Summary - Performance Testing

In the performance tests we noticed a range of results from the excellent to the "not so good". We suspect that the Cisco Secure IDS 4210 may well have been suffering from pre-production problems, and we hope to re-evaluate it in our labs once those problems have been ironed out. In the meantime, you should evaluate this product carefully under load in your own environment if you are considering purchase.

RealSecure, SecureNet Pro, Snort and Dragon (under Red Hat Linux) all showed problems handling detection on a network saturated with 64-byte packets, and missed attacks under that load. Both Snort and SecureNet Pro, however, proved more than a match for our "real world" tests and would, we believe, perform well on any "normal" corporate network. Unfortunately, we were unable to re-test Dragon and RealSecure in time for this report. Given that in Edition 1 BlackICE Sentry provided the best overall performance coupled with a small footprint and very low CPU utilisation, we look forward to testing RealSecure 7 (which will incorporate the BlackICE technology) for the next Edition.

With the removal of BlackICE as a stand-alone product this year (following its acquisition by ISS), only Symantec NetProwler and the Cisco Secure IDS Model 4230 achieved a 100 per cent detection rate across the board, although NFR's NID-200 gave them a run for their money. The latter two products are also the only turnkey appliances in our test (although Intrusion Inc. also produces appliances), which may be important to some. When partnered with the netForensics product, Cisco offered some of the best reporting capabilities of all the products on test (although this makes it a very expensive combination). The value for money offered by the excellent NFR product, however, is hard to ignore.

Unfortunately, although it performed well under load, Symantec's NetProwler tended to misrepresent many of the attacks it detected, and was the only product in the group that was outwitted by our IDS evasion techniques. This product is in need of updating, and we look forward to evaluating it again next year once that has happened.

Of course, performance is not everything. In terms of management and monitoring, and in terms of signature database updates, all of the Network IDS products we have examined leave something to be desired in one way or another. Ideally, we would be looking for clear and intelligible alerting, and detailed reporting that can be printed directly or exported to a range of output formats. An intuitive, easy-to-use interface that makes it simple to manage one or more remote sensors is very important, as is the ability to acquire signature updates automatically and distribute them throughout the organisation at the click of a mouse. The ability to schedule and automate signature distribution may also be useful to many organisations. Unfortunately, not one product quite manages to combine every one of our requirements, at least not yet.

RealSecure continues to be one of the easiest to deploy and configure, and provides excellent real-time alerting and reporting capabilities. Computer Associates' new centralised administration console for eTrust is also impressive, although reporting is limited. Symantec and nSecure both offer good centralised management capabilities, but are let down slightly by interfaces that are not always the most intuitive. Unfortunately, both NFR and Intrusion provide only a one-to-one management console out of the box. At least NFR does offer its Central Management Server as an option, but no such capability has yet been developed for SecureNet Pro. The latter does have an optional centralised reporting and data mining capability, but no equivalent option for centralised policy distribution and signature update (although automatic signature update via RPMs is available on the SecureNet appliances). This currently makes it the least scalable of the products tested; we are told that this will be addressed in a future release.

The host-based IDSs were slightly more straightforward, since all performed their allotted tasks well. A side-by-side comparison is not easy, however, since they do not all perform the same set of tasks. With the current uncertainty as to the ongoing availability of last year's favourite "traditional" Host IDS, CyberSafe Centrax, it is left to Symantec's Intruder Alert to carry the flag in this area. Although the interface can be a little daunting at first, it is a very powerful tool once mastered. For those who feel constantly bewildered by the abundance of cryptic information in their Windows Event Logs, LANguard S.E.L.M. is an essential purchase, since it provides a minimal-impact means of consolidating Event Log information from multiple servers into a central database. It also does an excellent job of explaining the meaning of the log entries. Tripwire continues to lead the way in File Integrity Assessment, and the product has continued to evolve and improve upon the version we examined last year. Tripwire should always be considered complementary to any other host-based IDS you may purchase.

Finally, Entercept is the one product that we would unequivocally recommend to everyone, but especially to those who are forced to run Microsoft Web servers on a public-facing network. Entercept is the only intrusion prevention product we have evaluated, and the ability not only to detect and log attacks but actually to prevent them from happening makes systems that much more secure. Kernel-level agent software helps protect the host against both known and unknown attacks, and the Web Server Agents secure Web server software within an almost impregnable vault where virtually all attacks are stopped before they reach the server. Whatever other IDS software you buy, try to make room in your budget for Entercept.