Cisco Secure IDS
Model 4210 (rated at 45Mbps)
IDS Test 1 - Attack Recognition

| Attack class | Attacks | Detected |
| --- | --- | --- |
| Port scans | 5 | 5 |
| Denial of Service | 11 | 5 |
| DDOS/Trojan | n/a | n/a |
| Web | 1 | 1 |
| FTP | 1 | 1 |
| SMTP | n/a | n/a |
| POP3 | n/a | n/a |
| ICMP | n/a | n/a |
| Finger | n/a | n/a |
| Total | 18 | 18 |

The Denial of Service row (5 of 11 detected) does not reconcile with the 18 of 18 total; both figures are reproduced as the original page reports them. The Model 4230 table below shows 11 of 11 for the same attacks.
IDS Test 2 - Performance Under Load

Figures are the percentage of attacks detected at each offered load (percentage of the sensor's 45Mbps rating).

| Load test (maximum packet rate) | 0% load | 56% load | 100% load |
| --- | --- | --- | --- |
| Small (64 byte) packet test (max 66,000pps) | 100% | 31% | 1% |
| "Real world" packet test (max 57,000pps) | n/a | n/a | n/a |
| Large (1514 byte) packet test (max 8176pps) | n/a | n/a | n/a |
IDS Test 3 - IDS Evasion Techniques

| Evasion tool | Attacks | Detected |
| --- | --- | --- |
| Fragrouter | 8 | 8 |
| Whisker | 7 | 7 |
| Total | 15 | 15 |
IDS Test 4 - Stateful Operation

| Tool | Attacks | Vulnerable? |
| --- | --- | --- |
| Stick | n/a | n/a |
| Snot | n/a | n/a |
Model 4230 (rated at 100Mbps)
IDS Test 1 - Attack Recognition

| Attack class | Attacks | Detected |
| --- | --- | --- |
| Port scans | 5 | 5 |
| Denial of Service | 11 | 11 |
| DDOS/Trojan | n/a | n/a |
| Web | 1 | 1 |
| FTP | 1 | 1 |
| SMTP | n/a | n/a |
| POP3 | n/a | n/a |
| ICMP | n/a | n/a |
| Finger | n/a | n/a |
| Total | 18 | 18 |
IDS Test 2 - Performance Under Load

Figures are the percentage of attacks detected at each offered load (percentage of the sensor's 100Mbps rating).

| Load test (maximum packet rate) | 0% load | 25% load | 50% load | 75% load | 100% load |
| --- | --- | --- | --- | --- | --- |
| Small (64 byte) packet test (max 148,000pps) | 100% | 100% | 100% | 100% | 100% |
| "Real world" packet test (max 57,000pps) | n/a | n/a | n/a | n/a | n/a |
| Large (1514 byte) packet test (max 8176pps) | n/a | n/a | n/a | n/a | n/a |
IDS Test 3 - IDS Evasion Techniques

| Evasion tool | Attacks | Detected |
| --- | --- | --- |
| Fragrouter | 8 | 8 |
| Whisker | 7 | 7 |
| Total | 15 | 15 |
IDS Test 4 - Stateful Operation

| Tool | Attacks | Vulnerable? |
| --- | --- | --- |
| Stick | n/a | n/a |
| Snot | n/a | n/a |
Notes:

1. Secure IDS was not re-tested for Edition 2, so a complete set of test results is not available. Tests that were not included in Edition 1 are marked as "n/a".

The Cisco Secure Policy Manager Console made it very easy to follow the attacks in real time and to determine exactly how many attacks had been detected.

The Model 4210 is limited to 45Mbps, so we could not perform the full range of tests using this model. We created a new network load test of 66,000pps, which corresponds to just under 100 per cent load for the 4210, but it could not detect any attacks at that load. In fact, the 4210 could only detect around 30 per cent of attacks at 37,000pps, which means we could only recommend it for use on very lightly loaded networks or for protecting restricted-bandwidth Internet connections. Cisco believe that we could have been experiencing problems with a pre-production unit of a brand new product, and are working on the problem at the time of writing.

On the other hand, the 100Mbps-rated Model 4230 performed flawlessly right up to 100Mbps loads, detecting 100 per cent of all attacks even at 100 per cent load.

Both products displayed excellent attack recognition capabilities, handling all the IDS evasion techniques extremely well; in fact, the Cisco Secure IDS product produced the most comprehensive list of the individual Web attacks that go to make up each combined Whisker attack. The reporting of alerts was fairly generic in some circumstances (all the Teardrop-style attacks were reported as fragment overlap attacks, for example) but accurate nonetheless.