Sorry Kyle, this is in response to your mail, but not "directed" at you :)
On Wed, 6 Sep 2000, Haugsness, Kyle wrote:
> So if you need to watch some big pipes, start taking a look at other
> products such as Network Flight Recorder (hi Marcus), Network Security
> Wizards' Dragon, or even snort.
Currently NFR's solution is also based on the load balancer. NFR admits
that their product cannot accurately watch for things like portscans
across multiple hosts in a load balanced setup:
NFR's response to me:
# Just following up to make sure you got my last email (about 2 weeks ago)
# saying that you were correct in that our load balancing solution would
# not work in the situation you described.
<snip>
# However, this still works fairly well because generally portscans
# involve a large number of ports.
<snip>
I'm not sure which Internet that NFR's connected to, but it must be
something other than the one I'm on. Programs like wu-scan exist for the
sole purpose of doing single port scanning across entire network segments
looking for hosts with a specific exploit. This is not the first program
like this, nor will it be the last.
Network-based IDS seems to still be aimed at the small network, although
every commercial host-based IDS I've found doesn't include port-level
watching on the host. I'd really like one of the commercial IDS people to
make a host IDS with port-level detection built in, but I've yet to find
one... unless you run the FREEWARE portsentry (unix-only) with it,
then most commercial IDS can watch logs and report... but at that point,
why bother since portsentry can already run custom commands on its
own (like e-mailing the NOC that scans are in progress).
- Aaron Schultz
- [EMAIL PROTECTED]
------
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ / ASCII Ribbon Campaign
X - NO HTML/RTF in e-mail
/ \ - NO Word docs in e-mail
-
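The blind spot Aaron describes (a load balancer spreading one source's single-port probes across several sensors so that no sensor alone sees enough hosts to trip a threshold) is easy to reproduce. The following is an added illustration, not code from NFR, portsentry or anyone in this thread. It uses a constructed set of flow records, a deliberately simplified balancer that picks the sensor from the destination's last octet (real balancers hash differently; the splitting effect is the same), and a hypothetical per-sensor detector versus a central correlator that merges the per-sensor views.

```python
from collections import defaultdict

# Constructed sample traffic: one source touching the same port (21) on
# twelve hosts, plus a little benign traffic from another source.
SAMPLE_FLOWS = [("10.0.0.5", f"192.0.2.{i}", 21) for i in range(1, 13)]
SAMPLE_FLOWS += [("10.0.0.7", "192.0.2.1", 80), ("10.0.0.7", "192.0.2.2", 80)]


def sensor_for(dst_ip, n_sensors):
    """Hypothetical load balancer: route a flow to a sensor by destination.

    Simplified to 'last octet modulo sensor count' so the split is easy to
    follow; any per-destination hashing scheme has the same effect.
    """
    return int(dst_ip.split(".")[-1]) % n_sensors


def split_by_sensor(flows, n_sensors):
    """Return {sensor_id: [flows that sensor actually sees]}."""
    buckets = defaultdict(list)
    for src, dst, dport in flows:
        buckets[sensor_for(dst, n_sensors)].append((src, dst, dport))
    return dict(buckets)


def horizontal_scan_alerts(flows, threshold):
    """Alert when one source reaches >= threshold distinct hosts on ONE port.

    Returns {(src, dport): distinct_host_count} for every alerting pair.
    """
    seen = defaultdict(set)
    for src, dst, dport in flows:
        seen[(src, dport)].add(dst)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


def per_sensor_alerts(flows, n_sensors, threshold):
    """Each sensor runs the detector only over the flows it was handed."""
    return {
        sensor: horizontal_scan_alerts(seen_flows, threshold)
        for sensor, seen_flows in split_by_sensor(flows, n_sensors).items()
    }


def aggregated_alerts(flows, n_sensors, threshold):
    """Central correlator: merge every sensor's (src, dport) -> hosts sets
    before applying the threshold, restoring the cross-sensor view."""
    merged = defaultdict(set)
    for seen_flows in split_by_sensor(flows, n_sensors).values():
        for src, dst, dport in seen_flows:
            merged[(src, dport)].add(dst)
    return {k: len(v) for k, v in merged.items() if len(v) >= threshold}


if __name__ == "__main__":
    # With 4 sensors and a threshold of 5 hosts, each sensor sees only 3 of
    # the 12 probed hosts and stays silent; the correlator still fires.
    print("per sensor :", per_sensor_alerts(SAMPLE_FLOWS, 4, 5))
    print("aggregated :", aggregated_alerts(SAMPLE_FLOWS, 4, 5))
```

The point for a defender is that a threshold which is perfectly reasonable on a single sensor silently becomes `threshold * n_sensors` once traffic is balanced by destination, unless some component re-joins the per-sensor counts keyed on source and port. Lowering each sensor's threshold to compensate is the usual workaround, at the cost of more false positives.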
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]