 |
|
Enterasys Dragon Sensor 4.2
|
IDS Test 1 � Attack Recognition |
Attacks |
Detected |
|
Port scans |
5 |
5 |
|
Denial of Service� |
11 |
9 |
|
DDOS/Trojan |
n/a |
n/a |
|
Web |
1 |
1 |
|
FTP |
1 |
1 |
|
SMTP |
n/a |
n/a |
|
POP3 |
n/a |
n/a |
|
ICMP |
n/a |
n/a |
|
Finger |
n/a |
n/a |
|
Total |
18 |
16 |
�
|
IDS Test 2 - Performance Under Load |
0% |
25% |
50% |
75% |
100% |
|
Small (64 byte) packet test (max 148,000pps) |
100% |
100% |
100% |
70% |
11% |
|
�Real world� packet test (max 57,000pps) |
n/a |
n/a |
n/a |
n/a |
n/a |
|
Large (1514 byte) packet test (max 8176pps) |
n/a |
n/a |
n/a |
n/a |
n/a |
�
|
IDS Test 3 - IDS Evasion Techniques |
Attacks |
Detected |
|
Fragrouter |
8 |
8 |
|
Whisker� |
7 |
7 |
|
Total |
15 |
15 |
�
|
IDS Test 4 - Stateful Operation |
Attacks |
Vulnerable? |
|
Stick |
n/a |
n/a |
|
Snot� |
n/a |
n/a |
�
|
Notes:
1.�� Although the above results have been updated since Edition 1 (to reflect an update of the product from version 4.1 to 4.2) Dragon Sensor was not fully re-tested for Edition 2, therefore a complete set of test results are not available. Tests that were not included in Edition 1 are marked as �n/a� Dragon Sensor provides no real-time monitoring of attacks � it all has to be done via reporting. Nor it is easy to clear down or filter out old attacks, making it very cumbersome to determine the exact number of attacks detected. Despite having the biggest library of signatures (over 1100) of the products tested, Dragon surprised us by missing Chargen and SYN Flood attacks. Jolt2 and WinNuke were also incorrectly identified � indeed all DOS attacks were detected as variations of �fragmented IP packets� or �dynamic TCP� attacks rather than DOS, despite enabling DOS detection within the product. Dragon includes full packet reassembly capabilities and resistance to common IDS evasion techniques when correctly configured (this is not configured by default �out of the box�), and thus handled both the fragrouter and Whisker attacks flawlessly. There was a sharp decline in performance of the sensor at high loads under Red Hat Linux. As tested, therefore (under Red Hat Linux), we would recommend Dragon for use on segments that are unlikely to be very heavily loaded. In order to obtain the maximum performance, it would be our recommendation to run critical Dragon IDS systems on Sparc platforms, and to ensure that Intel-based systems adhere strictly to Enterasys� hardware and software recommendations - OpenBSD and Intel network cards would be our preferred combination on Intel platforms. Click here
to return to the Enterasys Dragon Sensor 4.2 Review |
Send mail to webmaster
with questions or�
|