
Intrusion Detection Systems (IDS)

Group Test (Edition 4)

This report is no longer available online. However, it is still available for purchase in PDF, CD or print versions.

Foreword

Welcome to the Fourth Edition of the 100Mbps Intrusion Detection System (IDS) Group Test report.

Once again, for this edition we have completely overhauled our testing methodology to bring it more in line with that used in our Gigabit IDS tests. The new methodology includes:

  • A brand new, more up-to-date and wide-ranging set of exploits to test signature recognition

  • Extensive IDS evasion tests, including the use of Whisker, fragroute, Sidestep and ADMmutate amongst others

  • An extension of our HTTP stress tests to demonstrate how IDS sensors behave in heavily-loaded pure HTTP networks with varying rates of new connections per second

  • Improved real-world testing that includes real browsing transactions against a real Web site (not just simulated via the Caw test equipment), together with a mix of protocols

  • Stateful operation testing using genuine sessions with up to 1 million users

Because of the complete overhaul in testing procedures, it was no longer possible to include those vendors who did not have their products re-tested for the latest edition. Back issues of previous editions are still available for you to make your own comparisons with products that were not submitted for this round of tests. 

In this report we have four IDS products, all of which have been reviewed and tested again from scratch using our new methodology. We hope to grow this number for future editions as vendors have their new products submitted under the latest testing procedures. We have also updated the introductory and summary material, which we would encourage you to read since it covers many of the concepts mentioned in the technical evaluations. 

Demand for, and interest in, this report has been tremendous, with well over 12,000 downloads of Edition 3 in the six months following publication. Feedback confirms we are providing a major source of much needed information and advice to security professionals, and The NSS Group IDS Report is considered the definitive guide to IDS.

Edition 4 provides independent and comprehensive technical evaluations of the current leading products in the market place, and we hope you find it informative and useful. 

Bob Walder

Table of Contents

Introduction
Host IDS (HIDS)
"Traditional" Host IDS
File Integrity Assessment (FIA)
Intrusion Prevention Systems (IPS)
Network IDS (NIDS)
Network Node IDS (NNIDS)

Intrusion Prevention Systems (IPS)
Host IPS (HIPS)

Network IPS (NIPS)
Which Technology Is The Best
Problems with IDS
Detection Methods
Pattern Matching
Stateful Pattern Matching
Protocol Decode
Heuristic Analysis
Anomaly Analysis
Which Detection Method Is The Best

Monitor-Evaluate-Modify: The Security Cycle

Product Reviews

Cisco IDS-4235 V4.0
Architecture
Installation
Configuration
Alert Handling
Reporting and Analysis
Verdict
Contact Details

Internet Security Systems Proventia A201
Architecture
Intrusion Protection Appliance
Proventia Network Agent
Site Protector
Deployment Manager
Application Server
Sensor Controller
Proventia Site Database
Event Collector
Security Fusion Module
SiteProtector Console
Installation
Configuration
Alert Handling
Reporting and Analysis
Verdict
Contact Details

NFR NID-310 V3.2.1
Architecture
Administration Interface (AI)
Central Management Server (CMS)
NID Sensor
Sensor Engine
Backends
Packages
Installation
Configuration
Alert Handling
Reporting and Analysis
Verdict
Contact Details

Snort 2.0
Architecture
Rule Optimiser
Multi-Rule Inspection Engine
Event Selector
Protocol Flow Analyser
Output Subsystem
Installation
Configuration
Event Handling
Reporting and Analysis
Verdict
Contact Details

Testing Methodology
The Test Environment
Section 1 - Detection Engine
Test 1.1 - Attack Recognition
Test 1.2 - Resistance To False Positives
Section 2 - NIDS Performance Under Load
Test 2.1 - UDP Traffic To Random Valid Ports
Test 2.2 - HTTP 'Maximum Stress' Traffic With No Transaction Delays
Test 2.3 - HTTP 'Maximum Stress' Traffic With Transaction Delays
Test 2.4 - Protocol Mix Traffic
Test 2.5 - 'Real World' Traffic
Section 3 - Network IDS Evasion
Test 3.1 - Baselines
Test 3.2 - Packet Fragmentation and Stream Segmentation
Test 3.3 - URL Obfuscation
Test 3.4 - Miscellaneous Evasion Techniques
Section 4 - Stateful Operation Test
Test 4.1 - Attack Replay
Test 4.2 - Simultaneous Open Connections (default settings)
Test 4.3 - Simultaneous Open Connections (after tuning)

Test Results

Cisco IDS-4235 Test Results
Section 1 - Detection Engine
Section 2 - NIDS Performance Under Load
Section 3 - Network IDS Evasion
Section 4 - Stateful Operation Test

Internet Security Systems Proventia A201 Test Results
Section 1 - Detection Engine
Section 2 - NIDS Performance Under Load
Section 3 - Network IDS Evasion
Section 4 - Stateful Operation Test

NFR NID-310 Test Results
Section 1 - Detection Engine
Section 2 - NIDS Performance Under Load
Section 3 - Network IDS Evasion
Section 4 - Stateful Operation Test

Snort 2.0 Test Results
Section 1 - Detection Engine
Section 2 - NIDS Performance Under Load
Section 3 - Network IDS Evasion
Section 4 - Stateful Operation Test

Summary

Appendix A - Vendor Questionnaires

Appendix B - The Test Equipment
Spirent Communications SmartBits SMB-6000/SMB-600
SmartBits Applications
Caw Networks WebAvalanche and WebReflector


Copyright © 1991-2006 The NSS Group Ltd.
All rights reserved.