Intrusion Detection Tool integration ?

Post by Shashi Shekha » Tue, 04 Aug 1998 04:00:00



Hello All,

Although Intrusion Detection is a relatively new technology in the
commercial security product market, I was wondering if the fellow
members can share their experiences with different tools that are out
there. I am aware of Cisco's products: NetRanger and NetSonar, ISS's
RealSecure and System Scanner and Network Associates's *cop
(formerly known as Batista ).

I am also looking for specific information wrt how these (or any other
commercial IDT tool) integrate with:

(1)HP OPENVIEW or a network monitoring package
(2)Checkpoint Firewall-1 or any other real firewall (CISCO PIX is not a
*real* firewall though Cisco may call it one)
(3)Integration with Cisco router or other router ACLs
(4)Scalability (in say 2000 node environment)


Thank you

Shashi

 
 
 

Post by Thomas H. Ptac » Wed, 05 Aug 1998 04:00:00



>RealSecure and System Scanner and Network Associates's *cop
>(formerly known as Batista ).

You're referring either to *Cop Network, NAI's network intrusion
detection system, or *Cop Scanner, NAI's risk-assessment tools.
*Cop Scanner was formerly known as Ballista, a medieval siege tool.
Batista was the former dictator of Cuba, prior to the island's socialist
revolution.

In this discussion, you probably want to be considering *Cop Network,
as the scanner does not perform real-time intrusion detection.

>(1)HP OPENVIEW or a network monitoring package

Cisco NetRanger is now licensed by HP for their OPENVIEW system, and is
thus integrated with it.

>(2)Checkpoint Firewall-1 or any other real firewall (CISCO PIX is not a
>*real* firewall though Cisco may call it one)

ISS RealSecure is integrated with CheckPoint Firewall-1 (or at least it
was announced that it was).

Integration with firewalls is not necessarily a good idea. IPv4 is not
authenticated. Attackers can spoof attacks that will cause IDS-assisted
firewalls to block traffic to legitimate (and important) addresses, such
as the root nameservers.

For more information about concerns with network intrusion detection,
check out our technical report on IDS vulnerabilities at:

        http://www.veryComputer.com/

--
-----------------------------------------------------------------------------
Thomas H. Ptacek                           SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.veryComputer.com/~tqbf        "If you're so special, why aren't you dead?"
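
[Added example, not part of the original post and not code from any product named in this thread: a guard that an IDS-to-firewall integration can apply before auto-blocking, so that an alert carrying an unverified source address never blocks a protected address. The `Alert` fields, the `handshake_done` flag, the signature names and the sample addresses are assumptions constructed for illustration.]

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy: ranges that must never be auto-blocked.
# 198.41.0.4 is a.root-servers.net; 192.0.2.0/24 (documentation range)
# stands in for a site's own critical servers.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("198.41.0.4/32", "192.0.2.0/24")]

@dataclass(frozen=True)
class Alert:
    src: str              # source address as read from the packet header
    proto: str            # "tcp", "udp" or "icmp"
    handshake_done: bool  # sensor saw a completed TCP three-way handshake
    signature: str        # hypothetical signature name

def decide(alert, never_block=NEVER_BLOCK):
    """Return (action, reason); action is 'block' or 'alert-only'."""
    addr = ipaddress.ip_address(alert.src)
    # Protected addresses are never blocked automatically, whatever the alert.
    for net in never_block:
        if addr in net:
            return ("alert-only", f"{addr} is in protected range {net}")
    # The IPv4 source field is unauthenticated. Only a completed TCP
    # handshake gives evidence that the sender can receive at that address.
    if alert.proto != "tcp" or not alert.handshake_done:
        return ("alert-only", "source address not confirmed by a handshake")
    return ("block", "source confirmed and not in a protected range")

def triage(alerts):
    """Apply decide() to each alert and return (src, action, reason) rows."""
    return [(a.src, *decide(a)) for a in alerts]

# Constructed sample alerts, not taken from any real sensor.
SAMPLE_ALERTS = [
    Alert("198.41.0.4", "udp", False, "dns-malformed-query"),
    Alert("203.0.113.9", "udp", False, "dns-malformed-query"),
    Alert("203.0.113.9", "tcp", True, "ftp-bad-command"),
    Alert("192.0.2.53", "tcp", True, "ftp-bad-command"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```
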

 
 
 

Post by Michae » Wed, 05 Aug 1998 04:00:00


Hi,..

NetRanger was developed by Wheelgroup and not by Cisco. NetRanger is a very
handy tool; it works with HP OpenView and other Network Management
packages. The big advantage of NetRanger is that you can apply filters on
the fly (depending on policies).
(I worked with NR and Borderguard Systems).
To your question about the scalability: You could have a couple of
Directors, and a lot of Sensors (as far as I know, you would need 1 sensor
for each router). So 2000+ hosts are possible. Integration with Cisco
routers is as far as I know possible (even though I don't know how they
handle the filter on the fly part).

Hope that helps

Michael


> Hello All,

> (1)HP OPENVIEW or a network monitoring package
> (2)Checkpoint Firewall-1 or any other real firewall (CISCO PIX is not a
> *real* firewall though Cisco may call it one)
> (3)Integration with Cisco router or other router ACLs
> (4)Scalability (in say 2000 node environment)


> Thank you

> Shashi