Evaluating Intrusion Detection Systems

Certainly, you all have at least one firewall in place on your network, and most of you probably have several. However, you might not use an Intrusion Detection System (IDS) on your network in addition to your firewall. I think an IDS is a good idea because it offers more information about events on your network than a firewall alone does.

I recently learned about a couple of great reports on IDSs, and you might want to read them to gain some technical insight into a few popular IDSs. The reports, published by NSS Group (a network and security testing organization), cover IDSs for 10Mbps/100Mbps Ethernet and Gigabit Ethernet networks. For each IDS, NSS Group looked at the architecture, installation process, configuration routine, manageability, event handling, event analysis, and alert reporting.

To test the IDSs, NSS Group established a test environment comprising several products specifically designed for testing and analysis: Network Critical Solutions' Critical TAPs to tap into the ports on a network switch; Spirent Communications' (formerly Caw Networks') WebAvalanche and WebReflector to generate high traffic loads that simulate a variety of network traffic and conditions including browser use, differing traffic speeds, packet loss, user input delay, and aborted transactions; and Spirent's SmartBits to measure network performance. The products and how NSS Group used them are described in more detail in the reports' appendices.

The 10Mbps/100Mbps Ethernet IDS report is NSS Group's fourth report on these products. The products tested were Cisco Systems' IDS 4235 Sensor 4.0, Internet Security Systems' (ISS's) Proventia A201, NFR Security's NID-310 3.2.1, and Snort 2.0.

The Gigabit Ethernet IDS report is NSS Group's second report on these products and covers ISS's RealSecure Gigabit Network 7.0, NetScreen Technologies' NetScreen-IDP 500 2.1, NFR's NID-320 3.2.1, and Symantec ManHunt 3.0.

NSS Group's reports review each product in detail, revealing precisely how each IDS fared in the test environment and showing the product's strong points and weak points under various combinations of attack and traffic-load conditions. The reports also provide the testers' opinions of the various products.

The reports are great resources if you're weighing various products for use on your network. The benchmarking is revealing. Even if you already have an IDS, the reports are a great way to see how your product stacks up against others. And the reports contain tidbits of general security-related information that you might not be aware of.

In addition to the IDS reports, NSS Group offers a new report on eight public key infrastructure (PKI) solutions as well as December 2002 reports on six firewalls and five vulnerability-assessment products. You can find all the reports at the NSS Group Web site (http://www.nss.co.uk) and read them online after filling out and submitting a simple form, or you can purchase copies of the reports in PDF format or on CD-ROM.

TAGS: Security