Bill,
I have to caveat my response by saying that I now work for an IDS company
and am only responding to correct Bill's statements. :)
Tripwire is actually categorized as an Integrity Checker, as is the Axent
Enterprise Security Manager (ESM).
Host-based products are: ISS System Scanner, WebTrends Enterprise Edition, etc.
Network-based products are: NFR 4.11, ISS RealSecure 5.0, NetworkICE
Sentry/ICE CAP Console, Cisco IDS (Cisco just recently renamed their
NetRanger product to Cisco IDS), Network Associates CyberCop Monitor,
Dragon Systems IDS, HiverWorld IDS (should be shipping shortly), Axent
NetProwler 3.5/ITA 3.5GA integrated product suite.
The real issue with most of the commercially available IDS is the signature
or protocol decode recognition. Each IDS has its own way of identifying
a particular event and categorizing it against its internal identification
system.
Back to your statement regarding TripWire: TripWire for NT is still in its
development stage, as in the installation routine is InstallShield, but
after the install it is still a CLI-driven policy-tweaking effort, although
generic and default policies are provided.
All network IDS and host-based IDS systems have the capability of either
logging to the NT Event Log function or syslog, although syslog.conf is far
easier to tweak than the NT Event Log.
ISS RealSecure 5.0 / 3.2 Console requires NT. Their console only runs on NT.
Axent NetProwler 3.5 only runs on NT: Engine, Manager and Console. They do
not have a Unix version available.
CyberCop Monitor 1.0 for NT uses MMC 1.0 for NT, and I have not seen a
working Unix version, but that could be me.
I/O and processing requirements for real-time IDS systems really depend
on the architecture of the particular IDS system. Each vendor has their own
magic on how to do stealth packet capturing and analysis.
The other item to note is that the learning curve of each IDS system varies
from product to product.
/hope this helps
/mark
At 10:20 AM 8/3/00 -0700, [EMAIL PROTECTED] wrote:
>Rob,
>
>IDS products vary considerably. There are host based products like
>Tripwire and TCP wrappers. And there are network based products like
>Network Flight Recorder and NetRanger. There are also alarm and trap type
>products that can be used in conjunction with control devices like your
>PIX firewall or routers.
>
>Generally speaking, the closer the IDS is to the activity you want to
>monitor, the more effective it is. In other words, a host-based IDS is
>better at detecting an attack against the host than a network-based IDS
>that is watching for host attack packets. IDS code built into your Web
>applications is better at detecting Web server attacks than host-based IDS.
>
>If you are talking about host-based IDS products for the NT operating
>system there are several available, although I only have experience
>with Tripwire, which I highly recommend. There are several event log
>monitors out there; perhaps some of the other list members can make some
>recommendations on those products.
>
>If you are looking at network based IDS products then finding one that is
>effective running on the NT platform may prove to be a challenge. The I/O
>and processing requirements for real time IDS are difficult to achieve
>under UNIX.
>
>-- Bill Stackpole, CISSP
>
>
>
>"Rob Serfozo" <[EMAIL PROTECTED]>
>Sent by: [EMAIL PROTECTED]
>
>08/03/00 07:25 AM
>
> To: "Firewalls LIST" <[EMAIL PROTECTED]>
> cc:
> Subject: Intrusion Detection
>
>We are investigating the installation of Intrusion Detection software.
>Wondering if the list had any opinions good or bad towards any product. We
>are hoping to be able to run on a Windows platform. We are currently using
>a PIX firewall.
>
>Thanks,
>Rob Serfozo
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>