion Databases); PHP, which is required by ACID; and MySQL on Red Hat Linux -- is the best-documented. A Windows XP installation is also well-documented. Deviations such as Windows 2000 and Microsoft SQL Server 2000 aren’t supported as thoroughly.
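Snort's detection rests on text rules (signatures) that the community updates as new threats appear, which is why a stale rule set can miss a worm until the update lands. The following Python is an added illustration, not Snort's engine and not the Snort project's rule set: it parses a small subset of Snort's rule syntax (the header plus the msg, content, nocase and sid options, including Snort's |hex| content notation) and runs constructed packets through it, once against a base rule set and once after a "signature update" adds a rule. The rules, sids (in the local 1000000+ range), addresses and payloads are all constructed for the example; the port-445 rule stands in for a hypothetical worm signature and is not the real Sasser rule. Rule variables such as $HOME_NET are not supported.

```python
"""Minimal Snort-style signature matcher (added example, not Snort's code)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed rules in Snort syntax; sids are in the local 1000000+ range.
BASE_RULES = """
alert tcp any any -> any 80 (msg:"WEB-ATTACK directory traversal attempt"; content:"../"; sid:1000001;)
alert tcp any any -> any 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000002;)
"""
# A later "signature update": one extra rule for a hypothetical worm payload on TCP 445.
UPDATED_RULES = BASE_RULES + """
alert tcp any any -> any 445 (msg:"EXAMPLE worm payload on SMB port"; content:"|90 90 90 90|"; sid:1000003;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# name[:value]; where value is a quoted string or anything up to the ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    bidir: bool      # True for the '<>' direction operator
    msg: str
    content: bytes
    nocase: bool
    sid: int


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes, expanding |90 90| hex runs."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def parse_rules(text: str) -> list[Rule]:
    """Parse one rule per non-empty, non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        opts = {"msg": "", "content": "", "nocase": False, "sid": "0"}
        for name, val in OPTION_RE.findall(m["opts"]):
            opts[name] = val.strip('"') if val else True  # bare flag -> True
        rules.append(Rule(
            action=m["action"], proto=m["proto"].lower(),
            src=m["src"], sport=m["sport"], dst=m["dst"], dport=m["dport"],
            bidir=m["dir"] == "<>", msg=str(opts["msg"]),
            content=parse_content(str(opts["content"])),
            nocase=opts["nocase"] is True, sid=int(opts["sid"]),
        ))
    return rules


def _ip_ok(spec: str, addr: str) -> bool:
    # 'any', a single address or a CIDR block; rule variables are not supported
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def _endpoints_ok(r: Rule, p: Packet) -> bool:
    forward = (_ip_ok(r.src, p.src) and _port_ok(r.sport, p.sport)
               and _ip_ok(r.dst, p.dst) and _port_ok(r.dport, p.dport))
    if forward or not r.bidir:
        return forward
    return (_ip_ok(r.src, p.dst) and _port_ok(r.sport, p.dport)
            and _ip_ok(r.dst, p.src) and _port_ok(r.dport, p.sport))


def matches(r: Rule, p: Packet) -> bool:
    """Header match first, then a plain substring search for the content."""
    if r.proto != "ip" and r.proto != p.proto.lower():
        return False
    if not _endpoints_ok(r, p):
        return False
    if not r.content:
        return True
    hay, needle = (p.payload.lower(), r.content.lower()) if r.nocase else (p.payload, r.content)
    return needle in hay


def detect(rules: list[Rule], packets: list[Packet]) -> list[tuple[int, str]]:
    """Return (sid, msg) for every packet/rule pair that fires, in traffic order."""
    return [(r.sid, r.msg) for p in packets for r in rules if matches(r, p)]


# Constructed sample traffic (not a capture from the test network).
TRAFFIC = [
    Packet("tcp", "198.51.100.7", 40123, "192.0.2.10", 80,
           b"GET /scripts/..%5c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    Packet("tcp", "198.51.100.7", 40124, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "192.0.2.55", 3201, "192.0.2.10", 445, b"\x00\x00\x00\x90" + b"\x90" * 8 + b"\xeb\x10"),
]


def run_comparison() -> tuple[list, list]:
    """Alerts from the base rule set versus the updated one on the same traffic."""
    return detect(parse_rules(BASE_RULES), TRAFFIC), detect(parse_rules(UPDATED_RULES), TRAFFIC)


if __name__ == "__main__":
    before, after = run_comparison()
    print("before update:", before)
    print("after update: ", after)
```

The port-445 packet produces no alert with the base rules and one alert after the update, which is the whole maintenance story in miniature: the engine only sees what its current rule set describes, so the update cadence is part of the detection capability, not an afterthought.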
| Test Center Scorecard | 30% | 20% | 10% | 10% | 10% | 10% | 10% | Overall score | Rating |
|---|---|---|---|---|---|---|---|---|---|
| Border Guard 4.3 | 8 | 8 | 9 | 9 | 10 | 9 | 9 | 8.6 | Very Good |
| Proventia G200 | 8 | 7 | 8 | 9 | 10 | 6 | 7 | 7.8 | Good |
| Snort 2.10 with ACID | 7 | 6 | 7 | 8 | 9 | 6 | 10 | 7.3 | Good |
| StealthWatch 4.0 | 9 | 9 | 9 | 9 | 10 | 8 | 8 | 8.9 | Very Good |

The percentages are the category weights; the overall score is the weighted sum of the category scores (for Border Guard, 0.3×8 + 0.2×8 + 0.1×(9+9+10+9+9) = 8.6).